Category: Security Research


  • Hunting Concurrency Bugs: How I Found a Race Condition in Python 3.12

    Summary: In this post, I detail my discovery of a critical race condition and Use-After-Free (UAF) vulnerability in CPython’s perf_trampoline implementation that causes immediate Segmentation Faults in Python 3.12 and SystemErrors in 3.13+. Through stress testing and GDB analysis, I determined that the crash occurs when sys.deactivate_stack_trampoline() is called concurrently with active bytecode execution. The…

  • Technical Write-up: SQL Injection in Django ORM CVE-2025-64459

    Summary: I discovered a critical SQL injection vulnerability in the Django ORM’s handling of Q objects (CVE-2025-64459). The internal WhereNode.as_sql method uses unsafe string formatting (%s) to inject the query connector (e.g., ‘AND’, ‘OR’) into the raw SQL query. An attacker can control this connector value via the _connector key when a Q object is…