Stan Shaw

I’m an independent security researcher focused on vulnerability discovery in widely-deployed infrastructure: operating system kernels, hypervisors, and language runtimes. My public work includes a SQL injection in the Django ORM (CVE-2025-64459), a use-after-free in CPython’s perf_trampoline (Issue #143228), a guest-to-host escape chain in QEMU’s CXL Type 3 mailbox emulation (writeup), a guest-triggered heap out-of-bounds in KVM’s SEV-SNP page-state-change handling (writeup), and an independently-discovered local privilege escalation in the Linux DRM GEM subsystem (writeup). Additional findings in web servers and hypervisors are under coordinated disclosure and will be published here after patches ship.

I’m currently an undergrad studying cyber at the University of Warwick.

Writing

Kernel LPE · 2026 · CVE-2026-46215
Use-after-free in DRM GEM change_handle
An unprivileged render-node race frees a GEM object under a live handle and chains to passwordless root. Found independently.

KVM heap OOB · 2026 · kernel.org
Heap out-of-bounds in KVM SEV-SNP
A malicious SEV-SNP guest walks a guest-sized PSC buffer off its end to read and corrupt the host kernel heap.

VM escape · 2026 · QEMU
Guest-to-host escape via QEMU CXL mailbox
Three CXL Type 3 mailbox bugs chain into a deterministic guest-to-host escape with a full ASLR bypass.

Runtime UAF · 2026 · #143228
A race condition in CPython’s perf_trampoline
A race in the profiler trampoline teardown leaves a freed arena reachable; fixed with arena refcounting.

ORM SQLi · 2025 · CVE-2025-64459
SQL injection in the Django ORM
Unsafe formatting of the Q object connector allows injection through Q(**user_input).

All writing →