Category Archives: Cell Phone (iPhone, Android, windows mobile)

CVE-2026-25268: Stack-based Buffer Overflow in WLAN Host  (8th Jul 2026)

Preface: The vulnerability’s entry point: The memory corruption in the Qualcomm driver is not caused by parsing Radiotap, but rather by the driver parsing invalid HT40 channel layout elements (HT Capabilities / HT Operation IEs) carried in 802.11 management frames (such as Beacon, Probe Response, or Channel Switch Announcement) sent from the remote base station (AP).

Background: The qcacld (Qualcomm Atheros Closed Source / Prima WLAN Driver) is exactly the WLAN host driver for Qualcomm-based wireless chips. It runs on the main operating system and manages the Wi-Fi hardware, translating between the OS network stack and the firmware on the wireless module.

The qcacld (specifically qcacld-2.0 or qcacld-3.0) codebase handles everything related to wireless connections, including supplicant communication, 802.11 association, and radio management. It works alongside the chip-specific firmware (e.g., WCNSS) and hardware configuration files (like qca_cld/WCNSS_qcom_cfg[.]ini) to ensure proper Wi-Fi and Bluetooth coexistence.

Vulnerability details: CVE-2026-25268 is a memory corruption vulnerability (stack-based buffer overflow) affecting WLAN host drivers. It is triggered during dynamic channel switching operations when the system improperly processes invalid HT40 (High Throughput 40MHz) channel layouts.

Core Technical Details

  • CWE Identifier: CWE-119 (Memory Corruption / Buffer Overflow)
  • CVSS Severity: High (8.8)
  • Vector: Local network
  • Impact: Allows for the corruption of memory, which can lead to application crashes, system instability, or potential arbitrary code execution.

Affected Systems

This flaw specifically impacts Wi-Fi/WLAN host driver components and has been documented in major hardware vendors such as Qualcomm.

Mitigation

Because this flaw is usually tied to vendor-specific firmware or driver code, the primary path to remediation involves patching your wireless infrastructure or devices.

  1. Apply Manufacturer Updates: Monitor your vendor’s security bulletins for firmware upgrades that address this issue.
  2. Consult Vendor Advisories: Review the relevant official updates, such as the Qualcomm Security Bulletin, to identify the specific patched driver versions for your affected hardware.
  3. Network Isolation: Until patches can be deployed, consider isolating potentially vulnerable wireless devices from critical network segments to limit your attack surface.

Official announcement: Please refer to the link for details – https://docs.qualcomm.com/product/publicresources/securitybulletin/july-2026-bulletin.html

CVE-2025-48595 – Integer Overflow (CWE-190) in the Android Framework, affecting API and system services. (9th June 2026)

Preface: The “2025” in the CVE ID means the vulnerability was first discovered, reported, or reserved in 2025. Why Critical Vulnerabilities “Stay Silent”? If a zero-day is announced before a patch exists, every hacker in the world learns exactly how to exploit millions of devices. Keeping it confidential gives engineers time to build and test a fix. Companies like Google typically get 90 days from private discovery to patch a flaw. If a flaw is highly complex or found late in 2025, the timeline naturally pushes the patch and public announcement into 2026.

Background: To understand how the Android Java API framework abstracts low-level Linux kernel operations without manually tracking byte allocation, you need to use Java Native Interface (JNI) or Foreign Function & Memory API (Project Panama) to wrap native file systems and system calls (like open, read, ioctl, or tracking /proc/ entries) into high-level Java objects.

In the Android Java API framework, graphical and shared hardware memory allocation is managed via subsystems like android.hardware or android.graphics. While the framework defines dimensions in Java objects, it relies on underlying native Linux kernel layers (like ION or DMA-BUF) for physical memory mapping, creating critical dependency boundaries.

The Vulnerable Mechanism (see diagram – point 2)

The emulated code snippet (AndroidHardwareBufferEmulation) captures the exact boundary risk:

•               Java-to-Native Delegation: Java code frequently acts as a controller that forwards sizing metrics (width, height, formatFlags) down to underlying native C++ buffers (like /dev/ion or dma_buf).

•               Trusting Input Sizing: If the Java side does not perform strict bounds checking on these dimensions before asking the native layer to handle them, it sets the stage for an exploit.

Vulnerability details: In multiple locations, there is a possible way to achieve code execution due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2025-48595

Recommended Actions – Update Android Devices: Immediately check for and install the June 2026 Android security patch level (2026-06-01 or 2026-06-05) via Settings > System > System update.

Security Focus : MacOS Tahoe versions 26.1 and 26.2: About spanning sandbox escapes (BackBoardServices)  – 8th June 2026

Preface: MacOS Tahoe (version 26, specifically updates 26.1 and 26.2 released in late 2025) is designed for a broad range of Apple Silicon and select Intel-based Mac computers. Key Supported Apple Products (as of late 2025/early 2026) includes MacBook Neo (2026), MacBook Air, MacBook Pro, iMac: 2020 and later models, Mac mini 2020 and later models, Mac Studio 2022 and later models, Mac Pro 2019 and later models. However, on June 2, 2026, Apple released an update; it is version 26.5.1 (25F80).

Background: There is no public code for processing BackBoardServices within an App Sandbox. BackBoardServices is a private, internal Apple framework (like SpringBoard) primarily used for system-level daemon communication (e.g., backboardd). Sandboxed apps are explicitly denied access to these services due to security and privacy restrictions.

Attempting to call these private methods will result in immediate Sandbox: deny(1) errors in your Console logs. While accessing BackBoardServices is not feasible for standard applications, developers typically utilize the Objective-C runtime and XPC to interact with it for jailbreak tweaks or security research.

Ref: BackBoardServices is an internal Apple framework responsible for handling low-level hardware input events (such as touches, clicks, and device orientation) and managing system power. It requires a sandbox in macOS for two primary reasons: privilege isolation and user privacy protection.

Technical details: Based on the information provided regarding the macOS Tahoe 26.5.1 (25F80) release on June 2, 2026, it is not uncommon for minor revision updates (dot-dot releases) to be released without dedicated CVE entries if they contain only stability improvements, bug fixes, or non-security-related code changes.

Apple has addressed critical BackBoardServices spanning sandbox escapes in older, supported iterations of Tahoe (such as 26.1 and 26.2). Sandbox escape found. It allow unauthorized applications to bypass Apple’s security sandbox, potentially gaining access to sensitive user data or system resources.

Remedy: If you are using devices running 26.1 or 26.2, it is highly recommended to update to the latest available version (26.5.1) to secure these vulnerabilities.

MacOS Tahoe 26.5.1 (Build 25F80) update on 2nd June 2026. The walled garden tells you something. (5th June 2026)

Preface: Apple does not officially describe itself as a “walled garden.” Instead, that term is used by analysts, journalists, and critics to describe Apple’s tightly controlled ecosystem, where hardware, software, and services are designed to work together exclusively.

Background: Why Network Extensions Crashed M5 Macs?

This internal memory filtering is precisely why traditional network content filters caused M5 Macs to crash prior to the macOS Tahoe 26.5.1 update.

Network filtering apps monitor deep kernel-level web traffic, meaning they constantly look at low-level system memory. Older iterations of these network extensions were attempting to read raw packet data in unified memory using pointers that lacked the strict, hardware-enforced M5 cryptographic tags. The M5 chip assumed a cyberattack was underway and instantly shut the entire computer down to maintain total data confidentiality.

How MIE Filters Memory Inside the M5 Silicon

Traditional operating systems rely entirely on software code to ensure one app does not touch another app’s memory data. MIE shifts this burden entirely to physical chip components. It is built upon ARM’s Enhanced Memory Tagging Extension (EMTE) operating in a strict, performance-optimized “synchronous mode”.

Information Details: The macOS Tahoe 26.5.1 (Build 25F80) update, released on June 2, 2026, focuses on enterprise fixes rather than (published) CVE security vulnerabilities. It resolves an issue causing unexpected shutdowns on M5 Macs when utilizing specific content-filtering network extensions.

Details of the 26.5.1 (25F80) Update:

  • Release Date: June 2, 2026
  • Published CVEs: None

Primary Fix: Addressed a critical issue for enterprise users where Macs featuring the M5 chip would abruptly shut down when handling certain content-filtering network extensions.

Ref: The macOS Tahoe 26.5.1 (Build 25F80) update, released on June 2, 2026, focuses on enterprise fixes rather than (published) CVE security vulnerabilities.

About other updates coming at the same time: macOS 26.5.1: Build 25F80 iOS 26.5.1 / iPadOS 26.5.1: Build 23F81

End of article.

CVE-2026-28972: A true kernel dangling pointer or out-of-bounds write typically arises from logic flaws within the kernel’s own resource management subsystems. (25th May 2026)

Preface: In iOS, the microkernel component (Mach) does not communicate with user space from a separate address space. Instead, it communicates directly within a unified kernel space alongside monolithic components, bypassing the traditional performance costs of a pure microkernel.

While iOS runs on an ARM-based architecture (Apple Silicon), its operating system core, XNU (“X is Not Unix”), is a hybrid kernel. It integrates the Mach microkernel with a monolithic BSD layer and the I/O Kitdriver framework into a single, highly privileged address space. 

Background: If a specific, complex code path inside a kernel subsystem utilizes an object but contains a logic error that forgets to call the appropriate reference increment function (e.g., ipc_port_reference()), the reference count drops to zero prematurely when another thread requests a deletion.

The Result: The kernel safely deletes the object according to its counters, but the flawed subsystem still holds a raw C pointer to that memory address. When the subsystem eventually attempts to write data to that pointer, it performs an out-of-bounds write into memory that may now contain entirely different data.

Vulnerability details: An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. An app may be able to cause unexpected system termination or write kernel memory.

Official announcement: Please refer to the link for details – https://www.cve.org/CVERecord?id=CVE-2026-28972

CVE-2026-46300 (Fragnesia) is a Linux kernel privilege escalation in the XFRM ESP-in-TCP subsystem. Does it affect GX-grade supercomputers? (18th May 2026)

Preface: If BlueField DPU supports configuring IPsec rules using strongSwan 5.9.0bf, does it use kernel IPsec in ARM?

Yes, when using strongSwan 5.9.0bf on the BlueField DPU, it utilizes the Linux kernel IPsec stack (xfrm) running on the ARM cores to manage and configure security associations, which can then be offloaded to the hardware acceleration engines.

Background: The only scenario where a GPU or advanced SoC interacts with the Linux kernel’s XFRM subsystem is during IPsec Network Offloading (SmartNICs / DPUs).

If an enterprise SoC or Data Processing Unit (like an NVIDIA BlueField DPU) handles high-speed network traffic, the Linux XFRM subsystem can act as a control plane. It passes the encryption policies (SAs and SPIs) down to the chip’s network engine so that standard internet IPsec traffic can be encrypted at wire speed directly on the network interface card (NIC) hardware rather than taxing the main host CPU.

Vulnerability details: Fragnesia is a Linux local privilege escalation vulnerability that is a member of the Dirty Frag vulnerability class.

Are there any remedies available for CVE-2026-46300?

Patch Your Kernel:

Update your Linux kernel immediately. Patches were released by major distributions (AlmaLinux, Ubuntu, Red Hat, Debian, Amazon Linux) around May 14-16, 2026.

Apply Temporary Mitigation (If Patching is Delayed): Disable the vulnerable modules (esp4, esp6, and rxrpc) to block the exploit.Run: sudo rmmod esp4 esp6 rxrpcCreate blacklist file: echo -e “install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false” | sudo tee /etc/modprobe[.]d/fragnesia[.]conf

Clear Page Cache: If you suspect a machine was targeted before patching, run sync; echo 3 | sudo tee /proc/sys/vm/drop_caches to evict potentially corrupted cached pages.

Official announcement: Please refer to the link for details – https://github.com/v12-security/pocs/tree/main/fragnesia

CVE-2026-43284: Dirty Frag tricks the IPsec/TCP stack into doing the “dirty work”(13th May 2026)

Preface: The “Dirty Frag” attack chains two separate flaws in the Linux kernel’s networking stack: one in the ESP(Encapsulating Security Payload) protocol used by IPsec and another in the RxRPC protocol used for the AFS distributed file system. If you do not use IPsec, disabling its modules removes one of the major attack paths.

Background: The “Dirty Frag” vulnerability is deemed difficult to patch immediately due to its exploitation of a long-standing core Linux kernel optimization, which initially lacked official, widespread patches upon disclosure. While disabling ESP modules helps, effective mitigation requires blacklisting both ESP and RxRPC modules, or patching the kernel directly.

How to mitigate vulnerabilities:

Step 1:Block the ESP and RxRPC modules: Create a configuration file (e.g., /etc/modprobe.d/dirtyfrag.conf) to ensure the modules cannot be auto-loaded by an exploit:

bash

install esp4 /bin/false
install esp6 /bin/false
install rxrpc /bin/false

Step 2:Unload current modules: Remove the modules if they are currently active in memory:

bash

sudo modprobe -r esp4 esp6 rxrpc
 

Step 3:Clear the Page Cache: The exploit works by corrupting the page cache. After applying the blocks, clear the cache to ensure no malicious changes persist in RAM:

bash

sudo sync && echo 3 | sudo tee /proc/sys/vm/drop_caches
 

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2026-43284

How can Apple meet requirements for lawful key escrow similar to those in Canada’s C-22 Act? (12th May 2026)

Preface: Can we say that Apple’s iPhone is the most secure smartphone in the world? Yes, the Apple iPhone is widely considered the most secure mainstream smartphone for general users, largely due to its “walled garden” approach.

Background: As of May 2026, Canada’s proposed Bill C-22, the Lawful Access Act (2026), is currently being debated in the House of Commons. Apple Inc. has formally opposed the legislation, warning that it could legally compel the company to weaken encryption on its devices and build “backdoors” for government surveillance.

Point of view: Why the “Standard Procedure” Fails for Escrow?

The code provided (see attached diagram) is designed for user-controlled security, which is functionally opposite to government-authorized access:

  • Hardware Isolation: Refer to code, the private key is generated inside the Secure Enclave and never leaves it. It is physically impossible to “escrow” (copy and store elsewhere) a private key generated this way.
  • The “Encrypted Blob” Problem: Step 4 of code (privateKey.dataRepresentation) creates an encrypted reference to the key, not the key itself. This blob can only be decrypted by the same Secure Enclave that created it. To “escrow” this for the Canadian government, Apple would need to fundamentally redesign the SEP to allow external decryption—creating the very “systemic vulnerability” they are currently fighting in the House of Commons.

Headline news: Please refer to the link for details – https://www.cbc.ca/news/politics/apple-argues-liberals-lawful-access-bill-could-put-users-personal-data-at-risk-9.7190092

The “ghost data” issue has been fixed in iOS 18.7.8 and iPadOS 18.7.8, as well as iOS 26.4.2 and iPadOS 26.4.2 on 24th Apr 2026. Did you receive same update alert again on 1st of May 2026? (2nd May 2026)

Preface: My iPhone 15 pushed the iOS 26.4.2 update again on May 2, 2026. I think even if you installed it around April 24—is likely because Apple released a revised build of that same update to address continued issues, or my device failed to properly register the previous installation due to the emergency nature of the patch.

Background: Why I received the update again on 1st May 2026. The NVD’s last modified date is shown as April 29, 2026. Therefore, this is one of the reasons why I need to perform the analysis again. Why update again? Similar to previous scenarios in 2023, Apple often re-issues critical patches if the first version did not fully resolve the issue, was causing compatibility problems, or if new information about the vulnerability arose.

My observation: The April 29 update reinforces why your switch to PRAGMA secure_delete = ON; is the right move. The official fix description—”improved data redaction”—aligns with the behavior of secure_delete, which physically overwrites data to ensure it cannot be recovered via forensic tools.

By using the PRAGMA, you are implementing at the application level what Apple has now implemented at the OS level: ensuring that when a record is “deleted,” its physical remnants are immediately destroyed.

The following URL is the analysis report I published on April 24, 2026 – http://www.antihackingonline.com/cell-phone-iphone-android-windows-mobile/the-ghost-data-issue-has-been-fixed-in-ios-18-7-8-and-ipados-18-7-8-as-well-as-ios-26-4-2-and-ipados-26-4-2-24th-apr-2026/

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2026-28950

Closer Look – SIM-Farm-as-a-Service (28th Apr 2026)

Preface: A SIM box (or SIM bank) is a hardware device that houses multiple SIM cards simultaneously to facilitate VoIP-to-GSM call termination. It reroutes international VoIP calls to appear as local calls by using local prepaid SIM cards, allowing operators to bypass high international tariffs and exploit low local call rates. It is primarily used for, but not limited to, fraudulent bypass.

Background: Why SIM-Farm-as-a-Service (SFaaS) is a Major Security Concern

Industrial-Scale Fraud: It enables the mass creation of fake accounts for social media, messaging apps, and banking by bypassing SMS-based one-time password (OTP) verification.

Evading Detection: By using local SIM cards, scammers can disguise international phishing attempts as local calls or texts, making them harder for users and automated systems to detect.

Critical Infrastructure Risk: Massive setups, like the one dismantled by the US Secret Service in late 2025, have the capacity to overload cellular networks, potentially jamming emergency services.

Legal Gray Areas: While the hardware itself is often legal for testing purposes, its application in SFaaS models has prompted governments, notably the UK government, to pursue bans on the “possession and supply” of SIM farm equipment.

Security focus: The recent spotlight on SIM-Farm-as-a-Service in April 2026 stems from a major investigation by the cybersecurity firm Infrawatch. Please refer to the link for referene.

https://www.techradar.com/pro/sim-farm-as-a-service-how-a-belarus-based-network-hijacked-uk-and-us-telcos-to-enable-global-fraud