ArubaOS 8.13.2.0 Smurf Amplification & ICMP Reflection: Pre-Auth Attack via Missing uRPF (HPE Bug Bounty)

A 28-year-old vulnerability class — Smurf amplification — alive in an enterprise controller shipping in 2026. Two independent packet captures prove reflection. Bugcrowd called it expected behavior. No fix issued.

June 1, 2026 · 3 min · JM00NJ

ArubaOS 8.13.2.0 Unauthenticated XXE to OOB SSRF Vulnerability on Port 32000 (HPE Aruba Bug Bounty)

ArubaOS 8.13.2.0 exposes an unauthenticated XML parser on port 32000 that resolves external entities, enabling OOB SSRF and internal port scanning. Wire-level pcap + target sshd log confirm server-side execution. Bugcrowd closed it as theoretical. No fix issued.

June 1, 2026 · 4 min · JM00NJ

DNS State Exhaustion: From TCP Slot Starvation to NXNS Amplification

TIME_WAIT and Sockstress don’t translate directly to UDP DNS, but DNS has its own state surface. Recursive-client tables, pending-query slots, TCP/853 (DoT) and TCP/443 (DoH) sockets, delegation chains, and DNSSEC validation state are all exhaustible. This post covers water torture, NXNS, TsuNAME, NRDelegation, and the operational defaults that make DNS a softer target than HTTP.

May 11, 2026 · 13 min · JM00NJ

TCP Connection State Exhaustion: TIME_WAIT, Sockstress, and Why 4-Tuple Math Beats Port Counting

The ‘65536 port’ framing is wrong. TCP connection capacity is governed by 4-tuple uniqueness and kernel state tables, not port counts. This post breaks down TIME_WAIT exhaustion, Sockstress (window=0 + Persist Timer abuse), Slowloris-class L7 variants, and the conditions under which each is still effective today.

May 11, 2026 · 11 min · JM00NJ

Boundary Mathematics: Weaponizing PAGE_SHIFT Arithmetic via FUSE — Part 3

MAX_LFS_FILESIZE only gates the superblock. Once the FUSE connection is up, every FUSE_GETATTR reply can mutate i_size to 0xFFFFFFFFFFFFFFFF. The page cache’s (pos + count - 1) >> PAGE_SHIFT arithmetic wraps unsigned, inverts loop invariants, and turns vma_merge() into an arbitrary OOB-write primitive on Maple Tree-backed kernels.

April 29, 2026 · 12 min · JM00NJ

Lying to the Kernel: FUSE Trust Boundary & Size Desync as a VFS Attack Surface — Part 1

An unprivileged FUSE daemon controls the semantic authority of an entire filesystem. By lying about i_size in vfs_getattr replies, it desynchronizes kernel allocation from kernel ingestion — turning finit_module(2), the firmware loader, and kexec_file_load(2) into kmalloc-4k slab overflow primitives.

April 29, 2026 · 11 min · JM00NJ