CVE-2025-47393: In Qualcomm-specified products, memory corruption occurs when the core driver accesses resources. 13th Jan 2026

Qualcomm – Official announcement: 1st Jan 2026

Preface: The Qualcomm Snapdragon Ride platform is used to develop advanced driver assistance systems (ADAS) and autonomous driving (AD) for vehicles. It combines powerful hardware (SoCs containing AI, GPUs, and vision engines) and software (SDKs, cloud tools) to support a wide range of functions from basic safety features to advanced autonomous driving. It allows for the integration of digital cockpit, ADAS, and AD functions on the same hardware and supports over-the-air (OTA) updates for continuous improvement.

Qualcomm SA9000P is a high-performance automotive-grade System-on-Chip (SoC) from Qualcomm’s Snapdragon Ride platform, part of a 5nm compute platform for advanced driver-assistance systems (ADAS) and autonomous driving. It is designed to compete with NVIDIA and Intel Mobileye and is often paired with the SA8540P, enabling powerful in-car computing for future connected and self-driving vehicles.

Background: In the context of Qualcomm’s software ecosystem and the Linux kernel, _count_phandle_with_args() is typically a low-level helper or a variant of the standard DeviceTree (DT) API used to determine the number of phandle entries in a specific property.

While the internal underscore-prefixed version (_count_phandle_with_args) is often used within kernel core code (like drivers/of/base.c), it is most commonly accessed by Qualcomm drivers via the public wrapper: of_count_phandle_with_args().

Therefore, developers are advised to use `of_count_phandle_with_args()` to verify array indices.

Usage in Qualcomm Drivers: Qualcomm’s MSM (Mobile Station Modem) kernel and downstream drivers use this to dynamically determine how many resources (like regulator handles or clock inputs) are defined for a hardware block before allocating memory for them.
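The count-then-validate discipline described above, as an added example that is not Qualcomm's or the kernel's code: a constructed phandle-with-args property is parsed as big-endian cells, the entry count is computed first, and a lookup refuses any index at or beyond that count. The node table, the property bytes and the function names are simplified assumptions (the real kernel helper also takes the cells property name).

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed node table: phandle -> number of argument cells the referenced
 * node expects (the role played by #clock-cells or #regulator-cells). */
struct node_desc { uint32_t phandle; int arg_cells; };
static const struct node_desc nodes[] = {
    { 0x10, 1 },   /* e.g. a clock controller with #clock-cells = <1> */
    { 0x20, 0 },   /* e.g. a regulator with no argument cells */
    { 0x30, 2 },   /* a node taking two argument cells */
};

static int cells_for_phandle(uint32_t ph) {
    for (size_t i = 0; i < sizeof nodes / sizeof nodes[0]; i++)
        if (nodes[i].phandle == ph) return nodes[i].arg_cells;
    return -1;     /* dangling phandle: the property is malformed */
}

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* Count the phandle entries in a property of `len` bytes, the way the text
 * says drivers should before sizing a resource table. Returns -1 if the
 * property is not whole cells, references an unknown node, or is truncated. */
int count_phandle_with_args(const uint8_t *prop, size_t len) {
    if (len % 4) return -1;
    size_t ncells = len / 4, pos = 0;
    int count = 0;
    while (pos < ncells) {
        int args = cells_for_phandle(be32(prop + pos * 4));
        if (args < 0) return -1;
        if (pos + 1 + (size_t)args > ncells) return -1;  /* entry runs off the end */
        pos += 1 + (size_t)args;
        count++;
    }
    return count;
}

/* Resolve entry `index` to its phandle and first argument cell. The index is
 * validated against the computed count, which is the CWE-129 check. */
int get_phandle_entry(const uint8_t *prop, size_t len, int index,
                      uint32_t *ph_out, uint32_t *arg0_out) {
    int count = count_phandle_with_args(prop, len);
    if (count < 0 || index < 0 || index >= count) return -1;
    size_t pos = 0;
    for (int i = 0; i < index; i++)             /* skip the earlier entries */
        pos += 1 + (size_t)cells_for_phandle(be32(prop + pos * 4));
    uint32_t ph = be32(prop + pos * 4);
    *ph_out = ph;
    *arg0_out = cells_for_phandle(ph) > 0 ? be32(prop + (pos + 1) * 4) : 0;
    return 0;
}

/* Constructed property encoding <&clk 5>, <&reg>, <&two 7 9>. */
const uint8_t sample_prop[] = {
    0, 0, 0, 0x10,  0, 0, 0, 5,
    0, 0, 0, 0x20,
    0, 0, 0, 0x30,  0, 0, 0, 7,  0, 0, 0, 9,
};
const size_t sample_prop_len = sizeof sample_prop;
```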

Vulnerability details:

CVE ID – CVE-2025-47393

Title – Improper Validation of Array Index in Automotive Linux OS

Description – Memory corruption when accessing resources in kernel driver.

Technology Area – Automotive Linux OS

Vulnerability Type – CWE-129 Improper Validation of Array Index

Official announcement: Please refer to the link for details –

https://docs.qualcomm.com/securitybulletin/january-2026-bulletin.html

CVE-2025-47345: About Qualcomm – Reusing a Nonce, Key Pair in Encryption in Automotive Platform (12th Jan 2026)

Officially published: 5th Jan 2026

Preface: When used in an automotive context, the Snapdragon 8 Gen 3 Mobile Platform—and its dedicated automotive counterparts—utilize a High-Level Operating System (HLOS).

While the “Mobile Platform” is a consumer-grade chip typically found in smartphones, some automakers have integrated it directly into vehicles. For purpose-built automotive solutions, Qualcomm offers the Snapdragon Cockpit Elite and Snapdragon Ride Elite, which share the same underlying architecture (Oryon CPU cores) as the mobile 8-series.

Background: The Snapdragon 8 Gen 3 Mobile Platform redefines mobile connectivity with advancements in speed, reliability, and future-proofing. At its core is the Snapdragon X75 5G Modem-RF System, which delivers high performance, including up to 10Gbps downlink and 3.5Gbps uplink speeds.

While the High-Level Operating System (HLOS) allocates a non-secure buffer to communicate with the Trusted Execution Environment (TEE), this buffer is only used for passing encrypted payloads, commands, or non-sensitive handshake parameters.

The Automotive smart cockpit is an advanced integrated digital environment that uses artificial intelligence, sensors and connectivity to unify the driver interface, infotainment and vehicle controls, transforming the cabin into a personalized interactive space for driving, entertainment and productivity.

HDCP is used in smart cockpits to protect high-resolution digital video and audio content transmitted across internal digital interfaces like HDMI, DisplayPort, and automotive-specific links such as APIX (Automotive Pixel Link) or GMSL (Gigabit Multimedia Serial Link).

HDCP in automotive platforms is a link protection protocol, and its security depends on proper key management and session handling inside the TEE.

  • The session keys are stored securely in TEE and referenced by session ID.
  • There’s no indication that the same nonce or key pair is reused across sessions or encryption operations.
  • The non-secure buffer is freed after the session ends, which is good practice.

Vulnerability details: Cryptographic issue may occur while encrypting license data. The potential vulnerability (CVE-2025-47345) in Qualcomm Snapdragon platforms arises from reusing a nonce or key pair during encryption, violating cryptographic best practices (CWE-323). This issue is not an application-level flaw but a platform design decision.

As a matter of fact, modern threat models consider:

  • TEE compromise or privilege escalation as realistic attack vectors.
  • Static cryptographic material as a critical weakness, enabling replay attacks, impersonation, or content decryption.
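An added example of the nonce-uniqueness check that CWE-323 calls for (not Qualcomm's code): a ledger refuses any (key, nonce) pair that has already been used, and a helper shows why it matters, since two ciphertexts produced under the same keystream XOR to the XOR of their plaintexts. The xorshift keystream is a toy stand-in for a real cipher, and the ledger, key values and sample bytes are constructed.

```c
#include <stdint.h>
#include <stddef.h>

/* Toy keystream (xorshift64*), a stand-in for a real stream cipher or AEAD.
 * It exists only to show the reuse property; it provides no secrecy. */
static uint64_t ks_state;
static void ks_seed(uint64_t key, uint64_t nonce) {
    ks_state = (key ^ (nonce * 0x9E3779B97F4A7C15ull)) | 1;   /* must be non-zero */
}
static uint8_t ks_next(void) {
    ks_state ^= ks_state >> 12; ks_state ^= ks_state << 25; ks_state ^= ks_state >> 27;
    return (uint8_t)((ks_state * 0x2545F4914F6CDD1Dull) >> 56);
}

/* Raw XOR encryption with no reuse check: the same (key, nonce) always yields
 * the same keystream, so it is also the decryption routine. */
void raw_encrypt(uint64_t key, uint64_t nonce, const uint8_t *in, uint8_t *out, size_t n) {
    ks_seed(key, nonce);
    for (size_t i = 0; i < n; i++) out[i] = in[i] ^ ks_next();
}

/* Ledger of (key id, nonce) pairs already consumed. On a real platform this
 * would live inside the TEE beside the session keys; here it is a fixed table. */
#define LEDGER_SIZE 64
struct nonce_ledger { uint64_t key_id[LEDGER_SIZE], nonce[LEDGER_SIZE]; size_t used; };

/* Returns 0 if the pair is fresh (and records it), -1 on reuse, -2 when full. */
int ledger_reserve(struct nonce_ledger *l, uint64_t key_id, uint64_t nonce) {
    for (size_t i = 0; i < l->used; i++)
        if (l->key_id[i] == key_id && l->nonce[i] == nonce) return -1;
    if (l->used == LEDGER_SIZE) return -2;   /* refuse rather than forget history */
    l->key_id[l->used] = key_id;
    l->nonce[l->used] = nonce;
    l->used++;
    return 0;
}

/* Encrypt only if this nonce has never been used under this key id. The key
 * doubles as its own id here; a session id would be used in practice. */
int guarded_encrypt(struct nonce_ledger *l, uint64_t key, uint64_t nonce,
                    const uint8_t *pt, uint8_t *ct, size_t n) {
    int rc = ledger_reserve(l, key, nonce);
    if (rc) return rc;
    raw_encrypt(key, nonce, pt, ct, n);
    return 0;
}

/* Why reuse is a weakness: under one keystream, ct1 ^ ct2 == pt1 ^ pt2, so the
 * keystream cancels and an observer learns the XOR of two plaintexts.
 * Returns 1 when the two ciphertexts exhibit that relation. */
int keystream_cancels(const uint8_t *pt1, const uint8_t *ct1,
                      const uint8_t *pt2, const uint8_t *ct2, size_t n) {
    for (size_t i = 0; i < n; i++)
        if ((ct1[i] ^ ct2[i]) != (pt1[i] ^ pt2[i])) return 0;
    return 1;
}
```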

Official announcement: Please refer to the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2025-47345

Maven orbiter, where are you? (10th Jan, 2026)

Preface: As of January 10, 2026, NASA has lost contact with the MAVEN spacecraft, and recovery efforts are currently paused due to an astronomical phenomenon known as solar conjunction.

Background: NASA’s MAVEN orbiter uses an Electra UHF transceiver to act as a crucial “bent pipe” communication relay, receiving data from rovers and landers on Mars (like Perseverance and Curiosity) and forwarding it to Earth, significantly boosting data return rates through its specialized radio system. This UHF (Ultra-High Frequency) link is ideal for short-range rover-to-orbiter communication, overcoming limitations of direct surface-to-Earth links by using MAVEN’s higher orbit and adaptive data rates.

NASA’s MAVEN spacecraft uses shielding, particularly Multi-Layer Insulation (MLI), to protect its sensitive instruments and electronics from the harsh space environment, including energetic particles from solar events like Coronal Mass Ejections (CMEs) and solar wind.

Recent Hubble Space Telescope images of comet 3I/ATLAS in late 2025 revealed an “intriguing configuration” featuring a prominent sunward anti-tail and two additional, smaller jets, creating a structure of three evolving jets or anti-tails. Do these tail-like structures produce radio-frequency (RF) emissions?

Yes, the MeerKAT radio telescope successfully detected hydroxyl (OH) absorption lines at 1665 MHz and 1667 MHz from the interstellar object 3I/ATLAS in late 2025. These lines are characteristic of hydroxyl radicals (OH molecules), which are fragments of water molecules broken apart by solar radiation. This detection confirms the presence of these natural molecules in the comet’s atmosphere/tail.

In astrophysics, these specific frequencies are well known as the characteristic spectral lines (emissions) of the hydroxyl (OH) radical molecule. Astronomers observe these natural radio emissions from comets, nebulae, and other interstellar sources to study cosmic chemistry and dynamics. In this natural phenomenon, the emissions themselves act as the “signal” scientists detect, rather than a man-made carrier wave.

When solar wind coronal mass ejections mix with hydroxyl (OH) absorption lines, will any special effects occur?

When a coronal mass ejection (CME) or intense solar wind mixes with hydroxyl (OH) in an environment with little to no atmosphere (like the Moon or asteroids), it can lead to the formation of actual Hydroxyl groups (and potentially water) within the surface material. This process creates or enhances specific light absorption bands near 3 micrometers (µm) in the object’s reflectance spectrum, which can be observed remotely.

If the above details do not affect orbital flight operations, can we say that the Maven probe will appear soon?

NASA announcement: Please refer to the link for details – https://science.nasa.gov/blogs/maven/2025/12/23/nasa-works-maven-spacecraft-issue-ahead-of-solar-conjunction/

Additional: http://www.antihackingonline.com/science/upcoming-mars-solar-conjunction-around-late-december-2025-early-january-2026-will-further-delay-recovery-of-maven-efforts-26-12-2025/

CVE-2025-47339 – Memory corruption while deinitializing a HDCP session – Use After Free in HLOS (9th Jan 2026)

Official Published: 01/05/2026

Preface: In Qualcomm devices, the Host Operating System (HLOS), often Android/Linux, manages HDCP (High-bandwidth Digital Content Protection) sessions by interacting with dedicated hardware/firmware (DCP/ MediaLink/TrustZone) for key exchange and encryption, ensuring protected content (DRM) is output securely over HDMI/DisplayPort, with the HLOS kernel handling driver calls and security enforcement to prevent playback of protected media on non-compliant displays.

Background: For the HLOS (Normal World) to communicate with the Secure World, a small “shared memory” buffer must be initialized:

• Communication Buffers: The HLOS allocates non-secure memory to pass non-sensitive commands and status updates (e.g., “start session,” “query status”) to the TEE.

• Buffer Alignment: Systems often require specific alignment (typically 4KB page alignment) for these shared buffers to ensure they can be mapped into the TEE’s address space for processing.

When the app calls mediaDrm.closeSession(sessionId) – refer to the attached diagram – the Widevine DRM stack signals the TEE (TrustZone) to terminate the secure session.

The non-secure buffer allocated by HLOS for communication with the TEE is freed once the session ends. Alignment requirements (e.g., 4KB) are relevant only during active mapping; after deinitialization, the memory is returned to the normal pool.

Related details:

  • The HDCP link is not persistent beyond the DRM session. Once the session is closed, the secure channel is dismantled.
  • If another app or playback starts later, the entire handshake process (including HDCP negotiation) will run again.

Vulnerability details: CVE-2025-47339 – Memory corruption while deinitializing a HDCP session – Use After Free in HLOS.

One of the possibilities – When the HLOS frees the non-secure buffer after session closure, any lingering references (e.g., in the TEE driver or asynchronous callbacks) can still access that memory. If the cleanup sequence doesn’t enforce strict ordering—such as ensuring all secure-world operations have completed before freeing the buffer—the freed memory could be reused by another process, leading to corruption.
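One way to enforce the ordering described above, as an added example that is not Qualcomm's code: the shared buffer is freed only when the last holder (the open session or an in-flight TEE operation) drops its reference, so a late completion callback never touches freed memory. The structure, function names and the 0xA5 payload are assumptions, and malloc stands in for a page-aligned mapping.

```c
#include <stdlib.h>
#include <string.h>

struct hdcp_session {
    unsigned char *shm;   /* non-secure buffer shared with the TEE (malloc stands in for a 4 KiB-aligned mapping) */
    size_t shm_len;
    int refs;             /* holders: the open session plus every in-flight TEE operation */
    int closed;
};

static int live_buffers;  /* instrumentation: shared buffers not yet returned to the pool */
int live_shared_buffers(void) { return live_buffers; }

struct hdcp_session *hdcp_session_open(size_t len) {
    struct hdcp_session *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->shm = malloc(len);
    if (!s->shm) { free(s); return NULL; }
    memset(s->shm, 0xA5, len);      /* constructed handshake payload */
    s->shm_len = len;
    s->refs = 1;                    /* the session's own reference */
    live_buffers++;
    return s;
}

/* Drop one reference; the buffer is freed only when nobody can reach it. */
static void session_put(struct hdcp_session *s) {
    if (--s->refs > 0) return;
    free(s->shm);
    live_buffers--;
    free(s);
}

/* An asynchronous TEE operation that still needs the shared buffer. */
struct tee_op { struct hdcp_session *s; };

struct tee_op *tee_submit(struct hdcp_session *s) {
    if (s->closed) return NULL;     /* no new work on a session being torn down */
    struct tee_op *op = malloc(sizeof *op);
    if (!op) return NULL;
    op->s = s;
    s->refs++;                      /* the in-flight operation owns a reference */
    return op;
}

/* Completion callback: reads the buffer, then releases its reference. In the
 * ordering the text warns about, close() would already have freed s->shm. */
int tee_complete(struct tee_op *op) {
    int status = op->s->shm[0];     /* safe: this op still holds a reference */
    session_put(op->s);
    free(op);
    return status;
}

/* closeSession(): mark closed and drop the session's reference. While a TEE
 * operation is pending, the buffer outlives the close until it completes. */
int hdcp_session_close(struct hdcp_session *s) {
    if (s->closed) return -1;       /* double close is a caller bug */
    s->closed = 1;
    session_put(s);
    return 0;
}
```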

Official announcement: Please refer to the link for details –

https://docs.qualcomm.com/securitybulletin/january-2026-bulletin.html

CVE-2026-21675 Linux systems using the IccProfLib library are also affected by this vulnerability! (8 Jan 2026)

Published: 2026-01-05

Preface: Website hosting itself does not “provide” ICC profiles; instead, it stores the image files you upload, which may contain embedded ICC profiles. However, the key is how web browsers interpret them. Most standard browsers default to or prioritize the sRGB color space for displaying web page content, so explicit ICC profiles are usually unnecessary and can sometimes even negatively impact file size/performance. Therefore, ideally, you should set it to “RGB” format.

However, ICC profiles are crucial for accurate color reproduction in facial recognition systems, especially for ensuring consistency between capture (camera/scanner) and analysis (software/display), because they provide the necessary color translation for accurate skin tone mapping, feature differentiation (like subtle shadows and highlights), and reliable matching, preventing errors caused by device-specific color variations that could affect algorithm performance.

Background: IccProfLib is an open-source, cross-platform C++ library from the SampleICC project that allows developers to read, write, manipulate, and apply ICC (International Color Consortium) profiles, which define device-specific color characteristics for consistent color management in graphics. The ICC profile must always be saved with your photos for the same reason. Without it, the device reproducing your photos (printer, computer screen, phone screen, etc) doesn’t have the exact instructions for how the colours should look.

In 2026, ICC (International Color Consortium) profiles are essential for maintaining color accuracy across devices on Windows. The IccProfLib C++ library is designed for cross-platform compatibility, so it can be used on Linux.

A Hint Manager, often part of a Color Management System (CMS), uses these profiles to adjust color data, interpreting the profile’s instructions to render colors accurately.

Remark: ICC profiles can be for greyscale, extended-gamut 7-colour and other colour combinations, as well as the more common RGB and CMYK profiles.

Vulnerability details: iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below contain a Use After Free vulnerability in the CIccXform::Create() function, where it deletes the hint. This issue is fixed in version 2.3.1.1.

Official announcement: Please refer to the link for details

https://www.tenable.com/cve/CVE-2026-21675

CVE-2026-21452: About MessagePack for Java (7th Jan 2026)

Preface: Aerospike is a specific, high-performance NoSQL database, and benchmarks generally show it to be significantly faster than many other clustered NoSQL solutions like Cassandra and MongoDB.

The term “NoSQL” refers to a broad category of databases with varying performance characteristics, so a direct comparison is more nuanced than a simple yes/no answer.

Aerospike uses MessagePack as its default, internal serialization format for Lists and Maps (Collection Data Types or CDTs); it is not an optional configuration you need to enable in the core database itself.

Background: MessagePack is a compact binary serialization format designed to be more memory-efficient than text-based formats like JSON. For the Java implementation, its memory requirements depend on whether you are using the standard heap-based process or advanced off-heap optimizations.

The MessagePack serialization process primarily utilizes JVM virtual memory, which encompasses several different pools: JVM heap memory, off-heap/native memory and the OS page cache.

About EXT32?

  • In binary serialization formats (like MessagePack), EXT32 is a type identifier (byte 0xDD) indicating a subsequent 32-bit binary block or extension.
  • It’s used for efficiency, compacting data better than text formats (JSON, XML) by representing data directly as bytes.

Serialized EXT32 objects can require more memory in the JVM heap, primarily due to how standard Java MessagePack libraries manage large payloads during deserialization. While the MessagePack format itself is compact, the serialization and deserialization process in Java introduces specific memory overheads for the EXT32 type:

Large payload buffering (heap exhaustion): EXT32 is designed for large extension data, supporting payloads up to 4 GiB in size.

Vulnerability details: A known issue in msgpack-java (prior to v0.9.11) was that the library would trust the declared length in the EXT32 header and immediately attempt to allocate a matching byte array on the JVM heap.

Impact: If an EXT32 object declares a massive size, it can trigger rapid heap exhaustion or an OutOfMemoryError before the data is even fully read.
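A bounded ext 32 reader, as an added example that is not msgpack-java's code: it reads the header and checks the declared length against a deployment cap and against the bytes actually received before allocating anything, instead of trusting the header as the unpatched library did. The marker byte is 0xC9 for ext 32 in the MessagePack specification (0xDD is the array 32 marker); the 16 MiB cap, the status enum and the sample bytes are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define MP_EXT32 0xC9u                          /* ext 32 marker in the MessagePack spec */
#define MAX_EXT_PAYLOAD (16u * 1024u * 1024u)   /* assumed deployment cap: 16 MiB */

enum ext_status {
    EXT_OK = 0,
    EXT_NOT_EXT32,            /* first byte is not the ext 32 marker */
    EXT_TRUNCATED_HEADER,     /* fewer than 6 header bytes available */
    EXT_DECLARED_TOO_LARGE,   /* header claims more than the cap allows */
    EXT_BODY_SHORT,           /* header claims more bytes than were received */
    EXT_OOM
};

struct ext_object { int8_t ext_type; uint32_t len; uint8_t *data; };

/* Read one ext 32 object from buf[0..avail). The wire layout is
 *   0xC9 | 4-byte big-endian length | 1-byte type | payload.
 * The declared length is checked against the cap and against the bytes
 * actually present before any allocation, so a hostile header cannot drive
 * a near-4 GiB allocation the way the trusting reader described above would. */
enum ext_status read_ext32(const uint8_t *buf, size_t avail, struct ext_object *out) {
    if (avail < 1 || buf[0] != MP_EXT32) return EXT_NOT_EXT32;
    if (avail < 6) return EXT_TRUNCATED_HEADER;
    uint32_t len = ((uint32_t)buf[1] << 24) | ((uint32_t)buf[2] << 16) |
                   ((uint32_t)buf[3] << 8) | buf[4];
    if (len > MAX_EXT_PAYLOAD) return EXT_DECLARED_TOO_LARGE;
    if (avail - 6 < len) return EXT_BODY_SHORT;   /* for a stream: read in bounded chunks instead */
    uint8_t *data = malloc(len ? len : 1);
    if (!data) return EXT_OOM;
    memcpy(data, buf + 6, len);
    out->ext_type = (int8_t)buf[5];
    out->len = len;
    out->data = data;
    return EXT_OK;
}

void ext_object_free(struct ext_object *o) { free(o->data); o->data = NULL; o->len = 0; }

/* Constructed input: ext 32, length 4, type 7, payload "abcd". */
const uint8_t good_ext[] = { 0xC9, 0, 0, 0, 4, 7, 'a', 'b', 'c', 'd' };
const size_t good_ext_len = sizeof good_ext;
/* Constructed input: header declares 0xFFFFFFFF bytes but only two follow. */
const uint8_t huge_ext[] = { 0xC9, 0xFF, 0xFF, 0xFF, 0xFF, 7, 'x', 'y' };
const size_t huge_ext_len = sizeof huge_ext;
```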

Official announcement: Please refer to the link for details.

https://www.tenable.com/cve/CVE-2026-21452

CVE-2026-21440: Regarding the AdonisJS vulnerability, companies are advised to be vigilant! (January 6, 2026)

Preface: Multiple fashion brands experienced significant cyber attacks and data breaches in 2025, with many incidents linked to third-party vendor vulnerabilities and attributed to hacking groups.

Louis Vuitton (LVMH Group): Confirmed a global cyber attack in July 2025 that compromised customer data in the UK, South Korea, Turkey, Italy, and Sweden. The data exposed included names, contact information, and purchase history, but no payment details.

Dior (LVMH Group): Disclosed a data breach in May 2025, which actually occurred in January, primarily affecting customers in Asia (South Korea and China). Compromised information included names, contact details, and shopping preferences.

Background: AdonisJS is a TypeScript-first web framework for building web apps and API servers. It comes with support for testing, modern tooling, an ecosystem of official packages, and a comprehensive documentation site. You can find the source code, guides, and community resources on the official AdonisJS website.

Node.js developers have varied opinions on AdonisJS, but many who prefer a structured, “batteries-included” framework are very fond of it. The framework provides a cohesive, full-stack development experience, which is a significant draw for certain types of developers.

AdonisJS provides a full suite of integrated features right out of the box, including an ORM (Lucid), authentication, validation, routing, and a CLI tool called “Ace”. This eliminates the “decision fatigue” of choosing and integrating numerous third-party packages.

Vulnerability details: AdonisJS is a TypeScript-first web framework. A Path Traversal vulnerability in AdonisJS multipart file handling may allow a remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This impacts @adonisjs/bodyparser through version 10.1.1 and 11.x prerelease versions prior to 11.0.0-next.6. This issue has been patched in @adonisjs/bodyparser versions 10.1.2 and 11.0.0-next.6.

Official announcement: Please refer to the link for details – https://www.tenable.com/cve/CVE-2026-21440

CVE-2025-68620: Signal K Server, no authentication is required, and authentication can be completely bypassed. (5th Jan 2026)

NVD Published Date: 01/01/2026

Preface: Signal K’s popularity in the IoT space, especially in marine tech, is growing due to its open-source nature, enabling advanced, connected, and personalized vessel data systems, integrating with trends like AI, edge computing (via Meshtastic), and edge devices for remote monitoring and control, mirroring the broader IoT boom expected to hit 70+ billion devices by 2025.

GPS tells a ship where it is using satellites (passive location), while AIS (Automatic Identification System) is a communication system that broadcasts and receives data like who it is, where it’s going, and its position to other vessels using VHF radio (active sharing), often using GPS data as its source for location.

Background: When a client connects to a server’s event stream endpoint using a WebSocket or an HTTP request with a specific query parameter (e.g., serverevents=all), the server is designed to send all cached server events, including ACCESS_REQUEST events.

This mechanism typically operates as follows:

Connection and Parameter Usage

  • WebSocket: A client establishes a WebSocket connection using a URL that includes the desired query parameter, such as wss://server-address/stream?serverevents=all.
  • HTTP (Server-Sent Events): The client makes a long-lived HTTP GET request (using the EventSource API in a browser) to a similar URL, like https://server-address/stream?serverevents=all.
  • Server Logic: The server’s event handling function iterates over its internal cache of past events and writes each one to the newly connected client as part of the initial data synchronization.

Ref: The original NMEA 2000 and automotive CAN bus protocols do not have built-in authentication or encryption requirements. The design of these standards focused on reliable data exchange and real-time performance, not cybersecurity.

Vulnerability details: When a client connects to a server event stream endpoint using a WebSocket or an HTTP request, the connection is accepted without authentication. In essence, if an anonymous client sends an HTTP request with a specific query parameter (e.g., serverevents=all), the signalK-server will send all cached server events, including ACCESS_REQUEST events.

If an anonymous client receives these events, it can poll the request IDs by trial and error. Through this, it has a chance to steal the JWT tokens issued for requests that administrators have approved.

Ref: Cached ACCESS_REQUEST Events – Among these cached events are ACCESS_REQUEST objects. These contain sensitive details about pending security access requests, including:

  • Request IDs
  • Client identifiers and descriptions
  • Requested permission levels (e.g., admin, read-only)
  • Client IP addresses

Remedy: SignalK-server version 2.19.0 fixes the underlying issues.

Official announcement: Please refer to the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2025-68620

The Linux kernel CVE-2023-54324 was released on December 30, 2025. Do you think it is valuable to know? (2nd Jan 2026)

Preface: Essentially, when security experts read vulnerability lists, the priority is time-dependent. For example, if you read a CVE reference document on January 2, 2025, but the document’s starting date is 2023, there’s a 99% chance you’ll ignore it. This makes sense; after all, it was two years ago. According to vendor practice, when patches are released, they prioritize notifying customers. The timing of public releases depends on the vendor’s policy. But what made me interested in this CVE and want to delve deeper? In fact, when you investigate further, you discover more information than expected.

You’re welcome to continue exploring.

Background: Instead of the md driver’s classic RAID, Android utilizes the Device Mapper (DM) framework—specifically the same dm-ioctl.c interface you noted earlier—to implement modern, mobile-specific storage features.

The Device Mapper framework operates within standard kernel memory space and uses the general-purpose Linux memory allocators (kmalloc, the buddy allocator, or potentially the Contiguous Memory Allocator (CMA) for large buffers).

However, it seems the main remedy is to introduce a lock (the rw_semaphore devices_lock). When the Device Mapper drivers (dm-ioctl.c, dm-core.h, and dm-table.c) are used on an Android smartphone with a Qualcomm processor, the memory used by the storage drivers (drivers/md/) and the memory managed by the graphics drivers (Qualcomm’s KGSL) are distinct and reserved for different purposes:

Storage (Device Mapper) Memory

  • When the storage drivers perform tasks like encryption (dm-crypt) or integrity checks (dm-verity), they are processing data from the main system RAM or directly from the physical storage chip using Direct Memory Access (DMA).
  • The system uses memory pools like ION or ashmem to manage shared buffers between the kernel and user-space applications for storage tasks. These are separate from GPU pools.

Vulnerability details: In the Linux kernel, the following vulnerability has been resolved.

dm: fix a race condition in retrieve_deps

There’s a race condition in the multipath target when retrieve_deps races with multipath_message calling dm_get_device and dm_put_device. retrieve_deps walks the list of open devices without holding any lock but multipath may add or remove devices to the list while it is running. The end result may be memory corruption or use-after-free memory access.

See this description of a UAF with multipath_message(): https://listman.redhat.com/archives/dm-devel/2022-October/052373.html

Fix this bug by introducing a new rw semaphore “devices_lock”. We grab devices_lock for read in retrieve_deps and we grab it for write in dm_get_device and dm_put_device.
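The locking discipline the commit describes, as an added user-space example that is not the kernel's dm code: list mutation takes the lock for write, the walk takes it for read, and a stress run churns devices on two threads while a third walks the list. The function names mirror the kernel's but the list, the worker threads and the round counts are constructed, and a pthread rwlock stands in for the rw_semaphore.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdlib.h>

struct dm_dev { int id; struct dm_dev *next; };

/* The list of open devices and the lock guarding it, modelled on the
 * devices_lock fix described in the commit (a pthread rwlock here). */
static struct dm_dev *devices;
static pthread_rwlock_t devices_lock = PTHREAD_RWLOCK_INITIALIZER;

/* Open a device: link it in under the write lock (like dm_get_device). */
void dm_get_device(int id) {
    struct dm_dev *d = malloc(sizeof *d);
    if (!d) abort();
    d->id = id;
    pthread_rwlock_wrlock(&devices_lock);
    d->next = devices;
    devices = d;
    pthread_rwlock_unlock(&devices_lock);
}

/* Close a device: unlink under the write lock, free once unreachable
 * (like dm_put_device). Returns -1 if no such device is open. */
int dm_put_device(int id) {
    pthread_rwlock_wrlock(&devices_lock);
    struct dm_dev **pp = &devices;
    while (*pp && (*pp)->id != id) pp = &(*pp)->next;
    struct dm_dev *victim = *pp;
    if (victim) *pp = victim->next;
    pthread_rwlock_unlock(&devices_lock);
    free(victim);   /* no walker can still hold a pointer to it */
    return victim ? 0 : -1;
}

/* Walk the list and count open devices (like retrieve_deps). Before the fix
 * this walked with no lock, so a concurrent put could free the node being
 * read; with the read lock, writers wait until the walk finishes. */
int retrieve_deps(void) {
    int n = 0;
    pthread_rwlock_rdlock(&devices_lock);
    for (struct dm_dev *d = devices; d; d = d->next) n++;
    pthread_rwlock_unlock(&devices_lock);
    return n;
}

struct worker_arg { int base; int rounds; };

static void *churn(void *p) {   /* stands in for multipath_message adding and removing paths */
    struct worker_arg *a = p;
    for (int i = 0; i < a->rounds; i++) { dm_get_device(a->base + i); dm_put_device(a->base + i); }
    return NULL;
}
static void *walk(void *p) {    /* stands in for the ioctl path that calls retrieve_deps */
    int rounds = *(int *)p;
    for (int i = 0; i < rounds; i++) retrieve_deps();
    return NULL;
}

/* Run the churn/walk race for `rounds` iterations and return the final device
 * count, which must be 0 because every get is matched by a put. */
int run_race(int rounds) {
    pthread_t t[3];
    struct worker_arg a0 = { 0, rounds }, a1 = { 1 << 20, rounds };
    pthread_create(&t[0], NULL, churn, &a0);
    pthread_create(&t[1], NULL, churn, &a1);
    pthread_create(&t[2], NULL, walk, &rounds);
    for (int i = 0; i < 3; i++) pthread_join(t[i], NULL);
    return retrieve_deps();
}
```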

Official announcement: Please refer to the link for details. https://www.tenable.com/cve/CVE-2023-54324

Extraterrestrial life comes from an unknown universe. Interstellar objects also originate from the unknown universe. From a scientific perspective, there is some kind of connection between them. (31st Dec 2025)

Preface: On December 31, 2025, interstellar comet 3I/ATLAS is well past its closest approach to Earth (December 19, 2025) and is already heading back out of the solar system on a hyperbolic trajectory, still visible with telescopes in the Northern Hemisphere as it moves through the constellation Leo, offering a unique opportunity for astronomers to study this visitor from another star system before it disappears forever!

Background: An interstellar object discovered in July that is travelling at high speed and unlike anything seen before touches on a fascinating area of modern astronomy, particularly the relatively new field of identifying celestial visitors from beyond our solar system. 3I/ATLAS carries chemical clues that suggest its parent system was rich in carbon dioxide and possibly very old, originating from the Milky Way’s thick disk. While some of its anomalies sparked speculative discussions, the scientific consensus firmly identifies it as a fascinating, albeit unusual, natural comet. Its study is a goldmine for understanding the vast diversity of planetary formation processes across the galaxy. Harvard astrophysicist Avi Loeb has kept the interstellar object 3I/ATLAS at a Rank 4 on his Classification Scale (0-10, 10 being alien tech) because, despite numerous anomalies like an unusual anti-tail and unexplained mass loss, the data isn’t conclusive enough for a higher rating, though he believes its features suggest potential technological origin, keeping it significantly above natural comets like ‘Oumuamua, while awaiting more data from upcoming observations.

Mainstream perspective: The scientific definition based on causality is the cornerstone of scientific inquiry and the foundation of human understanding of the world. However, causality in science is not a simple definition. We may know that the 3I/ATLAS interstellar object does not have conclusive evidence that it is an extraterrestrial visitor. However, extraterrestrial life originates from an unknown universe. Interstellar objects also originate from this unknown universe. From a scientific perspective, there is some kind of connection between them.

Today is the last day of 2025. Perhaps it’s time to say goodbye to 2025.

Andrea Bocelli, Sarah Brightman – Time To Say Goodbye –

antihackingonline.com