Stan Shaw

I’m an independent security researcher focused on vulnerability discovery in widely-deployed infrastructure: operating system kernels, hypervisors, and language runtimes. My public work includes a SQL injection in the Django ORM (CVE-2025-64459), a use-after-free in CPython’s perf_trampoline (Issue #143228), a guest-to-host escape chain in QEMU’s CXL Type 3 mailbox emulation (writeup), and a guest-triggered heap out-of-bounds in KVM’s SEV-SNP page-state-change handling (writeup). Additional findings in kernels, web servers, and hypervisors are under coordinated disclosure and will be published here after patches ship.

I’m currently an undergrad studying cyber at the University of Warwick.

Writing

2026 · Heap out-of-bounds in KVM SEV-SNP via the GHCB page-state-change handler
A malicious SEV-SNP guest can corrupt the host kernel heap and leak its layout through KVM’s GHCB scratch handling for page state change requests. Reported to security@kernel.org; fixed in mainline (db3f219), CVE pending.

2026 · Guest-to-host escape via QEMU CXL Type 3 mailbox overflows
Three bugs in QEMU’s CXL mailbox emulation chain into a deterministic VM escape with full ASLR bypass in four mailbox commands. Reported to qemu-security; classified as non-security per CXL policy scope.

2026 · Hunting concurrency bugs: a race condition in CPython’s perf_trampoline
Use-after-free in CPython’s profiler trampoline teardown. Reported as Issue #143228; fixed via arena refcounting in 3.13/3.14.

2025 · SQL injection in the Django ORM (CVE-2025-64459)
Unsafe string formatting of the Q object connector allows injection into WHERE clauses via Q(**user_input). Fixed in Django 5.1.14, 4.2.26, and 5.2.8.
