Luke Francis

Security researcher · 17 · New Braunfels, Texas

About

I find bugs in browsers, infrastructure, and codecs. Eight published CVEs across Chrome, etcd, Traefik, and Envoy. The work spans spec-compliance auditing, IPC trust-boundary analysis, and code review of widely deployed infrastructure.

Currently: WebKit exploit chain development, codec vulnerability research (libvpx, libaom), and college applications (MIT, Stanford, CMU).

Published CVEs

  1. CVE-2026-3061 — Chrome H.264 PPS parser missing range validation. A spec-mandated constraint was not enforced, allowing out-of-range values to reach kernel GPU drivers through the hardware acceleration path. CVSS 9.1, zero-interaction via <video> tag. $10,000 Google VRP payout, Forbes coverage.
  2. CVE-2026-5902 — Chrome Android video encoder TOCTOU in shared memory. A compromised renderer can feed attacker-controlled data to codec parsers in the GPU process. High severity. Patched within 24 hours.
  3. CVE-2026-5907 — Chrome H.264 range validation overflow. A second finding in the same codec surface as CVE-2026-3061, found by extending the spec-compliance audit to additional parameter set fields. High severity.
  4. CVE-2026-33413 — etcd authorization bypass across multiple APIs. Unauthorized callers reach MemberList (cluster topology), Alarm, Lease APIs, and compaction. CVSS 8.8.
  5. CVE-2026-33343 — etcd nested transactions bypass RBAC entirely. An authenticated user with restricted key-range permissions can use nested transactions to access the entire data store. CVSS 6.5. Credited in the SIG-etcd security release.
  6. CVE-2026-31360 — Traefik SPIFFE trust-domain bypass. verifyServerCertMatchesURI overwrites the expected SPIFFE URI's host with the certificate's actual host before comparison, defeating trust-domain validation entirely. Cross-trust-domain service impersonation in zero-trust architectures using SPIRE or Consul Connect. CVSS 8.2 High.
  7. CVE-2026-31361 — Traefik ACME private key exposure via logs. GetPrivateKey() logs the entire DER-encoded key as decimal bytes when parsing fails. Five-year regression of a partial v1.7.20 fix that was never ported to v2.x or v3.x. Medium.
  8. CVE-2026-6994 — Envoy query-parameter injection via the header_mutation filter. query_parameter_mutations inserts header values into query strings without URL encoding, enabling auth bypass and SQLi/XSS on upstream services. CVSS 6.3. Affects v1.33.0+.
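
Added example, not part of the original page and not Traefik's code: a minimal Go model of the comparison flaw described in item 6, next to a strict check that leaves the expected ID untouched. The function names `matchOverwritingHost` and `matchStrict` and the SPIFFE IDs are hypothetical, constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
)

// Hypothetical helper modelling the flaw class from item 6 (not Traefik's code):
// the expected URI's host, which is the SPIFFE trust domain, is overwritten with
// the host from the presented certificate before the two are compared.
func matchOverwritingHost(expected, presented string) bool {
	exp, errE := url.Parse(expected)
	got, errG := url.Parse(presented)
	if errE != nil || errG != nil {
		return false
	}
	exp.Host = got.Host // trust domain now comes from the untrusted certificate
	return exp.String() == got.String()
}

// Hypothetical strict check: the expected ID is never modified, and scheme,
// trust domain and path must each match exactly.
func matchStrict(expected, presented string) bool {
	exp, errE := url.Parse(expected)
	got, errG := url.Parse(presented)
	if errE != nil || errG != nil {
		return false
	}
	for _, u := range []*url.URL{exp, got} {
		// A SPIFFE ID has no userinfo, port, query or fragment.
		if u.Scheme != "spiffe" || u.Host == "" || u.User != nil ||
			u.Port() != "" || u.RawQuery != "" || u.Fragment != "" {
			return false
		}
	}
	return exp.Host == got.Host && exp.Path == got.Path
}

func main() {
	// Constructed SPIFFE IDs: same workload path, different trust domains.
	expected := "spiffe://prod.example/ns/payments/sa/api"
	foreign := "spiffe://other.example/ns/payments/sa/api"
	fmt.Println("overwriting host:", matchOverwritingHost(expected, foreign))
	fmt.Println("strict:          ", matchStrict(expected, foreign))
	fmt.Println("strict, same ID: ", matchStrict(expected, expected))
}
```

A regression test for this class of bug pairs an expected ID with a certificate ID that differs only in trust domain and asserts rejection.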

Other research

Writeups

48 Hours on a SCADA Honeypot

Deployed a SCADA-themed honeypot on Hetzner mimicking industrial control system interfaces. Two days of captures: live WannaCry samples (still propagating in 2026), Outlaw/mdrfckr botnet credential stuffing from Romanian IPs, Solana validator credential harvesting, and automated Modbus/TCP scanning. Full writeup on X.

Wonder Ad Blocker — Reverse Engineering a Malicious Chrome Extension

A Chrome extension marketed as an ad blocker, with 500,000+ users, was operating as a distributed ad-intelligence scraping platform — injecting tracking scripts, harvesting browsing data, and phoning home to command infrastructure. Full writeup on X.

Contact

This page boots a real Linux kernel in your browser via v86. The interactive terminal is the canonical experience — this static layer exists for crawlers, screen readers, and visitors without JavaScript.