Category Archives: Cell Phone (iPhone, Android, windows mobile)

CVE-2024-49835 – Out-of-bounds Write in SPS Applications (8th May 2025)

Preface: Semi-Persistent Scheduling (SPS) is used in LTE and 5G networks to reduce control channel overhead for applications requiring persistent radio resource allocations, such as VoIP and VoLTE . The memory usage for SPS on Android devices can vary based on several factors, including the specific implementation and the network conditions.

A method and apparatus for determining validity of a semi-persistent scheduling (SPS) resource across multiple cells in a wireless communication system is provided. A user equipment (UE) receives a SPS resource configuration including time information related to validity of the SPS resource configuration from a network, and determines whether the SPS resource configuration is valid or not according to the time information.

Background: Semi-Persistent Scheduling (SPS) Workflow

  1. The RF module in the Snapdragon chip receives the SPS resource configuration from the network. This configuration includes time information related to the validity of the SPS resource.
  2. The Physical Layer (PHY) processes the received configuration to determine its validity based on the time information provided.
  3. If the configuration is valid, the Medium Access Control (MAC) layer handles the allocation of radio resources for multiple consecutive Transmission Time Intervals (TTIs). This reduces the need for frequent scheduling decisions and signaling overhead.
  4. The MAC layer coordinates with the Radio Link Control (RLC) layer to manage data transmission using the allocated resources. The RLC layer ensures data integrity and proper sequencing.
  5. The Digital Signal Processor (DSP) and Application Processor within the Snapdragon chip are responsible for executing the scheduling algorithms and managing the data flow.The configuration and scheduling information are stored in the shared memory accessible by both the DSP and the application processor.

Vulnerability details: Out-of-bounds Write in SPS Applications. Memory corruption while reading secure file. This is a type of memory access error that occurs when a program writes data from a memory address outside of the bounds of a buffer. This can result in the program writing data that does not belong to it, which can cause crashes, incorrect behavior, or even security vulnerabilities.

Official announcement: For details, please refer to the link –https://nvd.nist.gov/vuln/detail/cve-2024-49835

Mali GPU Driver Security Bulletin: CVE-2025-0427

(7th May 2025)

Last updated: 2 May 2025 (official)

Preface: An ioctl interface is a single system call by which userspace may communicate with device drivers. Requests on a device driver are vectored with respect to this ioctl system call, typically by a handle to the device and a request number.

Background: The Arm Mali GPU, when installed on an Android phone, works alongside the CPU rather than replacing it. The Mali GPU is specifically designed for handling graphics processing tasks, such as rendering images, animations, and videos, which helps to offload these tasks from the CPU. This allows the CPU to focus on other computational tasks, improving overall device performance and efficiency.

The Mali GPU itself does not have an embedded CPU; it is a separate component that works in conjunction with the device’s main CPU. This collaboration between the GPU and CPU ensures that graphics-intensive applications, like games and videos, run smoothly while maintaining efficient power usage.

Vulnerability details: Use After Free vulnerability in Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user process to perform valid GPU processing operations to gain access to already freed memory.

Impact: This issue affects Bifrost GPU Kernel Driver: from r8p0 through r49p3, from r50p0 through r51p0; Valhall GPU Kernel Driver: from r19p0 through r49p3, from r50p0 through r53p0; Arm 5th Gen GPU Architecture Kernel Driver: from r41p0 through r49p3, from r50p0 through r53p0.

Official announcement: Please see the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2025-0427

https://developer.arm.com/documentation/110465/latest

CVE-2024-49739 – GPU DDK misuse ptrace system call (6th May 2025)

Official release posted: 2nd May 2025

Since the manufacturer did not provide a detailed description, is the situation discovered by the manufacturer similar to this article details?

Preface:

Nvidia is a major player in the GPU market, known for its high-performance graphics cards used in gaming, professional visualization, data centers, and AI applications.

Imagination Technologies specializes in providing GPU processor solutions for graphics and AI vision applications. They focus on mobile devices, automotive, and embedded systems.

Background: All PowerVR GPUs are based on unique Tile Based Deferred Rendering (TBDR) architecture; the only true deferred rendering GPU architecture in the world.  True deferred rendering GPU architecture, specifically Tile-Based Deferred Rendering (TBDR), is a unique approach used by PowerVR GPUs.

Tile-Based Deferred Rendering (TBDR)

– Tile-Based Rendering: The screen is divided into small tiles, and each tile is processed individually. This allows the GPU to store data like color and depth buffers in internal memory, reducing the need for frequent access to system memory. This results in lower energy consumption and higher performance.

– Deferred Rendering: This technique defers texturing and shading operations until the visibility of each pixel in the tile is determined. Only the pixels that will be visible to the user consume processing resources, which enhances efficiency.

Vulnerability details: Software installed and run as a non-privileged user may conduct ptrace system calls to issue writes to GPU origin read only memory.

Resolution: The DDK Kernel module has been updated to address this  improper use of ptrace system call to prevent write requests to read-only memory.

Official announcement: Please see the link for details –

https://www.imaginationtech.com/gpu-driver-vulnerabilities

CVE-2024-45552 – Buffer Over-read in Data Network Stack & Connectivity  (30-04-2025)

NVD Published Date: 04/07/2025

NVD Last Modified: 04/07/2025

Preface: Real-time Transport Protocol (RTP) is a network protocol used for delivering audio and video data over the internet in real time. It is designed to provide reliable and efficient transmission of multimedia content, even in the presence of network congestion or packet loss.

Background: The Snapdragon 865 5G Mobile Platform is designed to handle various networking tasks, including RTCP (Real-Time Transport Control Protocol) packets. The rtcp_sender[.]cc driver, which is responsible for sending RTCP packets, is typically part of the software stack that runs on the device’s operating system rather than being embedded directly within the Snapdragon chipset itself

The Snapdragon 865 provides the necessary hardware support and interfaces for the operating system to manage network communications efficiently . The actual implementation of RTCP handling, including the rtcp_sender[.]cc driver, would be part of the software layer that interacts with the hardware.

Vulnerability details: Information disclosure may occur during a video call if a device resets due to a non-conforming RTCP packet that doesn’t adhere to RFC standards.

Official announcement: Please see the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-45552

CVE-2025-31201: about RPAC – Reconfigurable Processing Architecture Core – iPhone XS and later (28-4-2025)

Official Released April 16, 2025

Preface: The Reconfigurable Processing Architecture Core (RPAC) in Apple iOS is a component found in newer Apple Silicon chips. Its major function is to enhance the security and performance of the system by providing a flexible and efficient processing architecture. RPAC is designed to support various computational tasks and can be dynamically reconfigured to optimize performance for different applications.

Background: Arbitrary read and write refer to the ability of an attacker to read from or write to any memory location within a system.

Buffer overflows are a common cause of arbitrary read and write vulnerabilities, but in this CVE, the issue is related to how the RPAC component handles memory and security checks.

RPAC uses PAC to protect against memory corruption attacks. PAC works by cryptographically signing pointers, such as return addresses, to ensure they haven’t been tampered with. This helps prevent unauthorized modifications and ensures the integrity of memory operations.

RPAC performs various security checks to validate memory access and operations. These checks help detect and guard against unexpected changes to pointers and other critical data structures

Vulnerability details: An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS.

Official announcement: Please see the link for details – https://nvd.nist.gov/vuln/detail/CVE-2025-31201

CVE-2024-53025: Transient DOS can occur while processing UCI command (24-03-2025)

NVD Published Date: 03/03/2025
NVD Last Modified: 03/06/2025

Preface: The OpenWrt Project is a Linux operating system targeting embedded devices. Instead of trying to create a single, static firmware, OpenWrt provides a fully writable filesystem with package management. This frees you from the application selection and configuration provided by the vendor and allows you to customize the device through the use of packages to suit any application. For developers, OpenWrt is the framework to build an application without having to build a complete firmware around it.

Background: Qualcomm’s FastConnect™ 7900 is embedded in the Snapdragon 8 Gen 3. This connectivity system is AI-optimized and integrates Wi-Fi 7, Bluetooth, and Ultra Wideband (UWB) technologies, providing unparalleled performance across mobile, compute, and XR experiences. The Snapdragon 8 Gen 3 firmware integrates cutting-edge technologies such as generative AI, enhanced camera capabilities, console-defying mobile gaming, and studio-quality lossless audio.

Remark: The Snapdragon 8 Gen 3 platform includes embedded firmware.

Vulnerability details:  The Qualcomm UCI command can encounter wraparound in scenarios where an integer overflow occurs during calculations. This happens when the logic assumes that the resulting value will always be larger than the original value, leading to a transient denial of service (DOS) condition.

Ref: Due to the combination of the command injection in the openwrt/imagebuilder image and the truncated SHA-256 hash included in the build request hash, an attacker can pollute the legitimate image by providing a package list that causes the hash collision. The issue consists of two main components:

  1. Command Injection in Imagebuilder: During image builds, user-supplied package names are incorporated into make commands without proper sanitization. This allows malicious users to inject arbitrary commands into the build process, resulting in the production of malicious firmware images signed with the legitimate build key.
  2. Truncated SHA-256 Hash Collisions: The request hashing mechanism truncates SHA-256 hashes to only 12 characters. This significantly reduces entropy, making it feasible for an attacker to generate collisions. By exploiting this, a previously built malicious image can be served in place of a legitimate one, allowing the attacker to “poison” the artifact cache and deliver compromised images to unsuspecting users.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-53025

CVE-2025-24201: iOS, iPadOS, and macOS – WebKit Out-of-Bounds Write Vulnerability Security updates (20-03-2025)

NVD Published Date: 03/11/2025
NVD Last Modified: 03/14/2025

Preface: WebKit is a web browser engine used by Safari and other applications across various platforms like macOS, iOS, Linux, and Windows. It processes web content, including JavaScript, HTML, and CSS.

Background: The Web Content sandbox is a security feature within WebKit that isolates web content from the rest of the system. This means that any potentially harmful web content, such as malicious scripts, is contained within a restricted environment, preventing it from affecting other parts of the system. This sandboxing helps protect users from vulnerabilities and exploits that could arise from visiting compromised websites.

The Web Content sandbox in WebKit uses several shared libraries (.so files) to function properly. These libraries are essential for various operations within the sandboxed environment. Some common libraries that might be involved include:

  1. libwebkit2gtk-4.0.so: This is the main WebKit library for GTK-based applications.
  2. libjavascriptcoregtk-4.0.so: This library handles JavaScript execution within WebKit.
  3. libWPEWebKit.so: Used in WebKit for embedded systems.
  4. libWPEBackend-fdo-1.0.so: Provides backend functionality for WebKit on embedded system.

These libraries help ensure that web content is processed securely and efficiently within the sandbox.

Vulnerability details: An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in visionOS 2.3.2, iOS 18.3.2 and iPadOS 18.3.2, macOS Sequoia 15.3.2, Safari 18.3.1. Maliciously crafted web content may be able to break out of Web Content sandbox. This is a supplementary fix for an attack that was blocked in iOS 17.2. (Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.).

Official announcement: Please refer to the following link for details – https://nvd.nist.gov/vuln/detail/CVE-2025-24201

Arm CPU Security Update:  Training in Transient Execution Attacks (17th Mar 2025)

Initial release: August 8, 2023

Last updated: 14 Mar 2025

Preface: AMD’s Zen3 and Zen4 architectures are not directly related to ARM design, as they are based on AMD’s own x86-64 architecture. ARM is concerned about Training in Transient Execution (TTE) attacks because these attacks exploit vulnerabilities in speculative execution, which can affect ARM processors just as they do other architectures like x86.

Background: There are 2 phenomena that enable an unprivileged attacker to leak arbitrary information on AMD Zen3 and Zen4 CPU products.

  • Phantom speculation – Trigger misprediction without any branch at the source of the misprediction.
  • Training in Transient Execution – Potential manipulate future mispredictions through a previous misprediction that attacker trigger.

Here are some key reasons why ARM is worried about TTE attacks:

Microarchitectural Manipulation: TTE attacks involve manipulating microarchitectural buffers, such as the branch target buffer (BTB) and return stack buffer (RSB), during speculative execution. This manipulation can lead to mispredictions and create transient windows where sensitive data can be accessed.

Cross-Architecture Concerns: While ARM processors have different microarchitectural designs compared to x86 processors, the fundamental principles of speculative execution and transient execution attacks apply across architectures. This means ARM needs to address these vulnerabilities to ensure the security of their processors.

Security Implications: Successful TTE attacks can bypass existing security mitigations and leak sensitive information, posing a significant threat to the security of ARM-based systems.

Official announcement: For details, please refer to the link – https://developer.arm.com/documentation/110363/1-0/?lang=en

CVE-2025-22412: Fix more memory-unsafe logging (10th Mar 2025)

Preface: In smartphones, the System on Chip (SoC), such as those made by Qualcomm, integrates various components including the CPU, GPU, and memory. The embedded OS and applications run on this SoC, utilizing its built-in memory (RAM) for processing tasks.
The flash storage (often referred to as flashdisk) in smartphones is primarily used for storing persistent data like images, documents, apps, and the operating system itself. This storage is separate from the RAM used by the CPU and GPU for active processing
 
Background: Logging in Android does consume memory and can affect the OS memory resources. When you create logs, they are stored in memory, which can lead to increased memory usage. This can impact the performance of your application and the overall system, especially if there are a lot of log entries being generated.
 
Vulnerability details: In various locations around the stack, log statements use structures that may, in exceptional cases, have been freed by preceding calls.  This can lead to use after free and potentially to security vulnerabilities.
 
Ref: p_buf is a pointer to a buffer structure. If a buffer overflow in p_buf can potentially lead to a use-after-free vulnerability.
 
Official announcement: Please refer to the link for details – https://android.googlesource.com/platform/packages/modules/Bluetooth/+/806774b1cf641e0c0e7df8024e327febf23d7d7c

CVE-2025-22413: (ANDROID (KVM (arm64)) Don’t run a protected VCPU if it isn’t runnable! (5 March 2025)

Preface: The protected Kernel-based Virtual Machine (pKVM) is an advanced virtualization technology built on top of the Linux Kernel-based Virtual Machine (KVM). It is designed to enhance security and isolation for virtual machines (VMs) running on Android devices.

Key points about pKVM:

Enhanced Security: pKVM restricts access to the payloads running in guest VMs marked as ‘protected’ at the time of creation. This ensures that even if the host Android system is compromised, the guest VMs remain secure.

Isolation: It provides strong confidentiality and integrity guarantees by isolating memory and devices into individual protected VMs (pVMs).

Compatibility: pKVM is compatible with existing operating systems and workloads that rely on KVM-based virtual machines.

Background: In the context of pKVM, a vCPU (virtual Central Processing Unit) represents a virtualized CPU core assigned to a virtual machine (VM). Each vCPU in a VM’s operating system corresponds to one physical CPU core.

In pKVM, vCPUs are used to manage and allocate processing power to protected virtual machines (pVMs), ensuring that each VM has the necessary resources to operate securely and efficiently.

Vulnerability details: Don’t run a protected VCPU in pKVM if it isn’t in a runnable PSCI state. For protected VMs, the PSCI state is the reference state for whether they are runnable or not.

Official announcement: Please refer to the link for details – https://android.googlesource.com/kernel/common/+/1a3366f0d3d9b94a8c025d9863edc3b427435c4c