> "I think we shouldn't mark a bug as 'security vulnerability' unless we have some evidence showing it can (or at least, may) be exploited," he wrote, adding that nonetheless 3.0.5 should be released as soon as possible because it's very severe.
> "I'm not sure I understand how it's not a security vulnerability," responded Gaynor. "It's a heap buffer overflow that's triggerable by things like RSA signatures, which can easily happen in remote contexts (e.g. a TLS handshake)."
Personally, I think they're both right.
We need to be careful about labelling things as vulnerabilities if there isn't any evidence that they might be exploitable. Otherwise, much like the vim example, you get a wash of "security vulnerabilities" which'll lead to operators, users and admins becoming complacent about installing patches (oh they label everything a vulnerability nowadays....), negatively impacting the chances of getting fixes for exploitable issues installed quickly.
But, that doesn't mean that *this* instance shouldn't be called a vulnerability - it's got all the makings of one, it's remotely triggerable using something the other end has control over, all that's really missing is that no-one's (yet) figured out how to misuse it. Whilst they might never do (a buffer overflow is never good, but it's also not always exploitable), the fact that it can be triggered remotely creates a window of opportunity for anyone that can figure it out. So the second quote is right too.
I'm not sure I agree with the assessment that this is worse than Heartbleed; the "badness" of a vulnerability is about more than what you can do with it (after all, we don't describe privilege escalation bugs as "worse than Heartbleed"): the real-world applicability has to be considered too.
This vulnerability applies to a (very) limited subset of installs, which need to be using specific hardware. Heartbleed affected (more or less) anyone running almost any version of OpenSSL that was available - you could do less with it (at least directly), but you could use it against the majority of services on the web. In my book, that's much worse. This still needs fixing though.