Tootfinder

@hex@kolektiva.social
2026-05-02 07:37:10

"Nobody connected the 2017 in-place optimization to authencesn's scratch writes or to the splice path's use of page cache pages. Each change was reasonable in isolation. The vulnerability exists at the intersection of all three, and has been silently exploitable for nearly a decade."
Basically, a 6-year-old bit of code that was not vulnerable when written became vulnerable after multiple API changes. So this is really a tech debt problem.