Day 3: Resolving CI/CD Deployment Issues & Analysing the Logic of the CVE-2026-34159 Bug File

Something new

Author: HungNguyen

# Infrastructure: Fixing CI/CD Pipeline

To maintain transparency and provide public proof of work for my daily progress, I have moved this blog repo to a public state. However, this transition introduced several deployment bottlenecks, primarily regarding pnpm build-script permissions (ERR_PNPM_IGNORED_BUILDS) on GitHub Actions.

I have successfully resolved these infrastructure issues by:

  1. Refining Dependency Policies: Whitelisting the critical build dependencies (sharp, esbuild) in package.json.
  2. Synchronizing Security Signatures: Updating pnpm-lock.yaml with verified hashes to satisfy the CI security requirements.
  3. Streamlining Workflows: Decommissioning redundant deployment scripts to ensure a clean, “Green” build status on Vercel.
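As an added illustration (not this blog's own package.json), this is the shape the whitelist from step 1 takes, assuming pnpm 10, where dependency install scripts are skipped by default and raise ERR_PNPM_IGNORED_BUILDS unless allowed explicitly through the `pnpm.onlyBuiltDependencies` field; the package name and version ranges are placeholders:

```json
{
  "name": "placeholder-blog",
  "private": true,
  "dependencies": {
    "sharp": "^0.33.0"
  },
  "devDependencies": {
    "esbuild": "^0.24.0"
  },
  "pnpm": {
    "onlyBuiltDependencies": [
      "esbuild",
      "sharp"
    ]
  }
}
```

Keeping the list to the two packages that genuinely need native builds preserves the default block on every other dependency's install scripts, and running `pnpm install --frozen-lockfile` in the workflow makes CI fail loudly instead of silently regenerating the lockfile when the hashes from step 2 no longer match.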

# CVE-2026-34159

Building upon the root cause analysis from previous days, today’s research focused on understanding the vulnerability flow using Arbitrary Read/Write (ARW) primitives (a skill I learned today).

# Arbitrary Read/Write

I have successfully identified a mechanism to achieve ARW by crafting a malicious metadata packet. By supplying a carefully calculated address within the payload, I can force the server to manipulate specific memory regions or registers. In this lab, this skill is one of the gateways to full execution control.

# Logic Flaw Identification

The underlying bug resides in the packet validation logic. While the system implements multiple sanity checks to verify the integrity of the metadata, it suffers from a critical flaw: a missing size validation.

This oversight allows an unauthorized remote attacker to:

  1. Bypass established security boundaries.
  2. Trigger an out-of-bounds condition.
  3. Overwrite internal pointers to redirect control flow to an arbitrary register.

I will push a detailed blog post about this CVE in the future.