C news and developer summaries

Dirty Frag is a critical local privilege escalation (LPE) vulnerability affecting major Linux distributions. It exploits weaknesses in the kernel's network sub-systems (specifically AF_ALG/XFRM and AF_RXRPC) to gain root access. Because the disclosure embargo was breached, no official emergency patches currently exist, making the system highly vulnerable.

The NetHack DevTeam has released NetHack 5.0.0, introducing major architectural updates including C99 standard compliance, improved cross-compiling support, and a transition to Lua-based processing for compilers. This release is incompatible with previous save files. Developers welcome bug reports and pull requests to further refine this new version.

This 16-byte x86 DOS assembly program, created for the Outline Demoparty, generates a Sierpinski fractal on screen while simultaneously outputting it as audio via the PC speaker. By manipulating VGA memory and using cellular automaton logic, the code produces complex mathematical patterns and gritty bytebeat sounds, demonstrating advanced sizecoding techniques and hardware-level interaction in real-mode DOS.

Researchers discovered a critical heap buffer overflow in NGINX's ngx_http_rewrite_module, enabling unauthenticated remote code execution. The vulnerability stems from a mismatch in buffer size calculation versus data copying when handling the is_args flag. Exploitation leverages heap feng shui to redirect memory pointers and trigger system commands, requiring updates to patched versions.

Branch mispredictions hinder CPU performance by forcing pipeline restarts. By replacing conditional branches with branchless alternatives—such as using conditional increment instructions—developers can maintain linear control flow. Although branchless code may involve redundant memory writes, the performance gains on modern architectures are significant when dealing with unpredictable, large datasets.

The Zig development log for 2026 highlights significant updates, including a reworked build system for faster performance, LLVM backend incremental compilation, and a redesigned type resolution system. Key additions include experimental evented I/O implementations, improved package management with local caching, and a strategic migration to native Windows APIs, alongside ongoing efforts to replace vendored libc with Zig-native implementations.

Snowboard Kids 2 has been 100% decompiled, converting its MIPS assembly into readable C code. This milestone enables easier modding, asset extraction, and a planned recompilation project. The developer utilized community support and AI models like Claude and Codex to complete this two-year effort, aiming to eventually unite Snowboard Kids titles.

Presented at the 2026 Outline Demoparty, this 16-byte x86 assembly routine performs algorithmic art in DOS. By XORing video memory to generate a Sierpinski fractal, the code simultaneously renders visual patterns and produces audio via the PC speaker. The project demonstrates extreme memory efficiency and the interplay between mathematical sequences, display hardware, and low-level system design.

This project explores hosting a website on an 8-bit AVR64DD32 microcontroller. The author utilizes SLIP over a serial connection for network transport and implements a custom, minimal TCP stack. Connectivity is achieved using a WireGuard tunnel paired with a reverse proxy, allowing the low-power device to serve web content publicly despite its memory and processing limitations.

The author introduces sp.h, a portable, single-header C99 standard library designed for direct system interaction. By avoiding traditional libc dependencies, utilizing explicit allocators, and replacing null-terminated strings with length-prefixed slices, sp.h offers a modern, ergonomic, and high-performance alternative for systems programming, prioritizing simplicity and cross-platform compatibility without unnecessary heap abstraction.

WSL9x is a Windows 9x Subsystem for Linux that enables running a modern Linux kernel cooperatively alongside the Windows 9x kernel. It uses a custom VxD driver, a patched Linux kernel, and a DOS-based wsl.com client to allow simultaneous execution of applications from both operating systems without requiring a reboot.

The Zig development log for 2026 highlights significant updates, including a more efficient new ELF linker with fast incremental compilation, a restructured build system for improved performance, and revamped type resolution. Additionally, the project is replacing C-based libc implementations with direct Zig wrappers, adopting native Windows APIs for efficiency, and introducing enhanced package management workflows.

lib0xc is a library of C standard library-adjacent APIs designed to improve memory safety and code reliability. It uses macros, compiler extensions like clang's -fbounds-safety, and fixed-size data structures to catch errors at compile-time, providing a safer, more robust alternative to standard C functions while remaining source-compatible with existing projects.

Nintendo 64 typically struggled with additive blending because its RDP lacks color clamping, causing wrap-around artifacts. By rendering effects into a 32-bit buffer at reduced intensity and using the RSP to convert and clamp these to a 16-bit display buffer, developers can achieve high-quality additive blending effects efficiently.

CrossPoint Reader is an open-source firmware for the Xteink X4 e-paper reader. Built using PlatformIO for the ESP32-C3, it provides a customizable EPUB reading experience with features like KOReader Sync, font customization, and Wi-Fi support. The project optimizes performance for the device's constrained RAM by caching data on the SD card.

This project implements a custom port of Windows CE 2.11 for the Nintendo 64. By creating a custom HAL, display driver, and SD file system, the system runs on actual hardware using an EverDrive-64 X7. It enables a functional Win9x-style desktop, taskbar, file browser, and support for running third-party MIPS executables directly from an SD card.

The author is developing a custom, imperative, low-level programming language called pslang to address modding limitations in their game engine. Designed for performance and C-interop, the language uses indentation-based scoping and static, nominal typing. Though an ambitious long-term project, it serves currently as a creative side pursuit focused on simplicity and build-level experimentation.

A critical Linux kernel vulnerability, CVE-2026-46333, allows unprivileged users to read root-owned files by exploiting a race condition in pidfd_getfd. Vulnerable programs like ssh-keysign and chage enable root file exfiltration via FD-theft. The issue persists across major Linux distributions, highlighting a long-standing flaw in process exit synchronization.

Apple has integrated quantum-secure ML-KEM and ML-DSA algorithms into its corecrypto library to combat future quantum threats. To ensure implementation correctness, Apple developed rigorous formal verification methods, using tools like Isabelle, SAW, and Cryptol to mathematically prove that its optimized C and ARM64 assembly code faithfully matches FIPS specifications.

MacSurf is a native web browser for Classic Mac OS 9 that enables modern HTTPS and ES5 JavaScript on vintage PowerPC hardware. By implementing TLS 1.3 and a native rendering stack, it allows G3/G4 Macs to access modern websites without proxies, supporting features like CSS Grid, animations, and transparency on hardware from 1999.