
Luke Francis

Security researcher · 17 · New Braunfels, Texas

About

I find bugs in browsers, infrastructure, and codecs. Nine published CVEs across Chrome, WebKit, etcd, Traefik, and Envoy. The work spans spec-compliance auditing, IPC trust-boundary analysis, and code review of widely deployed infrastructure.

Currently: WebKit exploit chain development, codec vulnerability research (libvpx, libaom), and college applications (MIT, Stanford, CMU).

Published CVEs

  1. CVE-2026-3061 — Chrome H.264 PPS parser missing range validation. CVSS 9.1, zero-interaction via <video>. $10,000 Google VRP.
  2. CVE-2026-5902 — Chrome Android video encoder TOCTOU in shared memory. High severity. Patched within 24 hours.
  3. CVE-2026-5907 — Chrome H.264 range validation overflow. Second finding from extending the spec-compliance audit.
  4. CVE-2026-28962 — Apple WebKit WebContent sandbox escape. Unguarded IPC handler returned attacker-controlled file contents to compromised renderers, enabling arbitrary host file reads. Credited in iOS/iPadOS 26.5 and macOS Tahoe 26.5.
  5. CVE-2026-33413 — etcd authorization bypass across multiple APIs (MemberList, Alarm, Lease, compaction). CVSS 8.8.
  6. CVE-2026-33343 — etcd nested transactions bypass RBAC entirely. CVSS 6.5.
  7. CVE-2026-31360 — Traefik SPIFFE trust-domain bypass. Cross-trust-domain service impersonation. CVSS 8.2.
  8. CVE-2026-31361 — Traefik ACME private key exposure via logs. Five-year regression of a partial v1.7.20 fix.
  9. CVE-2026-6994 — Envoy query-parameter injection via header_mutation. Auth bypass and SQLi/XSS upstream. CVSS 6.3.
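
The first and third Chrome entries are both range-validation bugs in H.264 parameter-set parsing. The parser below is an added illustration for this page, not Chrome's code and not the actual bug: it reads the fixed part of a picture parameter set from its RBSP and rejects any ue(v)/se(v) field that falls outside the range the H.264 spec assigns it (clause 7.4.2.2), with a bit reader that refuses to read past the end of the buffer and an Exp-Golomb decoder that refuses codes too long to fit in 32 bits. It assumes 8-bit luma (QpBdOffsetY = 0), that emulation-prevention bytes have already been stripped, and it does not decode the slice-group tables. The four byte strings are constructed for the example, not captured from any real stream.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bit reader over an RBSP (emulation-prevention bytes already removed). */
typedef struct {
    const uint8_t *data;
    size_t nbits;   /* total bits available */
    size_t pos;     /* current bit offset */
} bitreader_t;

static bool read_bits(bitreader_t *br, unsigned n, uint32_t *out) {
    if (n > 32 || n > br->nbits - br->pos) return false;   /* never read past the end */
    uint32_t v = 0;
    for (unsigned i = 0; i < n; i++, br->pos++)
        v = (v << 1) | ((br->data[br->pos >> 3] >> (7 - (br->pos & 7))) & 1u);
    *out = v;
    return true;
}

/* ue(v): leadingZeroBits zeros, a one, then leadingZeroBits more bits.
 * More than 31 leading zeros cannot be a valid code and would overflow codeNum. */
static bool read_ue(bitreader_t *br, uint32_t *out) {
    unsigned zeros = 0;
    uint32_t bit, suffix = 0;
    for (;;) {
        if (!read_bits(br, 1, &bit)) return false;
        if (bit) break;
        if (++zeros > 31) return false;
    }
    if (zeros > 0 && !read_bits(br, zeros, &suffix)) return false;
    *out = ((1u << zeros) - 1u) + suffix;
    return true;
}

/* se(v): codeNum k maps to (-1)^(k+1) * ceil(k/2). */
static bool read_se(bitreader_t *br, int32_t *out) {
    uint32_t k;
    if (!read_ue(br, &k)) return false;
    int64_t mag = ((int64_t)k + 1) / 2;
    *out = (int32_t)((k & 1u) ? mag : -mag);
    return true;
}

/* Read a field and reject it unless lo <= value <= hi (the spec's stated range). */
static bool ue_in(bitreader_t *br, const char *name, uint32_t lo, uint32_t hi, uint32_t *out) {
    uint32_t v;
    if (!read_ue(br, &v)) { fprintf(stderr, "%s: truncated\n", name); return false; }
    if (v < lo || v > hi) { fprintf(stderr, "%s=%u outside [%u,%u]\n", name, v, lo, hi); return false; }
    *out = v;
    return true;
}

static bool se_in(bitreader_t *br, const char *name, int32_t lo, int32_t hi, int32_t *out) {
    int32_t v;
    if (!read_se(br, &v)) { fprintf(stderr, "%s: truncated\n", name); return false; }
    if (v < lo || v > hi) { fprintf(stderr, "%s=%d outside [%d,%d]\n", name, v, lo, hi); return false; }
    *out = v;
    return true;
}

typedef struct {
    uint32_t pic_parameter_set_id, seq_parameter_set_id;
    uint32_t entropy_coding_mode_flag, bottom_field_pic_order_in_frame_present_flag;
    uint32_t num_slice_groups_minus1;
    uint32_t num_ref_idx_l0_default_active_minus1, num_ref_idx_l1_default_active_minus1;
    uint32_t weighted_pred_flag, weighted_bipred_idc;
    int32_t pic_init_qp_minus26, pic_init_qs_minus26, chroma_qp_index_offset;
    uint32_t deblocking_filter_control_present_flag, constrained_intra_pred_flag,
             redundant_pic_cnt_present_flag;
} pps_t;

/* Parse the fixed part of pic_parameter_set_rbsp() (H.264 7.3.2.2, ranges from 7.4.2.2).
 * Assumption for this example: 8-bit luma, so QpBdOffsetY = 0 and pic_init_qp_minus26 is -26..25. */
bool parse_pps(const uint8_t *rbsp, size_t len, pps_t *p) {
    bitreader_t br = { rbsp, len * 8, 0 };
    if (!ue_in(&br, "pic_parameter_set_id", 0, 255, &p->pic_parameter_set_id)) return false;
    if (!ue_in(&br, "seq_parameter_set_id", 0, 31, &p->seq_parameter_set_id)) return false;
    if (!read_bits(&br, 1, &p->entropy_coding_mode_flag)) return false;
    if (!read_bits(&br, 1, &p->bottom_field_pic_order_in_frame_present_flag)) return false;
    if (!ue_in(&br, "num_slice_groups_minus1", 0, 7, &p->num_slice_groups_minus1)) return false;
    if (p->num_slice_groups_minus1 > 0) {
        /* slice_group_map_type and its tables would follow; this example does not decode them */
        fprintf(stderr, "slice groups not handled by this example\n");
        return false;
    }
    if (!ue_in(&br, "num_ref_idx_l0_default_active_minus1", 0, 31, &p->num_ref_idx_l0_default_active_minus1)) return false;
    if (!ue_in(&br, "num_ref_idx_l1_default_active_minus1", 0, 31, &p->num_ref_idx_l1_default_active_minus1)) return false;
    if (!read_bits(&br, 1, &p->weighted_pred_flag)) return false;
    if (!read_bits(&br, 2, &p->weighted_bipred_idc)) return false;
    if (p->weighted_bipred_idc > 2) { fprintf(stderr, "weighted_bipred_idc=%u outside [0,2]\n", p->weighted_bipred_idc); return false; }
    if (!se_in(&br, "pic_init_qp_minus26", -26, 25, &p->pic_init_qp_minus26)) return false;
    if (!se_in(&br, "pic_init_qs_minus26", -26, 25, &p->pic_init_qs_minus26)) return false;
    if (!se_in(&br, "chroma_qp_index_offset", -12, 12, &p->chroma_qp_index_offset)) return false;
    if (!read_bits(&br, 1, &p->deblocking_filter_control_present_flag)) return false;
    if (!read_bits(&br, 1, &p->constrained_intra_pred_flag)) return false;
    if (!read_bits(&br, 1, &p->redundant_pic_cnt_present_flag)) return false;
    return true;
}

/* Constructed RBSP payloads (NAL header byte 0x68 omitted), hand-assembled for this example. */
const uint8_t kPpsOk[]        = { 0xCE, 0x3C, 0x80 };              /* all ids 0, deblocking control present */
const uint8_t kPpsBadId[]     = { 0x00, 0x96, 0xCE, 0x3C, 0x80 };  /* pic_parameter_set_id = 300 (> 255) */
const uint8_t kPpsBadQp[]     = { 0xCE, 0x01, 0xE7, 0x20 };        /* pic_init_qp_minus26 = +30 (> 25) */
const uint8_t kPpsTruncated[] = { 0xCE };                          /* ends inside weighted_bipred_idc */

int main(void) {
    const struct { const char *label; const uint8_t *rbsp; size_t len; } cases[] = {
        { "ok", kPpsOk, sizeof kPpsOk }, { "bad id", kPpsBadId, sizeof kPpsBadId },
        { "bad qp", kPpsBadQp, sizeof kPpsBadQp }, { "truncated", kPpsTruncated, sizeof kPpsTruncated },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        pps_t p;
        printf("%-9s -> %s\n", cases[i].label, parse_pps(cases[i].rbsp, cases[i].len, &p) ? "accepted" : "rejected");
    }
    return 0;
}
```

The two things worth noticing are that the range check sits at the point of decoding rather than at the point of use, so a value such as pic_parameter_set_id = 300 is refused before it can ever index a table, and that the Exp-Golomb decoder bounds its own prefix length, since an unbounded run of zero bits is the other classic way a crafted parameter set reaches a shift or index it should not.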

Other research

Writeups

48 Hours on a SCADA Honeypot

Two days of captures from a SCADA-themed honeypot on Hetzner: WannaCry samples still propagating in 2026, Outlaw/mdrfckr botnet credential stuffing from Romania, Solana validator credential harvesting, and automated Modbus/TCP scanning.

Contact

This page boots a real Linux kernel in your browser via v86. The interactive terminal is the canonical experience — this static layer exists for crawlers, screen readers, and visitors without JavaScript, as well as people who don't want to go through the hassle of the terminal.