The Tang Dynasty understood the composition of the moon earlier than modern astronauts. (19th May 2026)

Preface: This story, from *Youyang Zazu: Tianzhi* (酉陽雜俎: 天咫), recounts how a Tang Dynasty scholar, lost in the Songshan Mountains (嵩山), encountered a “moon man 《修月人》” repairing the moon. The character describes the moon as a sphere composed of seven precious materials and suggests that the light and shadow on its surface are caused by the sun’s rays. He then gives the two scholars mysterious food and guides them on their way.

Background: The story’s protagonists are Zheng Renben’s (鄭仁本) cousin (Duan Chengshi (段成式) notes he forgot his name) and a scholar named Wang, not Duan Chengshi himself.

Plot Summary: The two get lost in Mount Song (嵩山) and encounter a white-clad man lying asleep in the grass, using a bundle as a pillow. Upon waking, the white-clad man claims to be one of the “Moon Repairers 《修月人》” and reveals the astonishing statement that “the moon is a sphere composed of seven treasures, and its light is produced by the sun illuminating its convex parts.”

Point of view: The Tang Dynasty (618–907 CE) concluded approximately 1,119 years ago as of 2026. How did they know that the moon was a sphere made of seven precious materials? People in the Middle Ages or ancient times generally believed that the Earth was flat, but educated people and scholars knew as early as ancient Greece (around the 5th to 3rd centuries BC) that the Earth was a sphere. This shows that no one knows the details of the moon.

From the Song Dynasty (宋代) to the Ming and Qing Dynasties (明清): Minor adjustments to the text rather than plot modifications. Song Dynasty (宋代) scholars (such as when compiling the Taiping Guangji (太平天國光記)) widely quoted this passage. Subsequent Ming Dynasty (明代) editions, such as the Wang Shixian edition (王世賢本), the Mao Jin Jigu Pavilion edition (毛錦極閣本), and the Qing Dynasty Siku Quanshu edition 《清代四庫全書》, all preserved the core plot of this story without any alterations to the storyline.

These seven dominant elements, which make up about 98% to 99% of lunar rocks, include: 

  • Oxygen (41% – 45%)
  • Silicon
  • Aluminum
  • Calcium
  • Iron
  • Magnesium
  • Titanium 

The remaining 1% to 2% of the Moon’s surface material contains trace amounts of other elements like manganese, sodium, potassium, and phosphorus.

End of article

CVE-2026-46300 (Fragnesia) is a Linux kernel privilege escalation in the XFRM ESP-in-TCP subsystem. Does it affect GX-grade supercomputers? (18th May 2026)

Preface: If BlueField DPU supports configuring IPsec rules using strongSwan 5.9.0bf, does it use kernel IPsec in ARM?

Yes, when using strongSwan 5.9.0bf on the BlueField DPU, it utilizes the Linux kernel IPsec stack (xfrm) running on the ARM cores to manage and configure security associations, which can then be offloaded to the hardware acceleration engines.

Background: The only scenario where a GPU or advanced SoC interacts with the Linux kernel’s XFRM subsystem is during IPsec Network Offloading (SmartNICs / DPUs).

If an enterprise SoC or Data Processing Unit (like an NVIDIA BlueField DPU) handles high-speed network traffic, the Linux XFRM subsystem can act as a control plane. It passes the encryption policies (SAs and SPIs) down to the chip’s network engine so that standard internet IPsec traffic can be encrypted at wire speed directly on the network interface card (NIC) hardware rather than taxing the main host CPU.

Vulnerability details: Fragnesia is a Linux local privilege escalation vulnerability that is a member of the Dirty Frag vulnerability class.

Are there any remedies available for CVE-2026-46300?

Patch Your Kernel:

Update your Linux kernel immediately. Patches were released by major distributions (AlmaLinux, Ubuntu, Red Hat, Debian, Amazon Linux) around May 14-16, 2026.

Apply Temporary Mitigation (If Patching is Delayed): Disable the vulnerable modules (esp4, esp6, and rxrpc) to block the exploit.

Run:

sudo rmmod esp4 esp6 rxrpc

Create blacklist file:

echo -e "install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false" | sudo tee /etc/modprobe.d/fragnesia.conf

Clear Page Cache: If you suspect a machine was targeted before patching, run sync; echo 3 | sudo tee /proc/sys/vm/drop_caches to evict potentially corrupted cached pages.

Official announcement: Please refer to the link for details – https://github.com/v12-security/pocs/tree/main/fragnesia

A more imaginative assumption on TDXRay: Microarchitectural Side-Channel Analysis of Intel TDX for Real-World Workloads (15th May 2026)

Preface: In these scenarios (see attached diagram), microarchitecture side-channel attacks targeting Intel TDX can directly impact and jeopardize the security of AMD accelerators.

Even though the AMD Instinct APU operates on a completely different silicon package, the two architectures are fundamentally tied together by a shared software stack, device driver interface, and physical interconnect fabric.

The specific risks regarding how TDXRay and cross-domain side-channel leakage bypass the hardware boundary in your diagram are detailed below:

Technical details:

1. Host-Side Driver Leakage (The Primary Target)

As illustrated in attached diagram, the ROCm Driver and HIP Runtime execute inside the Intel TDX Virtual Machine / Trust Domain.

  • When primitives like those found in the TDXRay research paper (e.g., page-level or cache-line tracking) are utilized by an untrusted host hypervisor, they target the Intel CPU’s caches and memory controller.
  • Because the Intel CPU must actively prepare, schedule, and feed data arrays (h_a, h_b) to the AMD accelerator, the memory access patterns of the ROCm driver itself are leaked.
  • An attacker can infer exactly when the AMD kernel is being launched, what memory addresses are being mapped, and the size or stride of the datasets being transferred.

2. Interconnect Fabric Bottlenecks & Shared Cache Timing

The highlighted section in your diagram notes that memcpy can leak info via cache and memory controller interaction.

  • During hipMemcpyHostToDevice or hipMemcpyDeviceToHost, data travels across the PCIe Gen 5 / CXL Interconnect Fabric.
  • If a malicious actor on the host hypervisor induces resource contention on the shared Intel CPU core or memory bus, they can observe subtle latency shifts.
  • By monitoring the timing delays of the Intel CPU waiting for the AMD APU to complete its tasks (hipDeviceSynchronize), the attacker can infer secret-dependent execution paths inside the AMD hardware without ever probing the AMD chip directly.

3. The Cross-Domain Threat Model (AMD SEV-SNP Parallel)

According to AMD’s Official Security Bulletin (AMD-SB-3044) published regarding the TDXRay findings, these types of microarchitectural host-side tracing methodologies fall within a category of behaviors that affect both Intel TDX and AMD SEV-SNP.

If an application leaks data structure layouts through its memory access patterns on the Intel host, the fact that the actual matrix operations happen on an AMD chip does not protect the workflow’s overall confidentiality.

Official announcement: Please refer to the link for details – https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3044.html

Checkmarx Jenkins AST Plugin Compromised (14th May 2026)

Preface: Jenkins’ popularity and its rich plugin ecosystem are the main reasons for integrating event monitoring tools with it. While there isn’t a single “API plugin,” Jenkins has a powerful built-in remote access API (supporting XML, JSON, and Python), which many external monitoring tools use to retrieve data.

Background: With its unparalleled flexibility, vast plugin ecosystem, and vendor neutrality, Jenkins remains the preferred tool for cloud applications, especially in DevOps environments. Despite the emergence of many newer cloud-native tools, Jenkins remains the preferred solution for complex, hybrid, or highly customized CI/CD pipelines.

The TanStack incident and the Checkmarx Jenkins AST plugin intrusion incident were actually part of a well-planned coordinated supply chain attack campaign by the same threat group, TeamPCP.

Security researchers from Wiz, Snyk, and Socket have dubbed this large-scale, multi-targeted attack campaign (expected to launch in May 2026) the “Mini Shai-Hulud” worm attack. While the two incidents targeted different environments and used different initial entry points, they both originated from the same threat group, malware family, infrastructure, and ultimate target.

Incident details: The previous version of the Checkmarx Jenkins AST plugin (specifically version 2026.5.09) was compromised as part of an ongoing supply chain attack by the threat actor group TeamPCP, following their earlier compromise of Checkmarx infrastructure in March 2026.

The attack appears to be another TeamPCP incident because the attackers used the same techniques—gaining unauthorized access to Checkmarx’s GitHub repositories—to inject credential-stealing “Dune-themed” malware, similar to the previous KICS and GitHub Actions attacks.

Official announcement: Please refer to the link for details. – https://checkmarx.com/blog/ongoing-security-updates/

Shai-Hulud operates as a multi-vector, self-propagating worm. It routinely changes its entry points to compromise environments. Stay vigilant! (14th May 2026)

Preface: The TanStack incident was a highly sophisticated software supply-chain compromise that occurred on May 11, 2026. An attacker successfully hijacked TanStack’s legitimate GitHub Actions release pipeline to publish 84 malicious versions across 42 @tanstack/* npm packages, including widely used tools like @tanstack/react-router.

Background: Both @tanstack/react-router and @tanstack/react-query are client-side frontend libraries, and K8s is a backend orchestration platform. In normal circumstances, frontend applications running inside Kubernetes (K8s)-managed containers are typically containerized web assets (static files or server-side rendered apps) packaged with a lightweight web server (like Nginx or Apache). But @tanstack/react-router and @tanstack/react-query are highly relevant to building robust frontend applications that run inside a K8s-managed containerized environment. These tools handle frontend data fetching and routing, while Kubernetes manages the infrastructure, pods, and scaling of the APIs they consume. TanStack Query handles caching and server state synchronization, reducing unnecessary API calls to backend services running on K8s. You can call @tanstack/react-router and @tanstack/react-query part of a suite. They are core components of the TanStack suite, a collection of high-quality, open-source libraries designed for modern web development.

Incident details: A supply chain attack, dubbed “Mini Shai-Hulud”, is affecting well-known projects including TanStack, Mistral AI, UiPath, and OpenSearch.

Official announcement: Please refer to the link for details – https://digital.nhs.uk/cyber-alerts/2026/cc-4781

CVE-2026-43284: Dirty Frag tricks the IPsec/TCP stack into doing the “dirty work” (13th May 2026)

Preface: The “Dirty Frag” attack chains two separate flaws in the Linux kernel’s networking stack: one in the ESP (Encapsulating Security Payload) protocol used by IPsec and another in the RxRPC protocol used for the AFS distributed file system. If you do not use IPsec, disabling its modules removes one of the major attack paths.

Background: The “Dirty Frag” vulnerability is deemed difficult to patch immediately due to its exploitation of a long-standing core Linux kernel optimization, which initially lacked official, widespread patches upon disclosure. While disabling ESP modules helps, effective mitigation requires blacklisting both ESP and RxRPC modules, or patching the kernel directly.

How to mitigate vulnerabilities:

Step 1: Block the ESP and RxRPC modules: Create a configuration file (e.g., /etc/modprobe.d/dirtyfrag.conf) to ensure the modules cannot be auto-loaded by an exploit:

bash

install esp4 /bin/false
install esp6 /bin/false
install rxrpc /bin/false

Step 2: Unload current modules: Remove the modules if they are currently active in memory:

bash

sudo modprobe -r esp4 esp6 rxrpc
 

Step 3: Clear the Page Cache: The exploit works by corrupting the page cache. After applying the blocks, clear the cache to ensure no malicious changes persist in RAM:

bash

sudo sync && echo 3 | sudo tee /proc/sys/vm/drop_caches
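
A way to verify that the module blocks described in the steps above (and in the Fragnesia mitigation earlier on this page) actually took effect, as an added example that is not from the original post: a shell audit that reports, for esp4, esp6 and rxrpc, whether the module is still loaded and whether a modprobe.d install rule blocks it. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the esp4/esp6/rxrpc mitigation. Paths are parameters so
# the check can run on constructed sample files as well as on a live host.
MODULES="esp4 esp6 rxrpc"

# is_loaded MODULE PROC_MODULES_FILE -> exit 0 if the module is listed as loaded
is_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$2"
}

# is_blocked MODULE MODPROBE_DIR -> exit 0 if any *.conf file contains
# "install MODULE /bin/false" (or /bin/true). Commented-out rules do not
# match because the first field must be exactly "install".
is_blocked() {
    for f in "$2"/*.conf; do
        [ -f "$f" ] || continue
        awk -v m="$1" '
            $1 == "install" && $2 == m && ($3 == "/bin/false" || $3 == "/bin/true") { found = 1 }
            END { exit !found }' "$f" && return 0
    done
    return 1
}

# audit PROC_MODULES_FILE MODPROBE_DIR -> prints one status line per module;
# exit 0 only when every module is both unloaded and blocked
audit() {
    audit_rc=0
    for m in $MODULES; do
        loaded=no; blocked=no
        is_loaded "$m" "$1" && loaded=yes
        is_blocked "$m" "$2" && blocked=yes
        echo "$m loaded=$loaded blocked=$blocked"
        if [ "$loaded" = yes ] || [ "$blocked" = no ]; then audit_rc=1; fi
    done
    return $audit_rc
}

# Demo on constructed sample data (not taken from a real host): esp4 is still
# loaded and the esp6 rule is missing, so the audit must fail.
demo() {
    d=$(mktemp -d)
    mkdir "$d/modprobe.d"
    printf 'esp4 28672 0 - Live 0x0\nxfrm_user 45056 2 - Live 0x0\n' > "$d/modules"
    printf '# partial mitigation\ninstall esp4 /bin/false\ninstall rxrpc /bin/false\n' \
        > "$d/modprobe.d/fragnesia.conf"
    status=0
    audit "$d/modules" "$d/modprobe.d" || status=1
    rm -rf "$d"
    return $status
}

demo || echo "mitigation incomplete"
# On a live host: audit /proc/modules /etc/modprobe.d
```

A rule that exists while the module is still loaded only prevents future loads, which is why the audit treats "loaded=yes blocked=yes" as a failure until the module has been removed.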
 

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2026-43284

How can Apple meet requirements for lawful key escrow similar to those in Canada’s C-22 Act? (12th May 2026)

Preface: Can we say that Apple’s iPhone is the most secure smartphone in the world? Yes, the Apple iPhone is widely considered the most secure mainstream smartphone for general users, largely due to its “walled garden” approach.

Background: As of May 2026, Canada’s proposed Bill C-22, the Lawful Access Act (2026), is currently being debated in the House of Commons. Apple Inc. has formally opposed the legislation, warning that it could legally compel the company to weaken encryption on its devices and build “backdoors” for government surveillance.

Point of view: Why the “Standard Procedure” Fails for Escrow?

The code provided (see attached diagram) is designed for user-controlled security, which is functionally opposite to government-authorized access:

  • Hardware Isolation: As the code shows, the private key is generated inside the Secure Enclave and never leaves it. It is physically impossible to “escrow” (copy and store elsewhere) a private key generated this way.
  • The “Encrypted Blob” Problem: Step 4 of code (privateKey.dataRepresentation) creates an encrypted reference to the key, not the key itself. This blob can only be decrypted by the same Secure Enclave that created it. To “escrow” this for the Canadian government, Apple would need to fundamentally redesign the SEP to allow external decryption—creating the very “systemic vulnerability” they are currently fighting in the House of Commons.

Headline news: Please refer to the link for details – https://www.cbc.ca/news/politics/apple-argues-liberals-lawful-access-bill-could-put-users-personal-data-at-risk-9.7190092

CVE-2026-0300: Best practice guidelines remediate design weakness for PAN-OS software (11th May 2026)

Preface: Nginx in PAN-OS assists in routing traffic to backend management components, such as those responsible for user authentication and Captive Portal functionality.

Background: Palo Alto Networks firewalls can intercept HTTP and HTTPS traffic from unauthenticated users and redirect them to an internal web server (the Authentication Portal) to collect credentials and establish a user-to-IP mapping.

This feature, now known as the Authentication Portal (formerly Captive Portal), is designed to enforce security policies based on user identity, particularly for guest or BYOD users.

Vulnerability details: A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets. The risk of this issue is greatly reduced if you secure access to the User-ID™ Authentication Portal per the best practice guidelines.

Why is CVE-2026-0300 Rated So High?

Even though it involves the User-ID Authentication Portal, which is not always internet-facing, it receives a near-perfect score because:

  • Unauthenticated Root Access: An attacker does not need to be an admin. They simply send specially crafted packets to the portal to trigger a buffer overflow.
  • Zero Interaction: The attack happens silently without any user having to click a link or log in.
  • High Impact: Once exploited, the attacker gains root control of the firewall. According to Unit 42, attackers have used this to enumerate Active Directory, steal credentials, and destroy logs.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2026-0300

Impacted Devices:

  • PA-Series and VM-Series firewalls.
  • Prisma Access and Cloud NGFW are reported to be unaffected.

CVE-2026-25293 – Incorrect authorization in PLC FW (7th May 2026)

Preface: Qualcomm chipsets contain Powerline Communication (PLC) firmware features, particularly within their automotive and IoT-focused product lines designed for smart grid and electric vehicle (EV) charging.

Background: To implement write protection for SPI Flash, you generally need a combination of Hardware WP# pins and Software Status Register configurations.

The SPI Flash physical and software protection bits (BP bits / WP# pin) failed to provide a complete write-lock across the device lifecycle.

The threat model for CVE-2026-25293 usually assumes an attacker targets the PIB (Parameter Information Block):

  • Malicious PIB Modification: If WP is not active, an attacker can change MAC addresses or security keys in the PIB to conduct Man-in-the-Middle (MITM) attacks and steal charging credentials.
  • Persistent Backdoor: By overwriting sections of the NVM code (made possible because BP bits = 0), an attacker can implant a persistent backdoor that survives a reboot.

Vulnerability Details:

Title – Incorrect authorization in PLC FW

Description – Buffer overflow due to incorrect authorization in PLC FW

Technology Area – PLC FW

Vulnerability Type – CWE-863

Access Vector – Remote

Security Rating – Critical

Official announcement: Please refer to the link for details – https://docs.qualcomm.com/securitybulletin/may-2026-bulletin.html

Remedy: The primary remedy is to update the affected PLC firmware to the latest version supplied by the vendor that specifically addresses this CVE.

CVE-2026-25254: Improper authorization in Qualcomm Software Center (6th May 2026)

Preface: Even though QSC is installed on your Windows or Linux PC, its primary mission is to manage the Linux operating system that lives on your Target Development Board. QSC v1.21.0 knows exactly how to handle projects based on “Long Term Support Kernels” and provides the specific tools and patches required for them.

Background: To enable this within your qsc-cli workspace, follow these steps to modify your build configuration:

Step 1. Log in to the CLI
bash

qsc-cli login -u <your_email_address>

Step 2. In the context of the Qualcomm QRB4210 (RB2) and the Qualcomm Linux SDK, “enabling the SocketIO interface” typically refers to configuring a high-speed communication transport layer used in the Robot Operating System (ROS) or for high-speed sensor data between subsystems.

To enable this within your qsc-cli workspace, follow these steps to modify your build configuration:

Step 3. Identify the Required Metadata Layer

Socket-based transport optimizations, such as QRB ROS transport for zero-copy message passing, are often contained in the Qualcomm Intelligent Robotics (QIRP) SDK layers. Ensure you have the meta-qcom-qirp (or similar) layer in your workspace.

Step 4. Update your bblayers.conf

Step 5. Enable via Kernel Menuconfig (If Hardware Socket/Interface)

If you are referring to a specific hardware-backed socket interface (like a virtualized socket for a DSP or NPU), you may need to enable it in the kernel:

Enter your build environment via qsc-cli.

Run the devtool to modify the kernel configuration:

Bash

devtool menuconfig linux-qcom-base

Search (using /) for SOCKET or the specific interface driver name (e.g., AF_QIPCRTR for Qualcomm IPC Router sockets).

Set it to <*>

Vulnerability details: Improper authorization in Qualcomm Software Center

Description : Improper authorization leads to Remote Code Execution via SocketIO interface.

Official announcement: Please refer to the link for details – https://docs.qualcomm.com/securitybulletin/may-2026-bulletin.html