I’m an independent security researcher focused on vulnerability discovery in widely-deployed infrastructure: operating system kernels, hypervisors, and language runtimes. My public work includes a SQL injection in the Django ORM (CVE-2025-64459) and a use-after-free in CPython’s perf_trampoline (Issue #143228). Additional findings in kernel and confidential-computing targets are under coordinated disclosure and will be published here after patches ship.

I’m currently reading Cyber Security at the University of Warwick.

Writing

2026 · Hunting concurrency bugs: a race condition in CPython’s perf_trampoline
Use-after-free in CPython’s profiler trampoline teardown. Reported as Issue #143228; fixed via arena refcounting in 3.13/3.14.

2025 · SQL injection in the Django ORM (CVE-2025-64459)
Unsafe string formatting of the Q object connector allows injection into WHERE clauses via Q(**user_input). Fixed in Django 5.1.14, 4.2.26, and 5.2.8.

All writing →