by three_burgers 26 days ago
CVE-2026-28952 is about an integer overflow due to lack of input validation. I wonder what makes such vulnerability difficult to discover by traditional SAST tools?
1 comment

Fuzzing, dynamic analysis or DAST might have found it too.

Assuming Apple has deployed all of these and has invested in the labor/training on how to properly use them.

Then why didn't they?
I think the real point is they didn't - until it became a "marketing" thing for another company who did it for them.

A lot of these issues would be highlighted by "legacy" (pre-AI) analysis tools. The issue is that they weren't being run.

Why not? We're talking about vulnerabilities with real market value here. If it was just a tool run, why weren't the tools run?

Isn't the simpler explanation that they weren't just a tool run?

The tools are expensive. One of the major players in the market has really expensive licensing fees. Then the developers all need to be trained on how to use the tools and understand the results. It’s not something they teach effectively in schools.

Software engineering is still kind of new overall.

Apple has a massive information security organization that has pretty intense resources at their disposal.

It seems borderline impossible that there's a tool that they feel would be beneficial but that they're classed out of using by license costs or by staff proficiency.

Which tool specifically are you thinking of that might have found this but wasn't run because of its very high licensing fees? I work in this field, I'll be familiar with it.
Could be any (combination) of

- looking at components in isolation, not realizing that a component could receive untrusted input

- looking at the entire system, but not in a configuration that made the CVE possible

- having to be extremely lucky to find the issue through fuzzing, and Apple not hitting that jackpot

- having found the issue in testing, but incompletely/incorrectly fixing it

- mostly focusing testing on other components because this one’s code didn’t change and hadn’t seen issues in years

I don’t think we have enough info to know which (or something entirely different) it is.
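The comment above lists reasons a tool can miss an integer overflow even when it is "in scope", the first being that a component is analyzed in isolation without realizing its input is untrusted. The following is an added, constructed example (not code from the thread, from Apple, or from CVE-2026-28952, whose details are not on this page) of the generic bug class the original post names: a length field pair from an untrusted header is multiplied in 32-bit arithmetic, wraps, and produces an undersized allocation. The header layout, the function names `parse_header`, `vuln_alloc_size` and `safe_alloc_size`, and the sample byte strings are all assumptions made for illustration. A SAST tool only flags the vulnerable version if it knows `buf` is attacker-controlled, which is exactly the cross-component knowledge the comment says may be missing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed record header (assumption for this example): two little-endian
   uint32 fields, an element count and an element size, read from an untrusted
   source such as a file or network message. */
typedef struct {
    uint32_t count;
    uint32_t elem_size;
} hdr_t;

/* Parse the 8-byte header. This is the taint source: if an analyzer does not
   know `buf` is attacker-controlled, the arithmetic below looks benign. */
static int parse_header(const uint8_t *buf, size_t len, hdr_t *out)
{
    if (buf == NULL || out == NULL || len < 8)
        return -1;
    out->count     = (uint32_t)buf[0] | (uint32_t)buf[1] << 8 |
                     (uint32_t)buf[2] << 16 | (uint32_t)buf[3] << 24;
    out->elem_size = (uint32_t)buf[4] | (uint32_t)buf[5] << 8 |
                     (uint32_t)buf[6] << 16 | (uint32_t)buf[7] << 24;
    return 0;
}

/* Vulnerable: both operands are uint32_t, so the product is computed in 32
   bits and wraps silently before it is widened to size_t. A caller that then
   copies count*elem_size bytes into a buffer of this size overflows it. */
size_t vuln_alloc_size(const hdr_t *h)
{
    uint32_t total = h->count * h->elem_size;   /* wraps for large inputs */
    return (size_t)total;
}

/* Hardened: validate against an explicit cap before multiplying. Because
   max_bytes fits in size_t, `count <= max_bytes / elem_size` guarantees the
   product neither wraps nor exceeds the cap. Returns 0 on rejection. */
size_t safe_alloc_size(const hdr_t *h, size_t max_bytes)
{
    size_t count = h->count, esz = h->elem_size;
    if (count == 0 || esz == 0)
        return 0;
    if (count > max_bytes / esz)
        return 0;                               /* would wrap or exceed cap */
    return count * esz;
}

/* Convenience wrappers: parse then size, so the whole untrusted path is one call. */
size_t vuln_size_from(const uint8_t *buf, size_t len)
{
    hdr_t h;
    return parse_header(buf, len, &h) == 0 ? vuln_alloc_size(&h) : 0;
}

size_t safe_size_from(const uint8_t *buf, size_t len, size_t max_bytes)
{
    hdr_t h;
    return parse_header(buf, len, &h) == 0 ? safe_alloc_size(&h, max_bytes) : 0;
}

/* Constructed inputs (not real captures). The malicious header encodes
   count = 0x10001 and elem_size = 0x10000; the true product is 0x100010000,
   which truncates to 0x10000 (65536) in 32 bits. */
const uint8_t kMaliciousHeader[8] = {0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00};
const uint8_t kBenignHeader[8]    = {0x10, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00};

int main(void)
{
    const size_t cap = (size_t)1 << 30;         /* 1 GiB sanity cap, an assumption */
    printf("benign:    vuln=%zu safe=%zu\n",
           vuln_size_from(kBenignHeader, 8), safe_size_from(kBenignHeader, 8, cap));
    printf("malicious: vuln=%zu safe=%zu (0 = rejected)\n",
           vuln_size_from(kMaliciousHeader, 8), safe_size_from(kMaliciousHeader, 8, cap));
    return 0;
}
```

The division-based check is preferred here over a post-hoc `total / elem_size != count` test because it never performs the wrapping multiplication at all, so it is also correct on 32-bit targets where `size_t` is as narrow as the header fields.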

... because it was vibe coded by someone in ... other country. Cut the corners, deliver fast! Consume tokens!