Monthly Archives: August 2025

AI and ML, Potential Risk of CVE

CVE-2025-23305 and CVE-2025-23306: About NVIDIA Megatron-LM (18-08-2025)

Leave a comment

Official Updated 08/11/2025 06:16 AM

Preface: GPT-4 offers several key benefits, including improved accuracy, longer context handling, and the ability to process both text and image inputs. It also exhibits stronger guardrails, leading to more reliable and ethical outputs. Additionally, GPT-4 excels in various tasks like professional and academic benchmarks, creative writing, and adapting to user needs.

Background: The Megatron-LM codebase is a framework for training large, powerful transformer language models at scale, developed by NVIDIA. It focuses on efficient, model-parallel (tensor and pipeline) and multi-node pre-training of transformer-based models like GPT, BERT, and T5 using mixed precision

Megatron-LM codebase efficiently trains models from 2B to 462B parameters across thousands of GPUs, achieving up to 47% Model FLOP Utilization (MFU) on H100 clusters.

GPT-4, the latest iteration in OpenAI’s Generative Pre-trained Transformer series, significantly scales up the parameter count compared to its predecessors. While GPT-2 had 1.5 billion parameters and GPT-3 boasted 175 billion, GPT-4 is estimated to have a staggering 1.76 trillion parameters.

The Megatron-LM codebase has successfully benchmarked the training of a 462B parameter model using 6144 H100 GPUs, achieving up to 47% Model FLOP Utilization (MFU).

While this demonstrates the capability of the Megatron-LM framework to train very large models on H100 clusters, the exact number of H100 GPUs used to train GPT-4 is not publicly disclosed. GPT-4 was developed by OpenAI, and they have not released the specific hardware configurations used for its training.

Vulnerability details:

CVE-2025-23305       NVIDIA Megatron-LM for all platforms contains a vulnerability in the tools component, where an attacker may exploit a code injection issue. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering.

CVE-2025-23306       NVIDIA Megatron-LM for all platforms contains a vulnerability in the megatron/training/

arguments.py component where an attacker could cause a code injection issue by providing a malicious input. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering.

Official announcement: For more information, please refer to the link

https://nvidia.custhelp.com/app/answers/detail/a_id/5685

AI and ML, Potential Risk of CVE

CVE-2025-23298: About NVIDIA Merlin Transformers4Rec (15th Aug 2025)

Leave a comment

Official Updated 08/11/2025 06:15 AM

Preface: While the Bible doesn’t specifically mention artificial intelligence, it reminds us that human knowledge and capabilities will increase dramatically in the last days (Daniel 12:4). Building and training neural networks is a cornerstone of modern artificial intelligence, enabling breakthroughs in fields such as computer vision, natural language processing, and robotics.

Background: NVIDIA Merlin Transformers4Rec is a Python library designed for building sequential and session-based recommender systems, leveraging the power of Transformer architectures, particularly for use with PyTorch. It is part of the broader NVIDIA Merlin ecosystem, which provides end-to-end GPU-accelerated solutions for recommender systems.

Transformers4Rec is pre-installed in the merlin-pytorch container that is available from the NVIDIA GPU Cloud (NGC) catalog.

NVIDIA Merlin PyTorch container, available on NVIDIA NGC (NVIDIA GPU Cloud), includes the necessary components for GPU acceleration, including the CUDA Toolkit.

The Merlin PyTorch container allows users to do preprocessing and feature engineering with NVTabular, and then train a deep-learning based recommender system model with PyTorch, and serve the trained model on Triton Inference Server.

Ref: NVTabular and RAPIDS (cuDF/cuML) for preprocessing and feature engineering.

Vulnerability details: NVIDIA Merlin Transformers4Rec for all platforms contains a vulnerability in a python dependency, where an attacker could cause a code injection issue. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering.

Official announcement: Please see the link for details

https://nvidia.custhelp.com/app/answers/detail/a_id/5683

AI and ML, Potential Risk of CVE

CVE-2025-23294: NVIDIA WebDataset for all platforms contains a vulnerability 14-08-2025

Leave a comment

Official Updated 08/11/2025 06:15 AM

Preface: WebDataset is a PyTorch IterableDataset implementation designed for efficient access to large datasets stored in POSIX tar archives. It focuses on sequential/streaming data access, which offers substantial performance advantages in environments where local storage is limited or I/O bottlenecks are a concern. WebDataset is particularly well-suited for very large-scale training, as it minimizes the need for local storage and allows for efficient data loading from various sources, including cloud storage.

Background: NVIDIA WebDataset refers to the integration of WebDataset with NVIDIA technologies like DALI or NeMo, rather than a separate NVIDIA-specific installation. Installing WebDataset itself is straightforward, as it is a Python library.

  • DALI is a portable, open-source software library for decoding and augmenting images, videos, and speech to accelerate deep learning applications.

DALI itself doesn’t extract .tar files directly — instead, it processes data streamed from tarballs via WebDataset or other loaders.

  • NVIDIA NeMo is a framework for building and deploying generative AI models, particularly those used in conversational AI like speech recognition and natural language processing.

It may extract or stream data depending on the configuration, but tarball handling is abstracted behind the data pipeline.

Vulnerability details: CVE-2025-23294 – NVIDIA WebDataset for all platforms contains a vulnerability where an attacker could execute arbitrary code with elevated permissions. A successful exploit of this vulnerability might lead to escalation of privileges, data tampering, information disclosure, and denial of service.

Official announcement: Please see the link for details

https://nvidia.custhelp.com/app/answers/detail/a_id/5658

AI and ML, Potential Risk of CVE

A safe mode bypass vulnerability in Keras versions 3.0.0 through 3.10.0 (13th Aug 2025)

Leave a comment

Preface: Deep learning in AI generally learns much faster than humans in specific, narrow tasks, especially those involving large datasets and complex computations. However, humans still excel at general intelligence, creative problem-solving, and learning with limited data.

Perhaps, AI does not have this advantage yet!

Background: Keras 3.0 is a major rewrite of the Keras deep learning API, designed to provide a unified and flexible platform for building and deploying deep learning models. Its most significant feature is its multi-backend architecture, allowing users to run Keras workflows on top of various popular deep learning frameworks.

TensorFlow is a comprehensive, low-level machine learning framework capable of building and training models directly. However, Keras plays a crucial role as its official high-level API, providing several benefits that make deep learning development significantly easier and more efficient within the TensorFlow ecosystem.

Keras 3.0 does it work in lambda layer? Yes, the Lambda layer continues to be available and functional in Keras 3.0. In machine learning, specifically within the context of deep learning frameworks like Keras or TensorFlow, a Lambda layer is a type of layer that allows you to wrap arbitrary expressions or functions as a layer in your neural network model.

Vulnerability details: A safe mode bypass vulnerability in the `Model.load_model` method in Keras versions 3.0.0 through 3.10.0 allows an attacker to achieve arbitrary code execution by convincing a user to load a specially crafted `.keras` model archive.

Official announcement: Please see the link for details

https://www.tenable.com/cve/CVE-2025-8747

Cell Phone (iPhone, Android, windows mobile), Potential Risk of CVE

CVE-2025-6573: About Imagination’s PowerVR DDK (12th AUG 2025)

Leave a comment

Preface: PowerVR is a brand of graphics processing unit (GPU) IP ( intellectual property) developed by Imagination Technologies. In the context of Android, PowerVR GPUs are integrated into mobile System-on-Chips (SoCs) by various manufacturers, providing the graphics processing capabilities for Android devices. It’s a key competitor to Adreno (Qualcomm) and Mali (Arm) GPUs in the Android market.

Background: The Android SDK and Imagination’s PowerVR DDK are both software development kits, but they serve different purposes. The Android SDK is a comprehensive set of tools for developing Android applications, while the PowerVR DDK is a specialized kit for optimizing and integrating graphics rendering with Imagination Technologies’ PowerVR GPUs.

A DDK is a set of tools and libraries provided by an operating system vendor to facilitate the development of device drivers and kernel modules. Kernel modules are pieces of code that can be loaded into the operating system kernel at runtime, extending its functionality without requiring a full system reboot. This is common in Linux and Android kernel development.

The PowerVR DDK (Driver Development Kit) Native Lib C Framework refers to the foundational libraries and tools provided by Imagination Technologies to facilitate the development of graphics applications and drivers for systems utilizing PowerVR GPUs.

Vulnerability details: Kernel software installed and running inside an untrusted/rich execution environment (REE) could leak information from the trusted execution environment (TEE).

  • The scratch buffer (pui8FWScratchBuf) is used by the GPU firmware for temporary data.
  • If this buffer is mapped or accessible from REE, malicious or compromised kernel software could read or overwrite data that should be protected within the TEE.

Official announcement: Please refer to the link for details

https://nvd.nist.gov/vuln/detail/CVE-2025-6573

Potential Risk of CVE

AMD responds to ETH Zurich researchers’ technical findings (11th Aug 2025)

Leave a comment

Preface: AMD K10 architecture, first launched in 2007, is not considered valid for modern computing needs. While it was a significant step in AMD’s processor development, it has been superseded by newer architectures like Zen, which offer significant performance and efficiency improvements.

Background: The “AMD Zen stack engine” generally refers to the AMD Zen microarchitecture and its various generations used in AMD processors. Zen utilizes a modular structure, with the basic building block being the CPU Complex (CCX). Each CCX contains multiple cores (e.g., four cores in early Zen generations) that share a large L3 cache.

Technical details: The stack engine is a feature that has a speculative stack address delta register in the front-end that is updated directly with push/pop instructions, and that delta is dispatched with the stack memory uop to be added to the original stack address register when doing address generation in the load/store units.

The stack engine is not predictive in nature and as such does not open up new transient execution windows. However, it might still leak information under speculation. The following two main scenarios were analyzed:

First, Researchers from ETH Zurich checked whether the stack engine offset is reset when the CPU corrects a branch misprediction. We find that the offset is reset to zero on Zen 3-4 while Zen 5 appears to retain an offset. We were not able to conclusively determine the effect on the other architectures due to excessive noise introduced by the misspeculation.

Second, Reseachers from ETH Zurich aimed to detect stack engine sync operations that occur only on the speculative path that are latersquashed. Using performance monitor counters (PMCs), we confirm that sync operations are indeed also observable under transient execution on Zen 3-5. An attacker might theoretically combine this behavior with a classical indirect branch target injection to build a call-depth disclosure gadget in a cross-thread attack. However, we note that such an attack would only slightly expand the capabilities of a cross-thread attacker.

Workaround: AMD continues to recommend software developers employ existing best practices including constant time algorithm and avoid secret-dependent data access or control flows to help mitigate the potential vulnerability.

Official announcement: Please refer to the link for detailshttps://www.amd.com/en/resources/product-security/bulletin/amd-sb-7045.html

Cell Phone (iPhone, Android, windows mobile), Potential Risk of CVE

CVE-2025-0932: Arm fixes userspace vulnerability in Mali GPU driver (8th Aug 2025)

Leave a comment

Preface: The Valhall family of Mali GPUs uses the same top-level architecture as the previous generation Bifrost GPUs. The Valhall family uses a unified shader core architecture.

The Arm 5th generation GPU architecture, including the Immortalis and Mali GPUs, represents a modern design for mobile and other client devices.

Background: ioctl (Input/Output Control) is the primary syscall used by userspace GPU drivers to communicate with the kernel-space driver. It allows sending custom commands and structured data to the driver.

Typical ioctl operations in Mali drivers include:

  • MALI_IOCTL_ALLOC_MEM: Allocate GPU-accessible memory
  • MALI_IOCTL_FREE_MEM: Free previously allocated memory
  • MALI_IOCTL_SUBMIT_JOB: Submit a GPU job (e.g., shader execution)
  • MALI_IOCTL_WAIT_JOB: Wait for job completion
  • MALI_IOCTL_MAP_MEM: Map memory to userspace

The path bifrost-drivers/driver/product/kernel/drivers/gpu/arm indicates that the code within this directory is part of the kernel-space drivers for Arm Mali Bifrost GPUs.

Vulnerability details: Use After Free vulnerability in Arm Ltd Bifrost GPU Userspace Driver, Arm Ltd Valhall GPU Userspace Driver, Arm Ltd Arm 5th Gen GPU Architecture Userspace Driver allows a non-privileged user process to perform valid GPU processing operations, including via WebGL or WebGPU, to gain access to already freed memory.

Scope of impact: This issue affects Bifrost GPU Userspace Driver: from r48p0 through r49p3, from r50p0 through r51p0; Valhall GPU Userspace Driver: from r48p0 through r49p3, from r50p0 through r54p0; Arm 5th Gen GPU Architecture Userspace Driver: from r48p0 through r49p3, from r50p0 through r54p0.

Official announcement: Please see the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2025-0932

https://developer.arm.com/documentation/110626/latest

Ref: Typo, attached code is free after use, is part of the remedy. The use after free not shown.

Potential Risk of CVE

AMD response to EDK2 SMM MCE Enablement Issue (7th Aug 2025)

Leave a comment

Preface: While it’s technically possible to update UEFI firmware from within a Linux user space environment, it’s not a common or recommended practice. Most UEFI updates are designed to be installed through specific utilities provided by the motherboard manufacturer, often requiring a bootable medium or a dedicated Windows application.

Background: EDK II, also known as EDK2, is an open-source firmware development environment for the Unified Extensible Firmware Interface (UEFI) and Platform Initialization (PI) specifications. It’s a modern, feature-rich, and cross-platform environment developed by the Tianocore project. Think of it as the official development environment for UEFI applications and a core component of many platforms’ firmware

TianoCore is an open-source community focused on developing and promoting the Unified Extensible Firmware Interface (UEFI). It provides a firmware development environment, primarily known as EDK II, which is used for building UEFI firmware, drivers, and applications. TianoCore is a reference implementation of UEFI and is widely adopted by the industry.

Technical details: A researcher reported a bug in the open source EDK2 system management interrupt (SMI) entry code when an MCE occurs near the start of the SMI handler.  An attacker who can inject a machine check exception (MCE) could cause execution to jump to an attacker-controlled interrupt handler, leading to arbitration code execution.

Ref: On AMD EPYC processors, the System Management Mode (SMM) functionality is indeed implemented within the System Management Unit (SMU), which is a distinct block of logic on the processor die.

The System Management Unit (SMU) contains a mailbox function to facilitate communication between the SMU and other system components, including the CPU and operating system. This mailbox acts as a communication channel for sending commands and data, and receiving responses, enabling the SMU to perform its tasks related to system management, power management, and hardware control.

Official announcement: Please refer to the following link for detailshttps://www.amd.com/en/resources/product-security/bulletin/amd-sb-7043.html

AI and ML, Potential Risk of CVE

2025-23318 and CVE-2025-23319: About NVIDIA Triton Inference Server (6th Aug 2025)

Leave a comment

Preface: Nvidia’s security advisories released on August 4, 2025 (e.g., CVE-2025-23318, CVE-2025-23319) are specifically related to the Python backend. The Triton backend for Python. The goal of Python backend is to let you serve models written in Python by Triton Inference Server without having to write any C++ code.

Background: NVIDIA Triton Inference Server is an open-source inference serving software that streamlines the deployment and execution of AI models from various deep learning and machine learning frameworks. It achieves this flexibility through a modular system of backends. 

Each backend within Triton is responsible for executing models from a specific framework. When an inference request arrives for a particular model, Triton automatically routes the request to the necessary backend for execution. 

Key backend frameworks supported by Triton include:

  • TensorRT: NVIDIA’s high-performance deep learning inference optimizer and runtime.
  • TensorFlow: A popular open-source machine learning framework.
  • PyTorch: Another widely used open-source machine learning library.
  • ONNX: An open standard for representing machine learning models.
  • OpenVINO: Intel’s toolkit for optimizing and deploying AI inference.
  • Python: A versatile backend that can execute models written directly in Python and also serves as a dependency for other backends.
  • RAPIDS FIL (Forest Inference Library): For efficient inference of tree models (e.g., XGBoost, LightGBM, Scikit-Learn).

This modular backend architecture allows Triton to provide a unified serving solution for a wide range of AI models, regardless of the framework they were trained in.

Vulnerability details:

CVE-2025-23318: NVIDIA Triton Inference Server for Windows and Linux contains a vulnerability in the Python backend, where an attacker could cause an out-of-bounds write. A successful exploit of this vulnerability might lead to code execution, denial of service, data tampering, and information disclosure.

CVE-2025-23319: NVIDIA Triton Inference Server for Windows and Linux contains a vulnerability in the Python backend, where an attacker could cause an out-of-bounds write by sending a request. A successful exploit of this vulnerability might lead to remote code execution, denial of service, data tampering, or information disclosure.

Official announcement: Please see the link for details –

https://nvidia.custhelp.com/app/answers/detail/a_id/5687

AI and ML, Potential Risk of CVE

CVE-2025-23310: The NVIDIA Triton Inference Server for Windows and Linux suffers from a stack buffer overflow due to specially crafted input. (5th Aug 2025)

Leave a comment

Preface: The NVIDIA Triton Inference Server API supports both HTTP/REST and GRPC protocols. These protocols allow clients to communicate with the Triton server for various tasks such as model inferencing, checking server and model health, and managing model metadata and statistics.

Background: NVIDIA Triton™ Inference Server, part of the NVIDIA AI platform and available with NVIDIA AI Enterprise, is open-source software that standardizes AI model deployment and execution across every workload.

The Asynchronous Server Gateway Interface (ASGI) is a calling convention for web servers to forward requests to asynchronous-capable Python frameworks, and applications. It is built as a successor to the Web Server Gateway Interface (WSGI).

NVIDIA Triton Inference Server integrates a built-in web server to expose its functionality and allow clients to interact with it. This web server is fundamental to how Triton operates and provides access to its inference capabilities on both Windows and Linux environments.

Vulnerability details: CVE-2025-23310 – NVIDIA Triton Inference Server for Windows and Linux contains a vulnerability where an attacker could cause stack buffer overflow by specially crafted inputs. A successful exploit of this vulnerability might lead to remote code execution, denial of service, information disclosure, and data tampering.

Official announcement: Please refer to the link for details –

https://nvidia.custhelp.com/app/answers/detail/a_id/5687