AUTONOMOUS · ADVERSARIAL · VERIFIABLE

Autonomous Security Research.
Built to Prove.

Vorthix is an autonomous AI security researcher — not a scanner. It reads your source code and binaries, forms attack hypotheses, exploits the candidates that hold, and proves each one with sanitizer-backed evidence. Built by researchers who have found vulnerabilities in libexpat, pymonocypher, FreeRDP, and critical open-source infrastructure.

> Every finding ships with a deterministic reproducer.

C · C++ · Rust · Go · Python · TypeScript · JavaScript · Java · Kotlin · Ruby · PHP · Swift · Assembly · Solidity

WHY MOST SECURITY TOOLING FAILS

A wall of warnings is not security. Proof is.

Scanners cry wolf

Pattern-matched warnings bury real bugs under noise. Engineers burn days triaging maybes that were never exploitable in the first place.

Coverage has blind spots

Pattern matching cannot reach logic flaws, incomplete fix bypasses, or cryptographic misuse. The bugs that become CVEs live exactly where signatures never walk.

Manual review cannot scale

Elite offensive talent takes weeks per codebase. Vorthix reasons through the same surface continuously, in parallel, without losing context.

THE LOOP

An autonomous researcher that thinks — not one that brute-forces.

01 INGEST

Vorthix clones the repository, compiles with AddressSanitizer, UBSan, and coverage instrumentation. It builds a model of every reachable entry point, sink, and trust boundary — source or binary.

02 HYPOTHESIZE

The agent reasons adversarially. It prioritizes parsers, decoders, deserializers, and auth paths. It reads patches as claims and finds the paths where the claim’s assumption breaks.

03 PROVE

A candidate becomes a finding only when it crashes under sanitizer. Vorthix confirms determinism across repeated runs. No finding is reported until it is reproducible.

04 REPORT

Minimized reproducer. Sanitizer trace. Root-cause path. Suggested patch. A regression test that fails before and passes after. The full disclosure package, written autonomously.

vorthix-agent · XOR-1 · session.log
18:43:40 INFO   ITERATION 42/50
18:43:40 INFO   Calling XOR-1...
18:48:31 INFO   XOR-1 responded in 291.2s
18:48:31 THINK  Reading patch PR #1246 as a claim...
18:48:31 THINK  Assumption: m_handlerCallDepth incremented before every handler
18:48:31 PLAN   Mapping all call sites of m_characterDataHandler...
18:55:09 THINK  Gap found: doCdataSection() XML_TOK_DATA_CHARS — no beforeHandler()
19:01:52 TOOL   Compiling PoC with AddressSanitizer...
19:05:54 RESULT heap-use-after-free confirmed at xmlparse.c:4622
19:05:54 RESULT CVE-2026-56412 — PROVEN

ZERO FALSE POSITIVES

POC or it didn't happen.

Every finding comes with a working proof-of-concept. A sanitizer trace for memory corruption. The minimized input. The exact line that breaks. Verifiable, not speculative.

  • Sanitizer-confirmed crash
  • Minimized deterministic input
  • Exact root-cause line

poc_libexpat · AddressSanitizer
$ ./poc_libexpat
==================================================
==41337==ERROR: AddressSanitizer: heap-use-after-free
READ of size 4 at 0x60b000000a40 thread T0
    #0 doCdataSection xmlparse.c:4622
    #1 XML_ParseBuffer xmlparse.c:2103
    #2 main poc_libexpat.c:58
SUMMARY: AddressSanitizer: heap-use-after-free
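
The PROVE gate described above (a sanitizer crash, reproduced identically across repeated runs) can be sketched as a triage check over captured AddressSanitizer output. This is an added example, not Vorthix code; the function names, the three-run minimum and the sample reports are assumptions constructed from the trace shown above.

```python
import re

# Constructed sample reports modelled on the trace above; the PID and the
# faulting address can differ between runs, so neither is part of the signature.
RUN_A = """\
==41337==ERROR: AddressSanitizer: heap-use-after-free
READ of size 4 at 0x60b000000a40 thread T0
    #0 doCdataSection xmlparse.c:4622
    #1 XML_ParseBuffer xmlparse.c:2103
    #2 main poc_libexpat.c:58
SUMMARY: AddressSanitizer: heap-use-after-free
"""
RUN_B = RUN_A.replace("41337", "41902").replace("0x60b000000a40", "0x60b000001c80")
# Constructed "flaky" run: same bug class, but the crash lands in another frame.
RUN_FLAKY = RUN_A.replace("#0 doCdataSection xmlparse.c:4622", "#0 hypothetical_fn other.c:10")

ERROR_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+)", re.M)
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+", re.M)
# Accepts the abbreviated frames shown above and full "#0 0x... in fn file:line:col" frames.
FRAME_RE = re.compile(
    r"^[ \t]*#(\d+)[ \t]+(?:0x[0-9a-f]+[ \t]+in[ \t]+)?(\S+)[ \t]+([^\s:]+):(\d+)(?::\d+)?[ \t]*$",
    re.M)

def signature(report, depth=3):
    """Return (bug class, access, top frames of the first stack), or None if no ASan error."""
    err = ERROR_RE.search(report)
    if not err:
        return None
    acc = ACCESS_RE.search(report)
    access = (acc.group(1), int(acc.group(2))) if acc else None
    frames = []
    for m in FRAME_RE.finditer(report):
        if int(m.group(1)) != len(frames):  # numbering restarted: a later (free/alloc) stack
            break
        frames.append((m.group(2), m.group(3).rsplit("/", 1)[-1], int(m.group(4))))
        if len(frames) == depth:
            break
    return (err.group(1), access, tuple(frames))

def confirm(reports, min_runs=3):
    """Accept a finding only if every run crashed and all signatures are identical."""
    sigs = [signature(r) for r in reports]
    if len(sigs) < min_runs or None in sigs or len(set(sigs)) != 1:
        return False, None
    return True, sigs[0]

if __name__ == "__main__":
    print(confirm([RUN_A, RUN_B, RUN_A]))      # stable across runs
    print(confirm([RUN_A, RUN_B, RUN_FLAKY]))  # rejected: signatures diverge
    print(confirm([RUN_A, "", RUN_B]))         # rejected: one run did not crash
```

Comparing normalized signatures rather than raw output keeps the check stable when process IDs and heap addresses change between runs.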

RECENT FINDINGS

What Vorthix proved this month.

INCOMING

CVE ASSIGNED — PENDING DISCLOSURE

FreeRDP — CVE assigned, coordinated disclosure in progress

A vulnerability in FreeRDP has been assigned a CVE. Coordinated disclosure with maintainers is underway. Full technical writeup publishes when the patch ships.

freerdp · pending
-rw-r--r-- · July 2026 · REDACTED

INCOMING

CVE ASSIGNED — PENDING DISCLOSURE

Critical open-source target — coordinated disclosure in progress

A separate finding against critical open-source infrastructure has been assigned a CVE. Target undisclosed pending coordinated release.

undisclosed · pending
-rw-r--r-- · July 2026 · REDACTED

THE DIFFERENTIATOR

Every finding is backed by evidence you can replay.

Source to binary

Full-stack analysis. Source code, compiled binaries, stripped firmware. If it runs, Vorthix can reason about it.

Incomplete fix detection

Reads patches as claims. Finds the code paths where the fix’s assumption breaks — the bugs a scanner never finds because it only checks what changed.

Zero false positives

A finding is not a finding until AddressSanitizer confirms it. Deterministic reproduction across repeated runs. Nothing speculative ships.

Machine speed, researcher depth

Iterates 50 hypothesis cycles in the time a manual researcher reads the file tree. Chains low-severity findings into critical attack paths.

WHO BUILT THIS

Researchers, not a startup.

Vorthix is built by security researchers and AI engineers who have found vulnerabilities in libexpat, pymonocypher, FreeRDP, and critical infrastructure software. The AI does the work. We validate the proof.

Internal agent codename: XOR-1 · 100% autonomous

  • CVEs Published: 4+
  • False Positives Shipped: 0
  • Targets Analyzed: Growing
  • Executions/sec Fuzzing: 1M+

Point it at a target. Leave with proof.

Private access open to security teams and researchers.