NVD Published Date: 03/11/2025
NVD Last Modified: 03/14/2025

Preface: WebKit is a web browser engine used by Safari and other applications across various platforms like macOS, iOS, Linux, and Windows. It processes web content, including JavaScript, HTML, and CSS.

Background: The Web Content sandbox is a security feature within WebKit that isolates web content from the rest of the system. This means that any potentially harmful web content, such as malicious scripts, is contained within a restricted environment, preventing it from affecting other parts of the system. This sandboxing helps protect users from vulnerabilities and exploits that could arise from visiting compromised websites.

The Web Content sandbox in WebKit uses several shared libraries (.so files) to function properly. These libraries are essential for various operations within the sandboxed environment. Some common libraries that might be involved include:

1. libwebkit2gtk-4.0.so: This is the main WebKit library for GTK-based applications.
2. libjavascriptcoregtk-4.0.so: This library handles JavaScript execution within WebKit.
3. libWPEWebKit.so: Used in WebKit for embedded systems.
4. libWPEBackend-fdo-1.0.so: Provides backend functionality for WebKit on embedded system.

These libraries help ensure that web content is processed securely and efficiently within the sandbox.

Vulnerability details: An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in visionOS 2.3.2, iOS 18.3.2 and iPadOS 18.3.2, macOS Sequoia 15.3.2, Safari 18.3.1. Maliciously crafted web content may be able to break out of Web Content sandbox. This is a supplementary fix for an attack that was blocked in iOS 17.2. (Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.).

Official announcement: Please refer to the following link for details – https://nvd.nist.gov/vuln/detail/CVE-2025-24201

Initial release: August 8, 2023

Last updated: 14 Mar 2025

Preface: AMD’s Zen3 and Zen4 architectures are not directly related to ARM design, as they are based on AMD’s own x86-64 architecture. ARM is concerned about Training in Transient Execution (TTE) attacks because these attacks exploit vulnerabilities in speculative execution, which can affect ARM processors just as they do other architectures like x86.

Background: There are 2 phenomena that enable an unprivileged attacker to leak arbitrary information on AMD Zen3 and Zen4 CPU products.

• Phantom speculation – Trigger misprediction without any branch at the source of the misprediction.
• Training in Transient Execution – Potential manipulate future mispredictions through a previous misprediction that attacker trigger.

Here are some key reasons why ARM is worried about TTE attacks:

Microarchitectural Manipulation: TTE attacks involve manipulating microarchitectural buffers, such as the branch target buffer (BTB) and return stack buffer (RSB), during speculative execution. This manipulation can lead to mispredictions and create transient windows where sensitive data can be accessed.

Cross-Architecture Concerns: While ARM processors have different microarchitectural designs compared to x86 processors, the fundamental principles of speculative execution and transient execution attacks apply across architectures. This means ARM needs to address these vulnerabilities to ensure the security of their processors.

Security Implications: Successful TTE attacks can bypass existing security mitigations and leak sensitive information, posing a significant threat to the security of ARM-based systems.

Official announcement: For details, please refer to the link – https://developer.arm.com/documentation/110363/1-0/?lang=en

Preface: In smartphones, the System on Chip (SoC), such as those made by Qualcomm, integrates various components including the CPU, GPU, and memory. The embedded OS and applications run on this SoC, utilizing its built-in memory (RAM) for processing tasks.
The flash storage (often referred to as flashdisk) in smartphones is primarily used for storing persistent data like images, documents, apps, and the operating system itself. This storage is separate from the RAM used by the CPU and GPU for active processing
 
Background: Logging in Android does consume memory and can affect the OS memory resources. When you create logs, they are stored in memory, which can lead to increased memory usage. This can impact the performance of your application and the overall system, especially if there are a lot of log entries being generated.
 
Vulnerability details: In various locations around the stack, log statements use structures that may, in exceptional cases, have been freed by preceding calls.  This can lead to use after free and potentially to security vulnerabilities.
 
Ref: p_buf is a pointer to a buffer structure. If a buffer overflow in p_buf can potentially lead to a use-after-free vulnerability.
 
Official announcement: Please refer to the link for details – https://android.googlesource.com/platform/packages/modules/Bluetooth/+/806774b1cf641e0c0e7df8024e327febf23d7d7c

Preface: The protected Kernel-based Virtual Machine (pKVM) is an advanced virtualization technology built on top of the Linux Kernel-based Virtual Machine (KVM). It is designed to enhance security and isolation for virtual machines (VMs) running on Android devices.

Key points about pKVM:

Enhanced Security: pKVM restricts access to the payloads running in guest VMs marked as ‘protected’ at the time of creation. This ensures that even if the host Android system is compromised, the guest VMs remain secure.

Isolation: It provides strong confidentiality and integrity guarantees by isolating memory and devices into individual protected VMs (pVMs).

Compatibility: pKVM is compatible with existing operating systems and workloads that rely on KVM-based virtual machines.

Background: In the context of pKVM, a vCPU (virtual Central Processing Unit) represents a virtualized CPU core assigned to a virtual machine (VM). Each vCPU in a VM’s operating system corresponds to one physical CPU core.

In pKVM, vCPUs are used to manage and allocate processing power to protected virtual machines (pVMs), ensuring that each VM has the necessary resources to operate securely and efficiently.

Vulnerability details: Don’t run a protected VCPU in pKVM if it isn’t in a runnable PSCI state. For protected VMs, the PSCI state is the reference state for whether they are runnable or not.

Official announcement: Please refer to the link for details – https://android.googlesource.com/kernel/common/+/1a3366f0d3d9b94a8c025d9863edc3b427435c4c

Preface: The Gospel of Matthew 24:37

As it was in the days of Noah, so it will be at the coming of the Son of Man. For in the days before the flood, people were eating and drinking,..etc

Background: In Android, the ServiceManager is a key component in the Binder IPC (Inter-Process Communication) mechanism. It manages system services and provides a way for clients to obtain references to these services.

Here’s a brief overview of how the ServiceManager operates:

1. Initialization: The ServiceManager is started by the init process during the system boot. It is defined in the init.rc script, which specifies the service and its executable path.
2. Service Registration: When a service wants to register with the ServiceManager, it calls the addService method. This method takes the service name and a reference to the service’s Binder interface.
3. Service Lookup: Clients can query the ServiceManager to get a reference to a registered service using the getService method. This method returns the Binder interface of the requested service.
4. Security and Permissions: Starting from Android 8.1, SELinux policies have become stricter. Services must be defined in the plat_service_contexts file to be allowed to register with the ServiceManager. This ensures that only authorized services can be registered and accessed..
5. Communication: Once a service is registered, clients can communicate with it through Binder IPC. The ServiceManager acts as a mediator, ensuring that the communication is secure and efficient.

Vulnerability details: local privilege escalation

Bug fixes: The setRequestingSid(true) method in the ServiceManager is used to enable the inclusion of the Security Identifier (SID) in service requests. This is part of the security framework in Android, ensuring that the identity of the requesting service is included and verified during inter-process communication (IPC).

Official announcement: Please refer to the vendor announcement for details – https://android.googlesource.com/platform/frameworks/native/+/c32d4defe0f4e5cad86437d6672de7a76caf1a79

Original release date: February 3, 2025

Preface: The Hardware Abstraction Layer (HAL) is not outdated with Android 15. In fact, HAL continues to play a crucial role in the Android architecture. Android 15 includes improvements and updates to various HAL components, ensuring they remain relevant and effective for modern hardware and software requirements.

Background: Android 15 continues to use hal_fwlog[.]cc because it remains a crucial component for logging firmware-related events and activities within the Hardware Abstraction Layer (HAL). The HAL provides a standardized interface for hardware vendors, allowing the Android operating system to communicate with hardware components without needing to know the specifics of the hardware. This ensures compatibility and stability across various devices and hardware configurations.

Maintaining hal_fwlog[.]cc helps in diagnosing and troubleshooting hardware issues, ensuring that the system can log and monitor firmware activities effectively. This is essential for maintaining the overall reliability and performance of the Android operating system.

Vulnerability details: Fix malloc buffer size in hal_fwlog[.]cc

The hal_fwlog[.]cc file in Android is part of the Hardware Abstraction Layer (HAL). This file is typically used for logging firmware-related events and activities. The HAL provides a standard interface for hardware vendors to implement, allowing the Android operating system to communicate with hardware components without needing to know the specifics of the hardware.

Official announcement: Please refer to the link for details – https://source.android.com/docs/security/bulletin/2025-02-01

Preface: SCMI is a message driven interface between an SCMI agent (client) and an SCMI host (server)

Background: SCP Firmware provides a software reference implementation for the System Control Processor (SCP) and Manageability Control Processor (MCP) components found in several Arm Compute Sub-Systems. Power Control System Architecture (PCSA) defines the concept of a System Control Processor (SCP), a specialized processor that abstracts power and system management tasks from the application processor.

A small area of SRAM is reserved for SCMI communication between application processors and SCP. Entity that sends commands to the platform using SCMI. For example, the OSPM running on an AP or an on-chip management controller.

Vulnerability details:

CVE-2024-9413 – The transport_message_handler function in SCP-Firmware release versions 2.11.0-2.15.0 does not properly handle errors, potentially allowing an Application Processor (AP) to cause a buffer overflow in System Control Processor (SCP) firmware.

CVE-2024-11863 and CVE-2024-11864 – Specifically crafted SCMI messages sent to an SCP running SCP-Firmware release versions up to and including 2.15.0 may lead to a Usage Fault and crash the SCP

Official announcement: For detail, please refer to link –

https://developer.arm.com/Arm%20Security%20Center/SCP-Firmware%20Vulnerability%20CVE-2024-11863-11864

Preface: PowerVR is a division of Imagination Technologies (formerly VideoLogic) that develops hardware and software for 2D and 3D rendering, and for video encoding, decoding, associated image processing and DirectX, OpenGL ES, OpenVG, and OpenCL acceleration. 

Background: Imagination maintains DDKs for Android, Linux and Windows operating systems, ensuring they have access to the latest APIs and popular extensions.

To build the Android kernel and other kernel artifacts (modules, boot images, etc.), they provide a framework called “Kleaf”. • One part of Kleaf is the Driver Development Kit (DDK) which is used to build external modules.

Vulnerability details: Software installed and run as a non-privileged user may conduct improper GPU system calls to gain access to the graphics buffers of a parent process.

PVRSRVAcquireProcessHandleBase can cause psProcessHandleBase reuse when PIDs are reused, said imagination Technologies.

Official announcement: Please refer to the link for details –

https://source.android.com/docs/security/bulletin/2025-01-01

Preface: Vulnerability findings appear to have changed compared to five years ago. As a matter of fact, the trend of open source concept driven the a lot of details visible,   a bunch of vulnerabilities have accumulated in 2024, and the Android security advisory on January 2025 shows you what’s the actual status.

Manufacturers will have an easier time managing vulnerabilities because the patches released today were discovered by them months or a year ago.

Background: Chipsets affected by this vulnerability: MT2735, MT6767, MT6768, MT6769, MT6769K, MT6769S, MT6769T, MT6769Z, MT6779, MT6781, MT6783, MT6785, MT6785T, MT6785U, MT6789, MT6833P, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6880, MT6880T, MT6880U, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8666, MT8673, MT8675, MT8765, MT8766, MT8768, MT8771, MT8781, MT8786, MT8788, MT8788E, MT8789, MT8791T, MT8795T, MT8797, MT8798

An example: The MediaTek MT8791T integrates Bluetooth, FM, WLAN, and GPS modules and is a highly integrated baseband platform that includes a modem and application processing subsystem to support LTE/5G/NR and C2K tablet applications. The chip integrates two Arm®Cortex-A78 cores running at up to 2.6 GHz, six Arm®Cortex-A55 cores running at up to 2.0 GHz, and a powerful multi-standard video codec. In addition, an extensive set of interfaces and connectivity peripherals for connecting cameras, touchscreen displays, and UFS/MMC/SD cards are included.

Vulnerability details: In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation.

Official announcement: Please refer to the link below for details –

https://corp.mediatek.com/product-security-bulletin/January-2025