Monthly Archives: October 2025

Cell Phone (iPhone, Android, windows mobile), IoT, Potential Risk of CVE

CVE-2025-27053: Incorrect Calculation of Buffer Size in HLOS (17th Oct 2025)

Leave a comment

Official Published: 10/06/2025

Preface: Microsoft partners with the Android ecosystem by enabling its PlayReady DRM technology for content protection on Android devices, both in apps and web browsers. This integration allows developers to protect premium content like live TV and video-on-demand (VOD) using Android’s Java DrmManagerClient API, while web browsers use the Encrypted Media Extensions (EME) standard to access PlayReady via a Content Decryption Module (CDM). Leading Android device manufacturers often embed a PlayReady client into their devices, and Microsoft provides a Porting Kit to help them do so.

Background: The core of the Android OS operating system is the Android Open Source Project (AOSP), which is free open source software (FOSS) licensed primarily under the Apache License. However, most devices run a proprietary version of Android developed by Google, which comes pre-installed with additional proprietary, closed-source software, most popular Google Mobile Services (GMS), which includes core applications such as Google Chrome, the digital distribution platform Google Play, and the related Google Play Services development platform.

Qualcomm Android source code is divided into development source code and proprietary source code. Proprietary source code is further divided into proprietary non-HLOS software and proprietary HLOS software. HLOS is the High-level Operating System, and non-HLOS software refers to software below the HLOS layer.

Vulnerability details: Memory corruption during PlayReady APP use case while processing TA commands.

CVE-2025-27053 : If the BUFFER_SIZE is incorrectly calculated (e.g., too small for the actual data exchanged), the TA might read or write beyond the allocated memory, leading to memory corruption. The vulnerability CVE-2025-27053 is a memory corruption issue caused by incorrect buffer size calculation in HLOS when processing TA commands in the PlayReady APP usecase. Here’s why it affects Qualcomm Snapdragon chips.

Official announcement: Please refer to the url for details –

https://docs.qualcomm.com/product/publicresources/securitybulletin/october-2025-bulletin.html

AI and ML, Potential Risk of CVE

CVE-2025-23356: about Isaac Lab component of NVIDIA Isaac Sim (16-10-2025)

Leave a comment

Preface: The goal of generating synthetic data for robot models is to create a diverse and realistic dataset for training and validating AI systems in a cost-effective and scalable way, helping to overcome the limitations of real-world data collection. This includes creating data for training models, improving their performance, testing for edge cases, and refining them after initial training without needing extensive, time-consuming, or dangerous physical data collection.  

Background: Isaac Sim facilitates three essential workflows: generating synthetic data for training or post-training robot models used for perception, mobility, and manipulation. It also enables validating robot stacks through software and hardware-in-loop testing and enabling robot learning through Isaac™ Lab.

NVIDIA Isaac Lab is an open-source, unified framework for robot learning that helps developers train robot policies using high-fidelity simulation. Built on NVIDIA Isaac Sim and the Omniverse platform, it leverages the power of GPUs for parallel physics simulation and photorealistic rendering to bridge the gap between simulation and real-world training. The framework simplifies common workflows for robot learning, such as reinforcement learning and imitation learning, by providing modular design patterns and a unified set of tools.

Configuring Stable-Baselines3 (SB3) within Isaac Sim, particularly with Isaac Lab, involves setting up the training environment and specifying hyperparameters for your chosen reinforcement learning algorithm.

Vulnerability details: NVIDIA Isaac Lab contains a vulnerability in SB3 configuration parsing. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering.

Official announcement: Please see the link for details

https://nvidia.custhelp.com/app/answers/detail/a_id/5708

Potential Risk of CVE

About CVE-2025-0033 : AMD recommends updating to the SEV Firmware or Platform Initialization (PI) firmware (15-10-2025)

Leave a comment

Preface: Web hosting companies can use AMD EPYC 9004 Series processors for demanding and high-traffic websites, but they are more suitable for large-scale or specialized workloads due to their high cost and performance focus on areas like AI, HPC, and cloud-native computing.

Background: During Secure Nested Paging (SNP) initialization, the Reverse Map Table (RMP) is set up by software (firmware) to map system physical addresses to guest memory and enforce page ownership and write permissions. The RMP is a system-wide table, indexed by the System Physical Address (SPA), with each entry corresponding to a 4KB chunk of memory, indicating which owner has access to it and how it can be written to. This is crucial for preventing the hypervisor from maliciously accessing a guest’s private, encrypted memory.

Ref: For AMD SEV-SNP systems, the best hypervisor depends on your specific needs, but Proxmox is a strong contender for a feature-rich, open-source option, while VMware vSphere is an excellent choice for enterprise environments already invested in the VMware ecosystem. For users who prefer Linux, adding a confidential computing kernel to a distribution like Ubuntu enables robust SEV-SNP support through open-source tools like libvir

Vulnerability details: Researchers from ETHz reported that a malicious hypervisor could corrupt the Reverse Map Table (RMP) during Secure Nested Paging (SNP) initialization.

AMD reproduced the issue and determined it is due to a race condition that can occur while the AMD Secure Processor (ASP) is initializing the RMP. This attack could allow a malicious hypervisor to manipulate the initial RMP content, potentially resulting in loss of SEV-SNP guest memory integrity. AMD has released mitigations for this vulnerability.

Official announcement: Please see the link for details –

https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3020.html

IoT, Potential Risk of CVE

CVE-2025-47347: Stack-based Buffer Overflow in Automotive Software platform based on QNX  (14-10-2025)

Leave a comment

Preface: QNX uses a 4KB page size by default for memory translation, where memory is organized into fixed-sized chunks called pages, which are the units the memory manager works with. However, newer versions of the QNX OS have introduced variable page sizes for improved performance, allowing for larger blocks of memory to be mapped with a single translation table entry instead of multiple 4KB entries, according to QNX. 

Background: Qualcomm embedded chips can run the QNX Hypervisor to securely virtualize multiple operating environments on a single System-on-Chip (SoC). This allows developers to consolidate different OSs, such as a functional safety OS for critical systems like driving and a less critical OS for infotainment, onto one processor. The QNX Hypervisor works by creating virtual machines (VMs) that execute directly on the physical CPU.

Vulnerability details: Memory corruption while processing control commands in the virtual memory management interface.

Ref: In QNX, if a thread is created without explicitly setting a stack size, it uses a default size (e.g., 256 KB on x86_64 and AArch64) with a guard page to detect overflows. But if the thread’s actual usage exceeds this size, and the guard page is bypassed or misconfigured (e.g., due to a bug in the memory management interface), it could lead to stack corruption.

Recommendations

  • Always explicitly set stack sizes for threads using pthread_attr_setstacksize() or pthread_attr_setstack() to ensure they are large enough for the thread’s workload.
  • Apply vendor patches addressing CVE-2025-47347 as soon as available.

Official announcement: Please see the link for details

https://nvd.nist.gov/vuln/detail/CVE-2025-47347

https://docs.qualcomm.com/product/publicresources/securitybulletin/october-2025-bulletin.html

Potential Risk of CVE

The other side of CVE-2025-23309 (13th Oct 2025)

Leave a comment

Preface: When running Windows containers on a Windows host, here’s what happens –

Containers share the host kernel — unlike Linux containers on Linux, Windows containers rely on the Windows kernel and some host services.

Isolation is limited — Windows containers are isolated at the process level, but they can access some host resources, especially if configured with elevated privileges.

Background: DLL Search Order

When an application dynamically loads a DLL using functions like LoadLibrary or LoadLibraryEx without providing a complete path, Windows follows a predefined search order to locate the required DLL. This order typically includes:

  • The directory from which the application loaded.
  • The system directory (%SystemRoot%\system32).
  • The 16-bit system directory.
  • The Windows directory (%SystemRoot%).
  • The current working directory (CWD).
  • The directories listed in the PATH environment variable.

Vulnerability details: NVIDIA Display Driver contains a vulnerability where an uncontrolled DLL loading path might lead to arbitrary denial of service, escalation of privileges, code execution, and data tampering.

Supplement:

If a Windows container is configured to use the GPU and the vulnerable NVIDIA driver is present on the host:

DLL Hijacking Risk: If the container or its processes can influence the DLL search path (e.g., by setting the current working directory or placing files in directories searched first), it might be able to exploit the vulnerability.

Container Escape Potential: If the malicious DLL is loaded by a privileged process (e.g., one running as SYSTEM or with elevated rights), it could lead to privilege escalation or container escape.

Remark: Limited by Container Isolation: If the container is running with strict isolation and without elevated privileges or GPU access, the risk is significantly lower, but not zero — especially if the container can manipulate the environment in which the vulnerable driver operates.

To reduce risk (remedy):

Update the NVIDIA driver — Ensure the host is running a patched version that addresses CVE-2025-23309.

Restrict container privileges — Avoid running containers with elevated privileges or access to host directories.

Use absolute paths in DLL loading — If developing software inside containers, always use secure DLL loading practices.

Monitor container file systems — Prevent unauthorized DLLs from being placed in sensitive directories.

Official announcement: Please see the link for details –

https://nvidia.custhelp.com/app/answers/detail/a_id/5703

Network (Protocol, Topology & Standard), Potential Risk of CVE

CVE-2025-61910: about BPv7 protocol (9 Oct 2025)

Leave a comment

Preface: What is D3TN? In 2015, our company was founded under the name “FUSE” to offer dedicated software products for distributed systems. Due to our native interest in networking for challenged environments with an emphasis on space and underwater networks, we started focusing intensively on this field. In July 2018, we renamed the company D3TN, referring to our competences in so-called Delay- and Disruption-tolerant Networking (DTN) technologies. These technologies may be employed to render possible communication in the most challenging environments. We are experts in developing software and hardware solutions for this domain.

Background: The main purpose of NASA’s involvement in Bundle Protocol version 7 (BPv7) is to create a more robust, standard, and interoperable networking protocol for space exploration, enabling the Solar System Internet, lunar networks like LunaNet, and improving data return and communication reliability for all types of space missions. BPv7 builds upon BPv6 by adding essential features for network-layer functionality and standardized interfaces, addressing gaps in the previous standard and paving the way for future, complex space communication architectures.

BPv7 is used in Delay-Tolerant Networking (DTN), as it is the latest version of the Bundle Protocol (BP) and is being implemented in operational systems like the Interplanetary Overlay Network (ION). BPv7 is a more robust and standardized version of the Bundle Protocol (BP) that improves upon its predecessor, BPv6, and enables advanced functionalities like Bundle-in-Bundle Encapsulation (BIBE) to handle both versions concurrently.

Vulnerability details: CVE-2025-61910 state the following: The vulnerability seems to be due to processing the fifth element of the array (i.e., the byte string) as replacing it with a number makes the vulnerability no longer be triggered. While parsing this extension block, ION obtains a very large block length, which in the code in `bei.c`:764) seems to be passed from `blockLength` which is an unsigned int, to a 32 bit signed integer `blkSize`.

The unsigned to signed conversion causes `blkSize` to hold the value of -369092043, which is then converted into a 64-bit unsigned value inside `MTAKE(blkSize)`, resulting in an attempt to allocate an unrealistic amount of memory, causing the error.

Summary:

The CVE description is outdated in practice but accurate in terms of formal release status.

The fix exists in GitHub, but no patched release version has been tagged or published yet.

Users should manually apply the fix or monitor the repository for an official release.

Official announcement: Please see the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2025-61910

https://www.tenable.com/cve/CVE-2025-61910

Potential Risk of CVE

CVE-2025-61778 – About Akka.Remote from v1.2.0 to v1.5.51 (9th Oct 2025)

Leave a comment

Preface: Businesses that deploy Akka with .NET span industries like investment banking, retail, healthcare, and social media, and are often found in sectors requiring high-throughput, low-latency systems such as finance, e-commerce, and online gaming. Companies have used Akka.NET to build microservices, power AI solutions, and create resilient, scalable distributed systems that benefit from its actor-based model for fault tolerance and real-time responsiveness.

Background: Akka.NET is a .NET port of the original Akka project, which originated in the Scala/Java community. It provides an idiomatic .NET implementation of the Actor Model, enabling developers to build highly concurrent, distributed, and fault-tolerant systems using C# and F#.

In C# and F#, “System” typically refers to the System namespace, which is a fundamental part of the .NET Framework and .NET Core. This namespace provides access to core functionality that is essential for almost any .NET application, regardless of whether it’s written in C# or F#.

What Happens Due to the Flaw?

1-Malicious Client connects to the cluster over TLS.

2-Because client certificate validation is not enforced, the cluster accepts the connection.

3-The malicious client can:

Send spoofed messages to actors (e.g., fake orders).

Intercept or manipulate actor responses.

Disrupt trading logic or inject latency.

    Official announcement: Please see the link for details –

    https://www.tenable.com/cve/CVE-2025-61778

    https://getakka.net/articles/remoting/security.html

    Potential Risk of CVE

    CVE-2023-53616 – Published: 04-10-2025. Don’t despise design weaknesses from two years ago! (8th Oct 2025)

    Leave a comment

    Preface: Computing technology is advancing rapidly, and software development cycles are shrinking. Furthermore, these shorter-than-expected software development cycles are impacting vulnerability management cycles. Vulnerabilities discovered over a year ago might not be taken seriously. However, nothing in the digital world is completely secure. Therefore, it’s recommended not to ignore outdated CVE records. This topic focuses on a vulnerability discovered in December 2022. The submitter announced this vulnerability in September 2023. CVE-2023-53616 was finally published on October 4, 2025.

    This article also contains other perspectives. Please enjoy!

    Background: Journaled File System (JFS) is a 64-bit journaling file system created by IBM. There are versions for AIX, OS/2, eComStation, ArcaOS and Linux operating systems.

    If diUnmount() writes out the inode map and the filesystem is unmounted, shouldn’t that memory be safe from reuse by attackers? Especially since it’s in kernel space and requires root privileges?

    Here’s the key point:

    Yes, kernel memory is protected and not directly accessible from user space. However, vulnerabilities like this are dangerous even in kernel space, because:

    -Kernel code can be triggered indirectly by user actions (e.g., mounting/unmounting filesystems, accessing files).

    -If a stale inode structure remains in memory and is reused without proper reinitialization, it can lead to privilege escalation or data corruption.

    -Attackers with some level of access (e.g., via a compromised process or container) might exploit such bugs to gain full root access.

    Can ioctl Misuse Lead to Exploitation of This Vulnerability?

    Yes, absolutely. Misuse of ioctl (Input/Output Control) calls in kernel modules or drivers can be a vector for exploitation, especially when combined with vulnerabilities like the one in JFS_IP. Please see attached diagram for details.

    Official announcement: Please see the link for details –  

    https://www.tenable.com/cve/CVE-2023-53616

    Science

    Where did 3I/ATLAS come from? (7th Oct 2025)

    Leave a comment

    Preface: The WOW signal was detected at a frequency near the hydrogen line, around 1420 MHz. This specific frequency was favored by SETI researchers because it’s a “quiet” band of the electromagnetic spectrum, also known as the “water hole,” where transmissions are protected from terrestrial interference and are naturally emitted by the most common element in the universe, hydrogen.

    Background: Harvard astrophysicist Avi Loeb suggests the interstellar object 3I/ATLAS is in the same general direction as the 1977 Wow! Signal, with the two aligning within about 9 degrees. This proximity has led to speculation, including Loeb’s call for radio astronomers to investigate if 3I/ATLAS is emitting any signals, though there is currently no direct scientific evidence linking the two events.

    WOW signal –  This signal comes from the globular cluster M55 in Sagittarius.

    M55 – M55 is not a constellation, but a globular cluster located in the constellation Sagittarius. Also known as the Specter Cluster or NGC 6809, it is an ancient ball of over 100,000 stars, around 12.5 billion years old.

    From a scientific point of view, are there any questions?

    Spectroscopic analysis of interstellar comet 3I/ATLAS has revealed the presence of nickel atoms, but notably without iron, which is a puzzling and anomalous observation compared to typical comets from our solar system and even the previous interstellar visitor 2I/Borisov. This unusual nickel-to-iron ratio is significantly higher and suggests nickel is released via photochemical processes, possibly from nickel carbonyls, rather than from the high-temperature sublimation of dust grains that would typically release both metals together.

    Details provided by Professor LoebPlease see the link for details:

    https://avi-loeb.medium.com/why-is-the-orbital-plane-of-3i-atlas-inclined-by-5-degrees-relative-to-the-ecliptic-plane-3b07e5222bff

    AI and ML, Potential Risk of CVE

    CVE-2025-23272: About NVIDIA nvJPEG library (6th Oct 2025)

    Leave a comment

    Preface: The nvJPEG library provides low-latency decoding, encoding, and transcoding for common JPEG formats used in computer vision applications such as image classification, object detection and image segmentation.

    Background: The nvJPEG library enables the following functions: use the JPEG image data stream as input; retrieve the width and height of the image from the data stream, and use this retrieved information to manage the GPU memory allocation and the decoding.

    To use the nvJPEG library, start by calling the helper functions for initialization. Create nvJPEG library handle with one of the helper functions nvjpegCreateSimple() or nvjpegCreateEx() . Create JPEG state with the helper function nvjpegJpegStateCreate() . See nvJPEG Type Declarations and nvjpegJpegStateCreate() .

    The nvJPEG library provides high-performance, GPU accelerated JPEG decoding functionality for image formats commonly used in deep learning and hyperscale multimedia applications.

    Ref: Arrays in C/C++ are zero-indexed, meaning that if an array has `n` elements, valid indices range from `0` to `n-1`. Accessing an index outside this range leads to out-of-bounds access. Pointers in C/C++ provide direct memory manipulation capabilities, but this power comes with the risk of “out-of-bounds” access.

    Vulnerability details: NVIDIA nvJPEG library contains a vulnerability where an attacker can cause an out-of-bounds read by means of a specially crafted JPEG file. A successful exploit of this vulnerability might lead to information disclosure or denial of service.

    Official announcement: For more details, please click the link.

    https://nvd.nist.gov/vuln/detail/CVE-2025-23272