Published: 2025-11-21

Preface: The “mach kernel” in iOS refers to the **Mach kernel component of the XNU hybrid kernel, which is the core of Apple’s iOS operating system. XNU is a hybrid kernel that merges the Mach microkernel with components from the BSD Unix system to create a single, cohesive kernel that runs iOS and other Apple operating systems like macOS. This kernel architecture applies to all current iOS versions and will continue to be used in future versions running on Apple Silicon.

Background: In Apple platforms, the thread_amount function calls task_threads (via Mach kernel APIs) which allocates memory for the thread list. iOS uses a hybrid kernel called XNU, which is an acronym for “X is Not Unix”. This kernel combines components of the Mach microkernel and the FreeBSD Unix kernel to form the core of Apple’s Darwin operating system, which underpins iOS, macOS, watchOS, and other Apple platforms.

Vulnerability details: thread-amount is a tool that gets the amount of threads in the current process. Prior to version 0.2.2, there are resource leaks when querying thread counts on Windows and Apple platforms. In Windows platforms, the thread_amount function calls CreateToolhelp32Snapshot but fails to close the returned HANDLE using CloseHandle. Repeated calls to this function will cause the handle count of the process to grow indefinitely, eventually leading to system instability or process termination when the handle limit is reached. In Apple platforms, the thread_amount function calls task_threads (via Mach kernel APIs) which allocates memory for the thread list. The function fails to deallocate this memory using vm_deallocate. Repeated calls will result in a steady memory leak, eventually causing the process to be killed by the OOM (Out of Memory) killer. This issue has been patched in version 0.2.2.

Official announcement: Please refer to the link for details –

https://www.tenable.com/cve/CVE-2025-65947

Preface: PLMNs are public networks, while private networks (NPNs) serve specific users (such as enterprises). SNPNs (Standalone NPNs) are completely independent, dedicated networks that do not rely on the functionality of public PLMNs.

Background: “Qualcomm Multi-Mode Call Processor” is a component of their Modem-RF system, which is a comprehensive 5G module-RF system designed to provide multi-band, multi-mode connectivity for various devices. These integrated solutions combine the cellular modem, RF transceiver, and RF front-end components to enable 5G, 4G LTE, and legacy cellular network support in a single, cohesive platform.

Each PLMN is identified by a PLMN ID, which includes a country code and mobile network code. The UE uses this ID to distinguish between different PLMNs.

Vulnerability details:

Title – Improper Validation of Array Index in Multi-Mode Call Processor

Description – Memory corruption while selecting the PLMN from SOR failed list.

Vulnerability Type – CWE-129 Improper Validation of Array Index

Official announcement: Please refer to the link for details –

https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2025-bulletin.html

Best Practices

• Always validate array indices before access.
• Use safer memory functions or wrappers that include bounds checking.
• Monitor heap usage and implement memory pressure handling routines.

NVD Published Date: 08/29/2025

NVD Last Modified: 08/29/2025

Preface: If access to an exported Service is not restricted, any application may start and bind to the Service. Depending on the exposed functionality, this may allow a malicious application to perform unauthorized actions, gain access to sensitive information, or corrupt the internal state of the application.

Background: In the AndroidManifest.xml, components can declare the android:exported attribute. If this attribute is set to true (or implicitly true in older Android versions or without explicit declaration for components with intent filters), it allows other applications to launch or interact with that component. If this is not properly restricted, it can become a vulnerability.

Vulnerability details: See below –

CVE-2025-9671 (CVSS 5.3) UAB Paytend App (≤ 2.1.9)   

– Improper export of components via AndroidManifest.xml.

– Exploitable locally

– CWE-926

CVE-2025-9672 (CVSS 5.3)Rejseplanen App (≤ 8.2.2)

-Local attack exploiting exported components.     

-CWE-926

CVE-2025-9673 (CVSS 5.3) Kakao Hey Kakao App (≤ 2.17.4)

– Local manipulation of manifest leads to exposed components.

-CWE-926

CVE-2025-9674 (CVSS 5.3) Transbyte Scooper News App (≤ 1.2)

-Manifest misconfiguration allows component export.

-CWE-926

CVE-2025-9675 (CVSS 5.3) Voice Changer App (≤ 1.1.0)

-Local exploit due to improperly exported components.

-CWE-926

Official announcement: Please see the link for details

https://nvd.nist.gov/vuln/detail/CVE-2025-9671

https://nvd.nist.gov/vuln/detail/CVE-2025-9672

https://nvd.nist.gov/vuln/detail/CVE-2025-9673

https://nvd.nist.gov/vuln/detail/CVE-2025-9674

https://nvd.nist.gov/vuln/detail/CVE-2025-9675

Preface: PowerVR is a brand of graphics processing unit (GPU) IP ( intellectual property) developed by Imagination Technologies. In the context of Android, PowerVR GPUs are integrated into mobile System-on-Chips (SoCs) by various manufacturers, providing the graphics processing capabilities for Android devices. It’s a key competitor to Adreno (Qualcomm) and Mali (Arm) GPUs in the Android market.

Background: The Android SDK and Imagination’s PowerVR DDK are both software development kits, but they serve different purposes. The Android SDK is a comprehensive set of tools for developing Android applications, while the PowerVR DDK is a specialized kit for optimizing and integrating graphics rendering with Imagination Technologies’ PowerVR GPUs.

A DDK is a set of tools and libraries provided by an operating system vendor to facilitate the development of device drivers and kernel modules. Kernel modules are pieces of code that can be loaded into the operating system kernel at runtime, extending its functionality without requiring a full system reboot. This is common in Linux and Android kernel development.

The PowerVR DDK (Driver Development Kit) Native Lib C Framework refers to the foundational libraries and tools provided by Imagination Technologies to facilitate the development of graphics applications and drivers for systems utilizing PowerVR GPUs.

Vulnerability details: Kernel software installed and running inside an untrusted/rich execution environment (REE) could leak information from the trusted execution environment (TEE).

• The scratch buffer (pui8FWScratchBuf) is used by the GPU firmware for temporary data.
• If this buffer is mapped or accessible from REE, malicious or compromised kernel software could read or overwrite data that should be protected within the TEE.

Official announcement: Please refer to the link for details

https://nvd.nist.gov/vuln/detail/CVE-2025-6573

Preface: The Valhall family of Mali GPUs uses the same top-level architecture as the previous generation Bifrost GPUs. The Valhall family uses a unified shader core architecture.

The Arm 5th generation GPU architecture, including the Immortalis and Mali GPUs, represents a modern design for mobile and other client devices.

Background: ioctl (Input/Output Control) is the primary syscall used by userspace GPU drivers to communicate with the kernel-space driver. It allows sending custom commands and structured data to the driver.

Typical ioctl operations in Mali drivers include:

• MALI_IOCTL_ALLOC_MEM: Allocate GPU-accessible memory
• MALI_IOCTL_FREE_MEM: Free previously allocated memory
• MALI_IOCTL_SUBMIT_JOB: Submit a GPU job (e.g., shader execution)
• MALI_IOCTL_WAIT_JOB: Wait for job completion
• MALI_IOCTL_MAP_MEM: Map memory to userspace

The path bifrost-drivers/driver/product/kernel/drivers/gpu/arm indicates that the code within this directory is part of the kernel-space drivers for Arm Mali Bifrost GPUs.

Vulnerability details: Use After Free vulnerability in Arm Ltd Bifrost GPU Userspace Driver, Arm Ltd Valhall GPU Userspace Driver, Arm Ltd Arm 5th Gen GPU Architecture Userspace Driver allows a non-privileged user process to perform valid GPU processing operations, including via WebGL or WebGPU, to gain access to already freed memory.

Scope of impact: This issue affects Bifrost GPU Userspace Driver: from r48p0 through r49p3, from r50p0 through r51p0; Valhall GPU Userspace Driver: from r48p0 through r49p3, from r50p0 through r54p0; Arm 5th Gen GPU Architecture Userspace Driver: from r48p0 through r49p3, from r50p0 through r54p0.

Official announcement: Please see the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2025-0932

https://developer.arm.com/documentation/110626/latest

Ref: Typo, attached code is free after use, is part of the remedy. The use after free not shown.

Preface: In essence, built-in browsers are not just about browsing; they are about maintaining control over the core functionality and user experience of the operating system.

Background: Safari and Edge, while built-in, utilize rendering engines derived from the KHTML project, specifically WebKit and Blink, respectively. WebKit is used in Safari, and Blink, a fork of WebKit, powers the Chromium-based Edge. These engines are not just for browsing; they handle the visual rendering of web content within the browser.

In Safari and Edge, the rendering engines (WebKit for Safari and Chromium for Edge) initially interact with the networking component to fetch the necessary resources for a webpage. This workflow prioritizes efficient data retrieval, enabling the browser to display content to the user as quickly as possible.

Safari’s rendering engine, WebKit, is developed and maintained by Apple, according to Apple. WebKit is an open-source project that was originally forked from KDE’s KHTML and KJS engines. Safari is a web browser developed by Apple and is the default browser on macOS, iOS, iPadOS, and visionOS.

Vulnerability details: An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in macOS Sequoia 15.6, iPadOS 17.7.9, iOS 18.6 and iPadOS 18.6, tvOS 18.6, macOS Sonoma 14.7.7, watchOS 11.6, visionOS 2.6, macOS Ventura 13.7.7. Processing maliciously crafted web content may lead to an unexpected Safari crash.

Ref: Out-of-Bounds Read (e.g., CVE-2025-43209)

-Reads memory outside the allocated buffer.

-Can leak: Pointers (used to bypass ASLR) or Object metadata (used for type confusion).

-Often used as a first stage in a multi-step exploit.

Official announcement: Please refer to the link for details https://nvd.nist.gov/vuln/detail/CVE-2025-43209