Category Archives: Cell Phone (iPhone, Android, windows mobile)

Cell Phone (iPhone, Android, windows mobile), IoT, Potential Risk of CVE

A quick look at branch predictor isolation in KVM-QEMU

Leave a comment

Preface: AMD SoCs can have KVM virtualization for embedded multicore systems, especially with ARM-based architectures, as KVM supports various architectures including ARM and has been adapted for embedded platforms. While KVM was initially designed for Intel and AMD x86 processors, its flexibility and portability allowed for ports to the ARM architecture, making it suitable for embedded multicore SoCs.

Ref: The AMD Zen5 branch predictor is a major update for the Zen family, featuring a new “two-ahead” design that allows it to predict up to two branches per clock cycle, a significant increase from the previous “one-ahead” limit.

Background: Any modern 64-bit AMD processor with AMD-V (SVM) virtualization support can utilize KVM-QEMU for virtualization, as KVM is integrated into the Linux kernel and requires only these hardware extensions for acceleration. To use KVM, you need to ensure AMD-V is enabled in your system’s firmware (BIOS/UEFI) and that your Linux distribution’s kernel and QEMU packages are installed and configured.

The branch predictor is a hardware component located within the processor that stores prediction data internally to improve performance by guessing the outcome of conditional branches.

It uses Branch History Buffers (BHT) and Branch Target Buffers (BTB) to keep track of past branch outcomes and the addresses of the branch targets, respectively, which are small, fast on-chip structures, not part of the main memory system.

Vulnerability details: Researchers from ETH Zurich discovered that incomplete isolation of the branch predictor state in AMD CPUs (Zen 1–5) allows a malicious guest VM to influence indirect branch prediction in the host, specifically in user-space components like QEMU.

The attack, named VMSCAPE, enables a guest VM to leak memory from the host QEMU process at a rate of 32 bytes/sec, including sensitive data like disk encryption keys.

Official announcement: For details, please refer to the link – https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7046.html

Cell Phone (iPhone, Android, windows mobile), Potential Risk of CVE

CVE-2025-21484: About Qualcomm – Enhanced Validation of Array Index in Multi-Mode Call Processor (8th Sep 2025)

Leave a comment

Preface: PLMNs are public networks, while private networks (NPNs) serve specific users (such as enterprises). SNPNs (Standalone NPNs) are completely independent, dedicated networks that do not rely on the functionality of public PLMNs.

Background: “Qualcomm Multi-Mode Call Processor” is a component of their Modem-RF system, which is a comprehensive 5G module-RF system designed to provide multi-band, multi-mode connectivity for various devices. These integrated solutions combine the cellular modem, RF transceiver, and RF front-end components to enable 5G, 4G LTE, and legacy cellular network support in a single, cohesive platform.

Each PLMN is identified by a PLMN ID, which includes a country code and mobile network code. The UE uses this ID to distinguish between different PLMNs.

Vulnerability details:

Title – Improper Validation of Array Index in Multi-Mode Call Processor

Description – Memory corruption while selecting the PLMN from SOR failed list.

Vulnerability Type – CWE-129 Improper Validation of Array Index

Official announcement: Please refer to the link for details –

https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2025-bulletin.html

Best Practices
  • Always validate array indices before access.
  • Use safer memory functions or wrappers that include bounds checking.
  • Monitor heap usage and implement memory pressure handling routines.

Cell Phone (iPhone, Android, windows mobile), Potential Risk of CVE

CVE-2025-9671 through CVE-2025-9675 are related to AndroidManifest[.]xml. Are they dangerous? (3rd Sep 2025)

Leave a comment

NVD Published Date: 08/29/2025

NVD Last Modified: 08/29/2025

Preface: If access to an exported Service is not restricted, any application may start and bind to the Service. Depending on the exposed functionality, this may allow a malicious application to perform unauthorized actions, gain access to sensitive information, or corrupt the internal state of the application.

Background: In the AndroidManifest.xml, components can declare the android:exported attribute. If this attribute is set to true (or implicitly true in older Android versions or without explicit declaration for components with intent filters), it allows other applications to launch or interact with that component. If this is not properly restricted, it can become a vulnerability.

Vulnerability details: See below –

CVE-2025-9671 (CVSS 5.3) UAB Paytend App (≤ 2.1.9)   

– Improper export of components via AndroidManifest.xml.

– Exploitable locally

– CWE-926

CVE-2025-9672 (CVSS 5.3)Rejseplanen App (≤ 8.2.2)

-Local attack exploiting exported components.     

-CWE-926

CVE-2025-9673 (CVSS 5.3) Kakao Hey Kakao App (≤ 2.17.4)

– Local manipulation of manifest leads to exposed components.

-CWE-926

CVE-2025-9674 (CVSS 5.3) Transbyte Scooper News App (≤ 1.2)

-Manifest misconfiguration allows component export.

-CWE-926

CVE-2025-9675 (CVSS 5.3) Voice Changer App (≤ 1.1.0)

-Local exploit due to improperly exported components.

-CWE-926

Official announcement: Please see the link for details

https://nvd.nist.gov/vuln/detail/CVE-2025-9671

https://nvd.nist.gov/vuln/detail/CVE-2025-9672

https://nvd.nist.gov/vuln/detail/CVE-2025-9673

https://nvd.nist.gov/vuln/detail/CVE-2025-9674

https://nvd.nist.gov/vuln/detail/CVE-2025-9675

Cell Phone (iPhone, Android, windows mobile), Potential Risk of CVE

CVE-2025-6573: About Imagination’s PowerVR DDK (12th AUG 2025)

Leave a comment

Preface: PowerVR is a brand of graphics processing unit (GPU) IP ( intellectual property) developed by Imagination Technologies. In the context of Android, PowerVR GPUs are integrated into mobile System-on-Chips (SoCs) by various manufacturers, providing the graphics processing capabilities for Android devices. It’s a key competitor to Adreno (Qualcomm) and Mali (Arm) GPUs in the Android market.

Background: The Android SDK and Imagination’s PowerVR DDK are both software development kits, but they serve different purposes. The Android SDK is a comprehensive set of tools for developing Android applications, while the PowerVR DDK is a specialized kit for optimizing and integrating graphics rendering with Imagination Technologies’ PowerVR GPUs.

A DDK is a set of tools and libraries provided by an operating system vendor to facilitate the development of device drivers and kernel modules. Kernel modules are pieces of code that can be loaded into the operating system kernel at runtime, extending its functionality without requiring a full system reboot. This is common in Linux and Android kernel development.

The PowerVR DDK (Driver Development Kit) Native Lib C Framework refers to the foundational libraries and tools provided by Imagination Technologies to facilitate the development of graphics applications and drivers for systems utilizing PowerVR GPUs.

Vulnerability details: Kernel software installed and running inside an untrusted/rich execution environment (REE) could leak information from the trusted execution environment (TEE).

  • The scratch buffer (pui8FWScratchBuf) is used by the GPU firmware for temporary data.
  • If this buffer is mapped or accessible from REE, malicious or compromised kernel software could read or overwrite data that should be protected within the TEE.

Official announcement: Please refer to the link for details

https://nvd.nist.gov/vuln/detail/CVE-2025-6573

Cell Phone (iPhone, Android, windows mobile), Potential Risk of CVE

CVE-2025-0932: Arm fixes userspace vulnerability in Mali GPU driver (8th Aug 2025)

Leave a comment

Preface: The Valhall family of Mali GPUs uses the same top-level architecture as the previous generation Bifrost GPUs. The Valhall family uses a unified shader core architecture.

The Arm 5th generation GPU architecture, including the Immortalis and Mali GPUs, represents a modern design for mobile and other client devices.

Background: ioctl (Input/Output Control) is the primary syscall used by userspace GPU drivers to communicate with the kernel-space driver. It allows sending custom commands and structured data to the driver.

Typical ioctl operations in Mali drivers include:

  • MALI_IOCTL_ALLOC_MEM: Allocate GPU-accessible memory
  • MALI_IOCTL_FREE_MEM: Free previously allocated memory
  • MALI_IOCTL_SUBMIT_JOB: Submit a GPU job (e.g., shader execution)
  • MALI_IOCTL_WAIT_JOB: Wait for job completion
  • MALI_IOCTL_MAP_MEM: Map memory to userspace

The path bifrost-drivers/driver/product/kernel/drivers/gpu/arm indicates that the code within this directory is part of the kernel-space drivers for Arm Mali Bifrost GPUs.

Vulnerability details: Use After Free vulnerability in Arm Ltd Bifrost GPU Userspace Driver, Arm Ltd Valhall GPU Userspace Driver, Arm Ltd Arm 5th Gen GPU Architecture Userspace Driver allows a non-privileged user process to perform valid GPU processing operations, including via WebGL or WebGPU, to gain access to already freed memory.

Scope of impact: This issue affects Bifrost GPU Userspace Driver: from r48p0 through r49p3, from r50p0 through r51p0; Valhall GPU Userspace Driver: from r48p0 through r49p3, from r50p0 through r54p0; Arm 5th Gen GPU Architecture Userspace Driver: from r48p0 through r49p3, from r50p0 through r54p0.

Official announcement: Please see the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2025-0932

https://developer.arm.com/documentation/110626/latest

Ref: Typo, attached code is free after use, is part of the remedy. The use after free not shown.

Cell Phone (iPhone, Android, windows mobile), Potential Risk of CVE

CVE-2025-43209: Processing maliciously crafted web content may lead to an unexpected Safari crash (31-07-2025)

Leave a comment

Preface: In essence, built-in browsers are not just about browsing; they are about maintaining control over the core functionality and user experience of the operating system.

Background: Safari and Edge, while built-in, utilize rendering engines derived from the KHTML project, specifically WebKit and Blink, respectively. WebKit is used in Safari, and Blink, a fork of WebKit, powers the Chromium-based Edge. These engines are not just for browsing; they handle the visual rendering of web content within the browser.

In Safari and Edge, the rendering engines (WebKit for Safari and Chromium for Edge) initially interact with the networking component to fetch the necessary resources for a webpage. This workflow prioritizes efficient data retrieval, enabling the browser to display content to the user as quickly as possible.

Safari’s rendering engine, WebKit, is developed and maintained by Apple, according to Apple. WebKit is an open-source project that was originally forked from KDE’s KHTML and KJS engines. Safari is a web browser developed by Apple and is the default browser on macOS, iOS, iPadOS, and visionOS.

Vulnerability details: An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in macOS Sequoia 15.6, iPadOS 17.7.9, iOS 18.6 and iPadOS 18.6, tvOS 18.6, macOS Sonoma 14.7.7, watchOS 11.6, visionOS 2.6, macOS Ventura 13.7.7. Processing maliciously crafted web content may lead to an unexpected Safari crash.

Ref: Out-of-Bounds Read (e.g., CVE-2025-43209)

-Reads memory outside the allocated buffer.

-Can leak: Pointers (used to bypass ASLR) or Object metadata (used for type confusion).

-Often used as a first stage in a multi-step exploit.

Official announcement: Please refer to the link for details https://nvd.nist.gov/vuln/detail/CVE-2025-43209

Cell Phone (iPhone, Android, windows mobile), IoT, Potential Risk of CVE

CVE-2025-21432: Double Free in SPS-HLOS (8th July 2025)

Leave a comment

Preface: Concise Binary Object Representation (CBOR) is a binary data serialization format loosely based on JSON authored by Carsten Bormann. The use of Concise Binary Object Representation (CBOR) in SPS HLOS (and other constrained environments) is primarily due to its ability to provide a compact, efficient, and extensible binary data format. This makes it suitable for resource-constrained devices and networks, where bandwidth and processing power are limited. 

Background: In Adreno GPUs, SPS (Shader Processors) HLOS refers to a specific architecture or organization within the GPU where Shader Processors are grouped and managed. “HLOS” likely stands for “High Level Operating System”, indicating that these SPS are managed by the system’s main operating system (like Android) rather than being directly controlled by the GPU’s internal firmware. This means the CPU and operating system handle the overall workload and scheduling for these shader processors.

Ref: CBOR data, from the perspective of a Transfer Agent (TA), refers to data formatted using the Concise Binary Object Representation (CBOR) standard, likely used for efficient and compact representation of information related to financial transactions or other assets managed by the TA. 

Vulnerability details: Memory corruption while retrieving the CBOR data from TA (Transfer Agent).

Summary:

Component – Qualcomm Adreno GPU (Graphics Driver)

Vulnerability Type – Double Free / Memory Corruption

Trigger – Occurs during CBOR data retrieval from shader memory by the Transfer Agent (TA).

Affected Subsystem: SPS-HLOS (Shader Processor System managed by High-Level OS)

Impact:

Double free condition in shared memory buffers.

Potential for arbitrary code execution or privilege escalation.

Exploitable via crafted GPU workloads or malicious apps using OpenCL/Vulkan.

Official announcement: Please see the link for details – https://docs.qualcomm.com/product/publicresources/securitybulletin/july-2025-bulletin.html

Cell Phone (iPhone, Android, windows mobile), IoT, Potential Risk of CVE

CVE-2025-21450: Improper Authentication in GPS GNSS (7th July 2025)

Leave a comment

Preface:

GNSS – This is a global term encompassing all satellite constellations that provide positioning, navigation, and timing (PNT) services. Besides GPS, other GNSS include GLONASS (Russia), Galileo (EU), and BeiDou (China).

GPS – The Global Positioning System, developed by the US Department of Defense, is the most widely recognized and used GNSS. It was the first global satellite navigation system and has become a household term.

Background: A GPS/GNSS receiver can be considered the client in a similar way to an IoT device or smartphone, particularly when used for location-based services. GPS/GNSS receivers require cryptographic downloads, specifically key material and potentially software updates, to enable authentication and anti-spoofing features. These features ensure the integrity and authenticity of the received signals, protecting against malicious attacks like spoofing where fake signals mimic legitimate satellites.

Ref: The GPS module in the Snapdragon 8 Gen 3 is integrated within the Snapdragon X75 5G Modem-RF System. The X75 is a comprehensive modem-RF solution that includes not only 5G capabilities but also other wireless technologies like Wi-Fi, Bluetooth, and location services like GPS. This integration allows for efficient and high-performance location tracking and navigation on devices powered by the Snapdragon 8 Gen 3.

Vulnerability details: Cryptographic issue occurs due to use of insecure connection method while downloading.

Vulnerability Type: CWE-287 Improper Authentication

Official announcement: Please see the link for details –

https://docs.qualcomm.com/product/publicresources/securitybulletin/july-2025-bulletin.html

Cell Phone (iPhone, Android, windows mobile), Network (Protocol, Topology & Standard), Potential Risk of CVE

CVE-2025-44952: About Open5GS (19-6-2025)

Leave a comment

Preface: Open5GS is a popular open-source 5G core network (5GC) implementation, particularly among researchers and those building private 5G networks. It’s recognized as one of the leading open-source 5GC projects. Open5GS is known for its adherence to 3GPP standards and its mature development, making it suitable for various applications like testbeds, research, and even some deployments

Background: The PFCP library refers to a software component, often implemented in programming languages like Go, designed to support the Packet Forwarding Control Protocol (PFCP). PFCP is a signaling protocol used in mobile core networks, particularly in the context of Control and User Plane Separation (CUPS) within 4G and 5G architectures. It enables communication between control plane elements (like the Session Management Function or SMF) and user plane elements (like the User Plane Function or UPF). PFCP is used by network equipment (like 5G base stations and core network elements) to manage data forwarding.

Vulnerability details: A missing length check in `ogs_pfcp_subnet_add` function from PFCP library, used by both smf and upf in open5gs 2.7.2 and earlier, allows a local attacker to cause a Buffer Overflow by changing the `session.dnn` field with a value with length greater than 101.

Comment: The developer added the strcpy block as a new logic to handle the DNN field. If the patch doesn’t include bounds checking, it introduces a new vulnerability.

Suggestion: the strcpy should be replaced with a safe alternative.

Official announcement: Please refer to the supplier announcement –

https://nvd.nist.gov/vuln/detail/CVE-2025-44952

AI and ML, Cell Phone (iPhone, Android, windows mobile), IoT, Potential Risk of CVE

CVE-2025-2884 – Design weakness in the Trusted Platform Module (TPM) 2.0 reference implementation code. (11th June 2025)

Leave a comment

Preface: The main difference between AMD’s Trusted Platform Module (TPM) and those from other manufacturers , how it’s implemented: AMD offers a firmware TPM (fTPM), while many other manufacturers, including Intel, also offer a dedicated hardware TPM (dTPM).

Background: TPM refers to a Trusted Platform Module, which is a specialized chip that securely stores cryptographic keys used for encryption and decryption, enhancing overall system security. AMD’s approach often involves Firmware TPM (fTPM), also known as Intel’s Platform Trust Technology (PTT), which implements TPM functionality within the system’s firmware rather than using a dedicated physical chip.

The AMD Ryzen Embedded 7000 series processors indeed integrate advanced security features, including:

  • AMD Secure Processor (ASP): A dedicated security co-processor embedded directly into the CPU die.
  • Firmware TPM (fTPM): Implemented in firmware and runs on the ASP.
  • Microsoft Pluton: A hardware-based security processor integrated into the silicon, designed to work alongside ASP and fTPM for enhanced protection.

Ref: The most common TPM is the TPM function supported by the Trusted Execution Environment (TEE) of Intel Core i series or AMD Ryzen series CPU in the motherboard UEFI firmware. fTPM can be used in all processors after Intel Broadwell (5th generation) and AMD Ryzen series. This is the most common method because you can easily use the TPM function without purchasing a separate module.

Vulnerability details: An out-of-bounds read vulnerability exists in TPM2.0’s Module Library allowing a read past the end of a TPM2.0 routine as described above. An attacker who can successfully exploit this vulnerability can read sensitive data stored in the TPM and/or impact the availability of the TPM.

Official announcement: Please see the link for details – https://www.amd.com/en/resources/product-security/bulletin/amd-sb-4011.html