From 45 items, 17 important content pieces were selected
- Bun Rewritten from Zig to Rust, 1M+ Lines Merged āļø 9.0/10
- Anthropic Partners with SpaceX for Colossus Compute āļø 9.0/10
- NGINX 18-Year-Old RCE Vulnerability CVE-2026-42945 āļø 9.0/10
- DeepSeek Session Isolation Vulnerability: Unclosed ā<thinkā Leaks Conversations āļø 9.0/10
- vLLM v0.21.0 Released with Breaking Changes and New Features āļø 8.0/10
- Removing Modem and GPS from 2024 RAV4 Hybrid āļø 8.0/10
- First public macOS kernel exploit targets Apple M5 āļø 8.0/10
- RTX 5090 eGPU with M4 MacBook Air: Gaming and LLM Breakthrough āļø 8.0/10
- Nginx Exploit Targets Rewrite Directives āļø 8.0/10
- arXiv bans hallucinated references for 1 year āļø 8.0/10
- MIT President on Funding and Talent Pipeline Challenges āļø 8.0/10
- AI reliance may degrade developer skills āļø 8.0/10
- Atomic buffered writes discussed at LSFMM+BPF 2026 āļø 8.0/10
- COW context proposed to replace anonymous reverse mapping āļø 8.0/10
- Comprehensive Study: FP8 Remains Best for KV-Cache Quantization āļø 8.0/10
- US Approves H200 Chip Sales to Chinese Tech Giants āļø 8.0/10
- JD.com Launches AI Hardware Store, Restocks Sanctioned NVIDIA GPUs āļø 8.0/10
Bun Rewritten from Zig to Rust, 1M+ Lines Merged āļø 9.0/10
Bunās codebase has been completely rewritten from Zig to Rust, with over 1 million lines of Rust code now merged into the main branch. The rewrite was accomplished in approximately one week using a detailed porting guide mapping Zig idioms to Rust. This groundbreaking rewrite transforms Bunās architecture under the hood, potentially improving performance and memory safety while leveraging Rustās ecosystem. It also demonstrates a viable methodology for large-scale, LLM-assisted codebase translation, with implications for software complexity management. The Rust codebase has over 10,000 unsafe blocks across 736 files, indicating a mechanical translation that preserved many Zig-specific patterns. The total code size rivals the Rust compiler itself, with nearly 1M lines of Rust code compared to about 700K lines of the original Zig.
hackernews Ā· Chaoses Ā· May 14, 08:15 Ā· Discussion
Background: Bun is a fast, all-in-one JavaScript runtime and toolkit built originally in Zig, known for its speed and compatibility with Node.js. Zig is a system programming language designed as a modern alternative to C, while Rust is a memory-safe systems language with a strong ecosystem. The rewrite was guided by a detailed porting document that mapped Zig constructs to Rust, using internal smart pointer types that already had Rust equivalents.
References
Discussion: The discussion reveals a mix of awe and technical curiosity. Some commenters noted the impressive preparationāa detailed porting guideāand questioned why a translator wasnāt automated. Others pointed out the high number of unsafe blocks and suggested that Bunās complexity is becoming a test case for software engineering in the LLM era.
Tags: #Bun, #Rust, #Zig, #Software Engineering, #Rewrite
Anthropic Partners with SpaceX for Colossus Compute āļø 9.0/10
Anthropic announced a partnership with SpaceX to access the entire Colossus 1 data center, gaining over 300 MW of new compute capacity and more than 220,000 NVIDIA GPUs, effective immediately. This massive infrastructure scaling significantly increases compute resources for Claude, doubling rate limits for Claude Code and removing peak restrictions for Pro/Max users, directly benefiting developers and enterprises relying on Anthropicās AI. The partnership includes over 220,000 NVIDIA GPUs and 300 MW of additional capacity from SpaceXās Colossus 1 data center; Claude Codeās 5-hour rate limit is doubled and peak restrictions for Pro/Max users are removed, while Claude Opus API rate limits have also been significantly increased.
telegram Ā· zaihuapd Ā· May 14, 00:57
Background: Colossus 1 is a supercomputer built by xAI (Elon Muskās AI company) in Memphis, Tennessee, originally for training AI models and supporting projects like X and SpaceX. It houses a massive cluster of NVIDIA GPUs and has been expanded to over 300 MW capacity. Anthropic, the developer of the Claude AI assistant, now rents all of its computing power to meet surging demand for its models.
References
Tags: #AI, #Anthropic, #SpaceX, #compute infrastructure, #Claude
NGINX 18-Year-Old RCE Vulnerability CVE-2026-42945 āļø 9.0/10
On May 13, 2026, depthfirst and F5 disclosed CVE-2026-42945, a heap buffer overflow in NGINXās rewrite module that allows unauthenticated remote code execution. The vulnerability has been present in NGINX code since 2008, affecting versions 0.6.27 to 1.30.0, and patches have been released. This vulnerability affects billions of servers globally, including NGINX Open Source, NGINX Plus, and many enterprise products, making it critical for infrastructure security. Immediate patching is strongly recommended to prevent potential widespread attacks. The vulnerability is a heap buffer overflow caused by inconsistent state in the two-pass execution engine when rewrite directives contain question marks, leading to memory corruption. Exploitation requires a specific rewrite configuration pattern, and successful attacks can achieve code execution in the NGINX worker process.
telegram Ā· zaihuapd Ā· May 14, 02:41
Background: NGINX is a widely used web server and reverse proxy, especially in cloud-native environments. Its rewrite module processes URI rewriting via a two-pass execution: first calculating buffer length, then writing the result. A flag inconsistency causes the second pass to write more data than allocated, causing overflow.
References
Tags: #nginx, #vulnerability, #rce, #CVE-2026-42945, #security
DeepSeek Session Isolation Vulnerability: Unclosed ā<thinkā Leaks Conversations āļø 9.0/10
A session isolation vulnerability in DeepSeekās dialogue system has been disclosed, where sending an unclosed ā<thinkā string in a new empty conversation causes the model to return fragments of other usersā conversation histories, potentially including sensitive information such as code, keys, and private data. The vulnerability was reported responsibly on May 11, 2026, by the researcher cancat2024. This vulnerability poses a severe privacy risk as it allows unauthorized access to other usersā conversation data, including potentially confidential or proprietary information. Given the widespread use of DeepSeekās API and web interface, this could lead to widespread data breaches if exploited. The vulnerability specifically triggers when the user sends an unclosed ā<thinkā string without a closing tag, causing the model to incorrectly output fragments from other sessions. The researcher noted that the issue also affects third-party deployments, indicating it may be inherent to the modelās architecture rather than a simple web server bug.
telegram Ā· zaihuapd Ā· May 14, 13:15
Background: DeepSeekās dialogue system uses a special ā<thinkā token to indicate reasoning steps, often used in chain-of-thought prompting. The ā<thinkā token is intended to be paired with a closing ā<ļ½endāofāthinkingļ½> to mark internal reasoning. In this vulnerability, leaving the ā<thinkā tag unclosed confuses the modelās session handling, causing it to retrieve data from other usersā conversations instead of isolating each session.
References
Discussion: In the GitHub issue, community members noted that third-party deployments also exhibit the vulnerability, suggesting it is a fundamental model issue rather than a simple API bug. Some speculated that the model might be āhallucinatingā the data, while others confirmed that actual user data was being leaked, raising serious privacy concerns.
Tags: #security, #vulnerability, #deepseek, #AI safety, #data leakage
vLLM v0.21.0 Released with Breaking Changes and New Features āļø 8.0/10
vLLM v0.21.0 introduces breaking build changes including deprecation of transformers v4 and a C++20 build requirement, along with new features such as KV offloading with hybrid memory allocator, speculative decoding with thinking budgets, and a TOKENSPEED_MLA attention backend for Blackwell GPUs. This release significantly impacts the LLM inference ecosystem by enforcing migration to transformers v5 and requiring updated compilers, while also improving memory efficiency and decoding performance, especially for reasoning models on NVIDIA Blackwell GPUs. The release includes 367 commits from 202 contributors, with support for new model architectures like MiMo-V2.5 and Cohere Eagle, as well as performance optimizations like FlashInfer top-p sampler enabled by default and a 51% faster AllPool.forward.
github Ā· khluu Ā· May 14, 23:15
Background: vLLM is an open-source library for fast LLM inference and serving. KV cache offloading moves key-value tensors to CPU memory to reduce GPU memory usage, and the hybrid memory allocator manages both GPU and CPU memory pools. Speculative decoding uses a draft model to predict multiple tokens that are then verified, speeding up inference. The TOKENSPEED_MLA backend is a specialized attention implementation for MLA (Multi-Latent Attention) used in models like DeepSeek, optimized for Blackwell GPUs.
References
Tags: #vllm, #LLM inference, #breaking change, #GPU, #transformers
Removing Modem and GPS from 2024 RAV4 Hybrid āļø 8.0/10
A detailed guide was published on physically removing the cellular modem and GPS unit from a 2024 Toyota RAV4 hybrid to stop telemetry data collection by the vehicle. This guide addresses growing privacy concerns over vehicle telemetry data collection, which can be shared with insurance companies or other third parties, and empowers owners to take control of their data. Even after modem removal, connecting a phone via Bluetooth can still allow telemetry transmission through the phoneās internet, but using a wired USB connection avoids this. Removing the modem may disable safety features like Toyotaās Safety Connect roadside assistance.
hackernews Ā· arkadiyt Ā· May 14, 17:08 Ā· Discussion
Background: Modern vehicles are equipped with a telematic control unit (TCU) that collects data from internal systems and communicates with cloud services. Toyotaās Safety Connect is a subscription-based telematics system providing services like remote diagnostics and emergency assistance. Privacy advocates warn that such data can be shared with insurers without explicit consent.
Discussion: Commenters noted that the Ford Maverick has a single fuse for the telematics unit that can be removed without errors, offering a simpler alternative. Others shared personal issues with Toyotaās GPS compass heading errors and lack of manufacturer support, motivating hardware removal.
Tags: #privacy, #vehicle telemetry, #hardware mod, #Toyota, #data collection
First public macOS kernel exploit targets Apple M5 āļø 8.0/10
The security research team Calif disclosed the first public macOS kernel memory corruption exploit specifically targeting Appleās M5 chip, demonstrating a critical vulnerability in the kernel. This marks a significant milestone in Apple security research as it exposes a previously unknown vulnerability in the latest M5 architecture, potentially affecting millions of devices and challenging claims of M5ās security enhancements. The exploit involves kernel memory corruption, and the research report is 55 pages long. The vulnerabilityās survival despite MTE (Memory Tagging Extension) is a matter of curiosity, as noted in community comments.
hackernews Ā· quadrige Ā· May 14, 18:25 Ā· Discussion
Background: Appleās M5 chip is part of the Apple Silicon family, designed with advanced security features including MTE (Memory Tagging Extension) and Neural Accelerators. Kernel memory corruption exploits are among the most severe vulnerabilities, allowing attackers to gain full system control. This is the first public exploit of its kind for M5.
References
Discussion: Community comments express a mix of excitement and skepticism. Some users note the lack of technical details, while others discuss the potential bounty value ($100k-$1.5M). There is also sarcastic speculation about fabricated vulnerabilities, and one user regrets buying M5 due to MIE (Mythos Integrity Engine?).
Tags: #security, #macOS, #kernel, #exploit, #Apple M5
RTX 5090 eGPU with M4 MacBook Air: Gaming and LLM Breakthrough āļø 8.0/10
A developer successfully demonstrated using an RTX 5090 as an external GPU (eGPU) connected to an M4 MacBook Air, enabling playable gaming and significantly faster LLM inference on macOS. This is significant because Apple Silicon Macs officially do not support eGPUs, limiting their graphics and AI capabilities. The hack opens up new possibilities for macOS gaming and local AI workloads, potentially influencing future Apple decisions. The setup likely uses a virtual machine with GPU passthrough or a custom driver to bypass macOS limitations, as Apple only supports eGPUs on Intel Macs with AMD GPUs. The demonstration included both game benchmarks and LLM inference improvements, with notable gains in prompt processing speed.
hackernews Ā· allenleee Ā· May 14, 15:47 Ā· Discussion
Background: An external GPU (eGPU) connects to a computer via Thunderbolt or USB-C to provide additional graphics power. However, Apple Silicon Macsāunlike Intel-based Macsāhave never officially supported eGPUs for graphics acceleration, limiting macOS gaming and AI performance. This hack demonstrates a workaround using an RTX 5090, one of NVIDIAās most powerful consumer GPUs.
References
Discussion: Commenters expressed excitement and surprise, with many noting the impressive engineering feat. Some discussed the long-standing request for VM GPU passthrough on Apple Silicon, while others highlighted the practical benefits for LLM inference compared to gaming. A few pointed out that Appleās official stance remains unsupportive, but the hack represents a significant step forward.
Tags: #eGPU, #Apple Silicon, #gaming, #LLM, #hack
Nginx Exploit Targets Rewrite Directives āļø 8.0/10
A new Nginx exploit named Nginx-Rift was disclosed, targeting servers with specific rewrite directives using unnamed capture groups. F5 has released patches in versions 1.31.0 and 1.30.1 to address this vulnerability. This vulnerability is significant because Nginx is one of the most widely used web servers globally, and successful exploitation could lead to remote code execution under specific preconditions. The high community engagement (267 upvotes, 59 comments) underscores its technical importance and real-world impact. The exploit precondition includes a ārewriteā directive with a question mark in the replacement string, followed by a āsetā directive referencing a regex capture group. The published proof-of-concept assumes ASLR is disabled, but the disclosure claims a reliable ASLR bypass exists. F5 recommends using named captures instead of unnamed ones as a mitigation.
hackernews Ā· hetsaraiya Ā· May 14, 17:17 Ā· Discussion
Background: Nginx uses rewrite directives to manipulate request URIs based on regular expressions for URL redirection and access control. ASLR (Address Space Layout Randomization) is a defense-in-depth technique that randomizes memory addresses to make exploitation harder; bypassing it allows attackers to reliably hijack execution flow. This exploit combines a memory corruption vulnerability in Nginxās rewrite processing with a technique to bypass ASLR, significantly increasing its severity.
References
Discussion: Commenters expressed concern that although the published exploit requires ASLR to be disabled, the disclosure claims ASLR bypass is possible, making the vulnerability more severe than initially perceived. Some highlighted the specific preconditions and noted that F5ās mitigation (using named captures) is effective. Others debated whether alternative web servers written in memory-safe languages like Caddy (Go) or Jetty (Java) would be inherently more secure.
Tags: #security, #nginx, #exploit, #vulnerability, #aslr
arXiv bans hallucinated references for 1 year āļø 8.0/10
arXiv announced a policy that authors whose papers contain hallucinated references will face a 1-year ban from submitting to arXiv, after which they must have papers accepted at a reputable peer-reviewed venue before resubmitting. This policy aims to curb the growing problem of AI-generated āslopā in academic literature, preserving the integrity of scientific publishing. It sets a precedent for other preprint repositories and journals to follow. The ban is reportedly not yet live but planned; the policy details are not clearly listed on arXivās policies page yet. The ban applies regardless of intent, raising concerns about accidental inclusion of hallucinated references.
hackernews Ā· gjuggler Ā· May 14, 20:39 Ā· Discussion
Background: Hallucinated references are fake or non-existent citations generated by AI language models, which have been found in numerous academic papers, including at NeurIPS. This phenomenon is part of the broader issue of AI hallucination, where AI produces factually incorrect outputs. A Nature analysis suggests tens of thousands of 2025 publications might contain invalid references generated by AI.
References
Discussion: The community comments show strong support for the policy, with users emphasizing that arXiv is a privilege, not a right. Some users call for careful vetting to avoid punishing accidental mistakes, while others share anecdotes of colleagues being caught with AI slop and receiving revision requests.
Tags: #arXiv, #academic integrity, #AI hallucination, #scientific publishing
MIT President on Funding and Talent Pipeline Challenges āļø 8.0/10
MIT President Sally Kornbluth released a video message addressing the challenges in research funding and the talent pipeline, sparking a wide-ranging discussion on the state of US academia and science policy. The discussion reflects deep systemic issues in US research funding, immigration policies affecting talent flow, and growing disillusionment with academic careers, which could undermine long-term US competitiveness in science and technology. The message comes amid declining grant success rates and increasing administrative burdens, with community comments highlighting that unfunded students are less likely to accept admissions, and that many PhDs are leaving academia for industry.
hackernews Ā· dmayo Ā· May 14, 14:51 Ā· Discussion
Background: The US research ecosystem relies heavily on federal funding and a steady influx of talent from US and international students. Concerns about the talent pipeline often focus on funding shortfalls, visa restrictions, and the attractiveness of academic careers compared to industry. The discussion around President Kornbluthās message touches on these issues, reflecting broader anxieties about the future of American science.
Discussion: Community comments are deeply divided: many bemoan poor pay and job prospects in academia, with one commenter noting that 80% of recent PhDs they know want to leave. Others highlight executive interference and the high cost of degrees, while some from abroad see PhDs moving to industry as normal and not a crisis.
Tags: #academia, #research funding, #talent pipeline, #US science policy
AI reliance may degrade developer skills āļø 8.0/10
A developer shares a personal reflection on how over-reliance on AI coding assistants is eroding their critical thinking and programming abilities, sparking a debate in the software engineering community. This debate highlights a growing concern that while AI boosts productivity, it may also contribute to skill atrophy, especially among junior developers, and challenges the industry to find a balanced approach to AI-assisted coding. The post received high engagement (388 upvotes, 236 comments), with commenters sharing contrasting experiencesāsome feel a persistent urge to verify AI output, while others find AI intellectually stimulating when used socraticly. No specific technical details were provided in the original post.
hackernews Ā· Eighth Ā· May 14, 18:19 Ā· Discussion
Background: AI coding assistants, such as GitHub Copilot and Claude, generate code based on natural language prompts, enabling āvibe codingā where developers quickly produce working apps. However, concerns have emerged that this may impede deep learning and problem-solving skills, particularly for novices. The term āvibe codingā refers to relying on AI to generate code with little understanding of the underlying logic.
Discussion: Comments reveal a split sentiment: some developers feel uneasy about blind trust and always verify AI output, while others report that Socratic interaction with AI enhances their learning. A junior developer noted that AI slowed down their onboarding due to over-reliance on generated code.
Tags: #AI, #software engineering, #programming productivity, #cognitive skills, #developer experience
Atomic buffered writes discussed at LSFMM+BPF 2026 āļø 8.0/10
At the 2026 Linux Storage, Filesystem, Memory Management, and BPF Summit (LSFMM+BPF), developers discussed atomic-buffered writes for the Linux kernel. PostgreSQLās need for 8KB atomic writes and a new writethrough-based approach were presented. This feature could dramatically improve performance for databases like PostgreSQL by eliminating the need for full-page writes in the write-ahead log (WAL), reducing write amplification and increasing transaction throughput. It also advances Linux kernel filesystem capabilities for modern NVMe storage. PostgreSQL currently uses full-page writes to the WAL to prevent torn 8KB pages, leading to a 14x increase in WAL size and lower transaction rates. The proposed writethrough approach writes data directly to disk instead of relying on page cache writeback, enabling atomic guarantees for buffered I/O.
rss Ā· LWN.net Ā· May 14, 14:54
Background: Atomic writes ensure that a write operation is either fully committed to disk or not at all, preventing torn writes. For buffered I/O, the Linux kernel typically uses a page cache with delayed writeback, which is incompatible with atomic guarantees. A writethrough cache strategy writes data immediately to the underlying storage, bypassing the cacheās delayed writeback.
References
Tags: #Linux kernel, #filesystem, #storage, #database, #atomic writes
COW context proposed to replace anonymous reverse mapping āļø 8.0/10
Lorenzo Stoakes proposed a āCOW contextā replacement for the kernelās anonymous reverse mapping at the 2026 Linux Storage, Filesystem, Memory Management, and BPF Summit, aiming to reduce complexity and improve performance. This proposal addresses long-standing performance issues and code complexity in a core kernel subsystem, potentially improving scalability and maintainability for all Linux systems. The COW context tracks anonymous mappings at the mm_struct (per-process) level instead of the per-VMA level, reducing the number of objects and lock contention during fork operations.
rss Ā· LWN.net Ā· May 14, 13:14
Background: Reverse mapping finds page-table entries that refer to a given physical page, which is needed for memory management. Anonymous pages currently use a complex per-VMA mechanism that suffers from high lock contention and memory overhead. Stoakesās COW context aims to simplify this by using a per-mm_struct structure that can outlive the process.
Tags: #Linux kernel, #memory management, #reverse mapping, #COW, #performance
Comprehensive Study: FP8 Remains Best for KV-Cache Quantization āļø 8.0/10
vLLM published a comprehensive benchmark study of TurboQuant KV-cache quantization variants, concluding that FP8 remains the best default, offering 2x capacity with negligible accuracy loss. TurboQuant 4bit-nc is the most practical variant but comes with trade-offs in accuracy and performance. This study provides clear, practical guidance for practitioners choosing KV-cache quantization methods, affecting deployment decisions for LLM inference in memory-constrained environments. It highlights that while high compression ratios are attractive, they often come at significant accuracy and latency costs. TurboQuant k8v4 offers 2.4x savings vs FP8ās 2x, but hurts throughput and latency. TurboQuant 3bit-nc and k3v4-nc show meaningful accuracy drops on reasoning tasks, while 4bit-nc is tolerable for memory-constrained edge deployments.
reddit Ā· r/LocalLLaMA Ā· MajorZesty Ā· May 14, 20:59 Ā· Discussion
Background: KV-cache quantization reduces memory consumption of the key-value cache during LLM inference, enabling longer context lengths. FP8 is an 8-bit floating-point format commonly used for quantization. TurboQuant is Googleās advanced KV-cache compression algorithm, achieving up to 6x reduction through techniques like non-uniform quantization and weight sharing.
References
Discussion: Community sentiment is mixed: some users criticize the lack of comparison with Q4 quantization, while others find 4bit-nc useful for memory-constrained scenarios. One user reports success with TurboQuant 2-3 on Gemma 4 with long context, while another confirms that FP8 numbers are visibly worse than unquantized.
Tags: #KV-cache quantization, #TurboQuant, #LLM inference, #FP8, #performance benchmarks
US Approves H200 Chip Sales to Chinese Tech Giants āļø 8.0/10
The US Department of Commerce has approved sales of NVIDIAās H200 AI chips to about 10 Chinese companies, including Alibaba, Tencent, and ByteDance, but no deliveries have been completed yet due to cautious Chinese stance. This marks a partial easing of US-China chip export controls, potentially allowing Chinese AI firms to access advanced hardware for AI workloads, while highlighting the ongoing trade tensions and Chinaās push for domestic alternatives. Each customer can purchase up to 75,000 H200 chips, and distributors like Lenovo and Foxconn have also received permits. The H200 is one generation behind NVIDIAās Blackwell processor, which remains banned for China.
telegram Ā· zaihuapd Ā· May 14, 08:57
Background: The H200 is a high-end GPU designed for AI and HPC workloads, featuring enhanced memory and bandwidth compared to predecessors. NVIDIA dominates the AI chip market, but US restrictions have limited sales of cutting-edge chips to China since 2022. The Chinese government has encouraged development of domestic AI chips to reduce dependency on foreign technology.
References
Tags: #AI chips, #geopolitics, #NVIDIA, #US-China trade, #H200
JD.com Launches AI Hardware Store, Restocks Sanctioned NVIDIA GPUs āļø 8.0/10
JD.com has launched an āAI Hardware JD Self-Operated Storeā and is now offering previously sanctioned NVIDIA GPUs including the RTX 5090 32G Turbo Edition, RTX PRO 6000 Blackwell Server Edition, and H100 for purchase in China. This development signals a potential easing of export controls or alternative supply channels for high-end AI GPUs in China, directly impacting AI compute accessibility and the broader tech industry amid ongoing geopolitical tensions. The RTX 5090 Turbo Edition is confirmed to be a āno-castrationā global unified specification model, while the H100 was previously suspended from export to China due to sanctions. The store also includes the RTX PRO 6000 for professional rendering and data centers.
telegram Ā· zaihuapd Ā· May 14, 15:15
Background: NVIDIAās Blackwell architecture, used in the RTX PRO 6000, is a GPU microarchitecture designed for AI and accelerated computing. The H100, based on the Hopper architecture, is a data center GPU critical for large-scale AI training. Both have been subject to US export restrictions targeting Chinaās access to advanced AI hardware.
Tags: #AI hardware, #NVIDIA, #export controls, #e-commerce, #China