About Me
I'm Prabhav, an Offensive Security Engineer and independent vulnerability researcher. My focus is on software security, specifically hunting for high-severity bugs within critical open-source infrastructure. I systematically audit the foundational layers of modern tech stacks focusing on parsers, compilers, and network architectures to identify the bugs that lead to security vulnerabilities.
If you want to collaborate on research, talk about an interesting bug, or just say hi, feel free to reach out on LinkedIn!
Featured Research & Advisories
Vulnerabilities I have discovered and responsibly disclosed in open-source infrastructure.
CVE-2026-34979: Heap-based Buffer Overflow in CUPS Scheduler Leads to Denial of Service (DoS)
Medium 6.9An unauthenticated heap-based buffer overflow in cupsd allows for remote denial-of-service. The vulnerability stems from a size calculation discrepancy in URI attribute handling.
CVE-2026-33871: Netty's Uncapped HTTP/2 CONTINUATION Frames Leads to Denial of Service (DoS)
High 8.7Netty's HTTP/2 frame reader accepts unlimited CONTINUATION frames with no count limit — the only mitigation is fully bypassed by 0-byte frames, enabling CPU exhaustion with minimal attacker bandwidth.
CVE-2026-27784: Integer Overflow in nginx ngx_http_mp4_module causes Out of Bounds Read/Write
High 8.5An integer overflow in nginx's MP4 module on 32-bit systems silently bypasses bounds checks, exposing adjacent heap memory and enabling potential denial of service.
CVE-2026-29062: Nesting Depth Bypass in DataInput Parser Leads to Unsafe Deserialization in jackson-core
High 8.7The DataInput parser bypasses the maxNestingDepth constraint entirely, allowing an attacker to craft deeply nested JSON that exhausts the JVM stack and causes an immediate denial of service.
More detailed write-ups, analysis, and research notes on the blog.
View all posts & research →