Category Archives: Cell Phone (iPhone, Android, windows mobile)

Cell Phone (iPhone, Android, windows mobile), IoT, Potential Risk of CVE

CVE-2025-21450: Improper Authentication in GPS GNSS (7th July 2025)

Leave a comment

Preface:

GNSS – This is a global term encompassing all satellite constellations that provide positioning, navigation, and timing (PNT) services. Besides GPS, other GNSS include GLONASS (Russia), Galileo (EU), and BeiDou (China).

GPS – The Global Positioning System, developed by the US Department of Defense, is the most widely recognized and used GNSS. It was the first global satellite navigation system and has become a household term.

Background: A GPS/GNSS receiver can be considered the client in a similar way to an IoT device or smartphone, particularly when used for location-based services. GPS/GNSS receivers require cryptographic downloads, specifically key material and potentially software updates, to enable authentication and anti-spoofing features. These features ensure the integrity and authenticity of the received signals, protecting against malicious attacks like spoofing where fake signals mimic legitimate satellites.

Ref: The GPS module in the Snapdragon 8 Gen 3 is integrated within the Snapdragon X75 5G Modem-RF System. The X75 is a comprehensive modem-RF solution that includes not only 5G capabilities but also other wireless technologies like Wi-Fi, Bluetooth, and location services like GPS. This integration allows for efficient and high-performance location tracking and navigation on devices powered by the Snapdragon 8 Gen 3.

Vulnerability details: Cryptographic issue occurs due to use of insecure connection method while downloading.

Vulnerability Type: CWE-287 Improper Authentication

Official announcement: Please see the link for details –

https://docs.qualcomm.com/product/publicresources/securitybulletin/july-2025-bulletin.html

Cell Phone (iPhone, Android, windows mobile), Network (Protocol, Topology & Standard), Potential Risk of CVE

CVE-2025-44952: About Open5GS (19-6-2025)

Leave a comment

Preface: Open5GS is a popular open-source 5G core network (5GC) implementation, particularly among researchers and those building private 5G networks. It’s recognized as one of the leading open-source 5GC projects. Open5GS is known for its adherence to 3GPP standards and its mature development, making it suitable for various applications like testbeds, research, and even some deployments

Background: The PFCP library refers to a software component, often implemented in programming languages like Go, designed to support the Packet Forwarding Control Protocol (PFCP). PFCP is a signaling protocol used in mobile core networks, particularly in the context of Control and User Plane Separation (CUPS) within 4G and 5G architectures. It enables communication between control plane elements (like the Session Management Function or SMF) and user plane elements (like the User Plane Function or UPF). PFCP is used by network equipment (like 5G base stations and core network elements) to manage data forwarding.

Vulnerability details: A missing length check in `ogs_pfcp_subnet_add` function from PFCP library, used by both smf and upf in open5gs 2.7.2 and earlier, allows a local attacker to cause a Buffer Overflow by changing the `session.dnn` field with a value with length greater than 101.

Comment: The developer added the strcpy block as a new logic to handle the DNN field. If the patch doesn’t include bounds checking, it introduces a new vulnerability.

Suggestion: the strcpy should be replaced with a safe alternative.

Official announcement: Please refer to the supplier announcement –

https://nvd.nist.gov/vuln/detail/CVE-2025-44952

AI and ML, Cell Phone (iPhone, Android, windows mobile), IoT, Potential Risk of CVE

CVE-2025-2884 – Design weakness in the Trusted Platform Module (TPM) 2.0 reference implementation code. (11th June 2025)

Leave a comment

Preface: The main difference between AMD’s Trusted Platform Module (TPM) and those from other manufacturers , how it’s implemented: AMD offers a firmware TPM (fTPM), while many other manufacturers, including Intel, also offer a dedicated hardware TPM (dTPM).

Background: TPM refers to a Trusted Platform Module, which is a specialized chip that securely stores cryptographic keys used for encryption and decryption, enhancing overall system security. AMD’s approach often involves Firmware TPM (fTPM), also known as Intel’s Platform Trust Technology (PTT), which implements TPM functionality within the system’s firmware rather than using a dedicated physical chip.

The AMD Ryzen Embedded 7000 series processors indeed integrate advanced security features, including:

  • AMD Secure Processor (ASP): A dedicated security co-processor embedded directly into the CPU die.
  • Firmware TPM (fTPM): Implemented in firmware and runs on the ASP.
  • Microsoft Pluton: A hardware-based security processor integrated into the silicon, designed to work alongside ASP and fTPM for enhanced protection.

Ref: The most common TPM is the TPM function supported by the Trusted Execution Environment (TEE) of Intel Core i series or AMD Ryzen series CPU in the motherboard UEFI firmware. fTPM can be used in all processors after Intel Broadwell (5th generation) and AMD Ryzen series. This is the most common method because you can easily use the TPM function without purchasing a separate module.

Vulnerability details: An out-of-bounds read vulnerability exists in TPM2.0’s Module Library allowing a read past the end of a TPM2.0 routine as described above. An attacker who can successfully exploit this vulnerability can read sensitive data stored in the TPM and/or impact the availability of the TPM.

Official announcement: Please see the link for details – https://www.amd.com/en/resources/product-security/bulletin/amd-sb-4011.html

Cell Phone (iPhone, Android, windows mobile), IoT, Potential Risk of CVE

CVE-2025-0037: About AMD Versal™ Adaptive SoC – Initial publication 2025-06-03

Leave a comment

(9th June 2025)

Preface: AMD’s Versal™ Adaptive SoCs are used in a wide range of industries, particularly those requiring high-performance, low-latency processing and flexibility, such as data centers, wireless networking, automotive, aerospace, and defense. Versal chips are also utilized in areas like 5G wireless, advanced driver assist, and even 3D printing.

AMD’s Versal™ Adaptive SoC technology is used in several different chip series, including the Versal AI Edge, Versal AI Core, Versal Prime, Versal Premium, and Versal RF series. These SoCs are designed for a variety of applications, including AI inference, data-intensive workloads, and high-speed communication.

Background: Platform Management Controller (PMC), Platform Loader and Manager (PLM), and boot and configuration are key components in modern embedded systems, especially in Xilinx Versal ACAPs and similar platforms.

Key Steps Illustrated:

1.BootROM loads PL –  Initial boot step from non-volatile memory.

2.PLM starts running – Executes on the MicroBlaze inside the PMC.

3.PLM authenticates and decrypts partitions – Uses hardware accelerators in the PMC for cryptographic operations.

4.PLM configures programmable logic – Loads and configures the Adaptive Engines and other programmable resources.

Remark: To understand the process, please refer to the attached diagram.

Vulnerability details: In Versal™ Adaptive SoC devices, the Platform Loader and Manager (PLM) implements runtime (post-boot) software services that can allow a remote processor to command the PLM to execute cryptographic operations – including AES, SHA3, RSA, ECDSA – using the hardened cryptographic accelerators, eFUSE and BBRAM reads and writes, reloading PDIs, and reading back the FPGA on behalf of the remote processor.

A potential vulnerability exists with commanding these runtime services, in that the memory passed with the command to execute the services is not checked by the PLM to verify that the requesting processor has access to the memory space.

Official announcement: Please refer to the link for details – https://www.amd.com/en/resources/product-security/bulletin/amd-sb-8010.html

Cell Phone (iPhone, Android, windows mobile), IoT, Potential Risk of CVE

CVE-2025-1246: A non-privileged user process can perform valid GPU processing operations (8th June 2025)

Leave a comment

Preface: The Valhall family of Mali GPUs uses the same top-level architecture as the previous generation Bifrost GPUs. The Valhall family uses a unified shader core architecture. Arm’s 5th generation GPU architecture, on the other hand, is a type of GPU architecture that is designed for visual computing, especially on mobile devices, and includes features like deferred vertex shading and hardware-based ray tracing. It is a part of the Arm Mali or Immortalis GPU family.

Background: Arm’s Mali GPUs are closely related to the Valhall architecture. Valhall is Arm’s fourth-generation architecture for Mali GPUs, and the Mali-G77 is the first high-end GPU to adopt this architecture. Valhall improves on previous generations of architectures such as Bifrost with a simplified, compiler-friendly instruction set and better compatibility with newer APIs such as Vulkan. The architecture also allows for configuration of the number of shader cores and the size of the L2 cache.

WebGL (Web Graphics Library) and WebGPU (Web Graphics Processing Unit) are both JavaScript APIs that allow web developers to use a computer’s GPU to render 3D graphics and perform computations within a web browser. WebGPU is a newer and more powerful API than WebGL, designed to provide better performance and support for modern GPUs.

Vulnerability details: A non-privileged user process can perform valid GPU processing operations, including via WebGL or WebGPU, to access outside of buffer bounds. This issue has been assigned the identifier CVE-2025-1246.

Affected ProductsBifrost GPU Userspace Driver

CVE-2025-1246: All versions from r18p0-r49p3, r50p0-r51p0 Valhall GPU Userspace Driver

CVE-2025-1246: All versions from r28p0-r49p3, r50p0-r54p0 Arm 5th Gen GPU Architecture Userspace Driver

CVE-2025-1246: All versions from r41p0-r49p3, r50p0-r54p0

Recommendations – These issues have been fixed in the following versions:

Bifrost GPU Userspace Driver – CVE-2025-1246: r49p4, r54p1

Valhall GPU Userspace Driver – CVE-2025-1246: r49p4, r54p1

Arm 5th Gen GPU Architecture Userspace Driver – CVE-2025-1246: r49p4, r54p1

Official announcement: Please see the link for – detailshttps://developer.arm.com/documentation/110466/1-0

Cell Phone (iPhone, Android, windows mobile), Potential Risk of CVE

CVE-2024-49835 – Out-of-bounds Write in SPS Applications (8th May 2025)

Leave a comment

Preface: Semi-Persistent Scheduling (SPS) is used in LTE and 5G networks to reduce control channel overhead for applications requiring persistent radio resource allocations, such as VoIP and VoLTE . The memory usage for SPS on Android devices can vary based on several factors, including the specific implementation and the network conditions.

A method and apparatus for determining validity of a semi-persistent scheduling (SPS) resource across multiple cells in a wireless communication system is provided. A user equipment (UE) receives a SPS resource configuration including time information related to validity of the SPS resource configuration from a network, and determines whether the SPS resource configuration is valid or not according to the time information.

Background: Semi-Persistent Scheduling (SPS) Workflow

  1. The RF module in the Snapdragon chip receives the SPS resource configuration from the network. This configuration includes time information related to the validity of the SPS resource.
  2. The Physical Layer (PHY) processes the received configuration to determine its validity based on the time information provided.
  3. If the configuration is valid, the Medium Access Control (MAC) layer handles the allocation of radio resources for multiple consecutive Transmission Time Intervals (TTIs). This reduces the need for frequent scheduling decisions and signaling overhead.
  4. The MAC layer coordinates with the Radio Link Control (RLC) layer to manage data transmission using the allocated resources. The RLC layer ensures data integrity and proper sequencing.
  5. The Digital Signal Processor (DSP) and Application Processor within the Snapdragon chip are responsible for executing the scheduling algorithms and managing the data flow.The configuration and scheduling information are stored in the shared memory accessible by both the DSP and the application processor.

Vulnerability details: Out-of-bounds Write in SPS Applications. Memory corruption while reading secure file. This is a type of memory access error that occurs when a program writes data from a memory address outside of the bounds of a buffer. This can result in the program writing data that does not belong to it, which can cause crashes, incorrect behavior, or even security vulnerabilities.

Official announcement: For details, please refer to the link –https://nvd.nist.gov/vuln/detail/cve-2024-49835

Cell Phone (iPhone, Android, windows mobile), Potential Risk of CVE

Mali GPU Driver Security Bulletin: CVE-2025-0427

Leave a comment

(7th May 2025)

Last updated: 2 May 2025 (official)

Preface: An ioctl interface is a single system call by which userspace may communicate with device drivers. Requests on a device driver are vectored with respect to this ioctl system call, typically by a handle to the device and a request number.

Background: The Arm Mali GPU, when installed on an Android phone, works alongside the CPU rather than replacing it. The Mali GPU is specifically designed for handling graphics processing tasks, such as rendering images, animations, and videos, which helps to offload these tasks from the CPU. This allows the CPU to focus on other computational tasks, improving overall device performance and efficiency.

The Mali GPU itself does not have an embedded CPU; it is a separate component that works in conjunction with the device’s main CPU. This collaboration between the GPU and CPU ensures that graphics-intensive applications, like games and videos, run smoothly while maintaining efficient power usage.

Vulnerability details: Use After Free vulnerability in Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user process to perform valid GPU processing operations to gain access to already freed memory.

Impact: This issue affects Bifrost GPU Kernel Driver: from r8p0 through r49p3, from r50p0 through r51p0; Valhall GPU Kernel Driver: from r19p0 through r49p3, from r50p0 through r53p0; Arm 5th Gen GPU Architecture Kernel Driver: from r41p0 through r49p3, from r50p0 through r53p0.

Official announcement: Please see the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2025-0427

https://developer.arm.com/documentation/110465/latest

Cell Phone (iPhone, Android, windows mobile), Potential Risk of CVE

CVE-2024-49739 – GPU DDK misuse ptrace system call (6th May 2025)

Leave a comment

Official release posted: 2nd May 2025

Since the manufacturer did not provide a detailed description, is the situation discovered by the manufacturer similar to this article details?

Preface:

Nvidia is a major player in the GPU market, known for its high-performance graphics cards used in gaming, professional visualization, data centers, and AI applications.

Imagination Technologies specializes in providing GPU processor solutions for graphics and AI vision applications. They focus on mobile devices, automotive, and embedded systems.

Background: All PowerVR GPUs are based on unique Tile Based Deferred Rendering (TBDR) architecture; the only true deferred rendering GPU architecture in the world.  True deferred rendering GPU architecture, specifically Tile-Based Deferred Rendering (TBDR), is a unique approach used by PowerVR GPUs.

Tile-Based Deferred Rendering (TBDR)

– Tile-Based Rendering: The screen is divided into small tiles, and each tile is processed individually. This allows the GPU to store data like color and depth buffers in internal memory, reducing the need for frequent access to system memory. This results in lower energy consumption and higher performance.

– Deferred Rendering: This technique defers texturing and shading operations until the visibility of each pixel in the tile is determined. Only the pixels that will be visible to the user consume processing resources, which enhances efficiency.

Vulnerability details: Software installed and run as a non-privileged user may conduct ptrace system calls to issue writes to GPU origin read only memory.

Resolution: The DDK Kernel module has been updated to address this  improper use of ptrace system call to prevent write requests to read-only memory.

Official announcement: Please see the link for details –

https://www.imaginationtech.com/gpu-driver-vulnerabilities

Cell Phone (iPhone, Android, windows mobile), Potential Risk of CVE

CVE-2024-45552 – Buffer Over-read in Data Network Stack & Connectivity  (30-04-2025)

Leave a comment

NVD Published Date: 04/07/2025

NVD Last Modified: 04/07/2025

Preface: Real-time Transport Protocol (RTP) is a network protocol used for delivering audio and video data over the internet in real time. It is designed to provide reliable and efficient transmission of multimedia content, even in the presence of network congestion or packet loss.

Background: The Snapdragon 865 5G Mobile Platform is designed to handle various networking tasks, including RTCP (Real-Time Transport Control Protocol) packets. The rtcp_sender[.]cc driver, which is responsible for sending RTCP packets, is typically part of the software stack that runs on the device’s operating system rather than being embedded directly within the Snapdragon chipset itself

The Snapdragon 865 provides the necessary hardware support and interfaces for the operating system to manage network communications efficiently . The actual implementation of RTCP handling, including the rtcp_sender[.]cc driver, would be part of the software layer that interacts with the hardware.

Vulnerability details: Information disclosure may occur during a video call if a device resets due to a non-conforming RTCP packet that doesn’t adhere to RFC standards.

Official announcement: Please see the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-45552

Cell Phone (iPhone, Android, windows mobile), Potential Risk of CVE

CVE-2025-31201: about RPAC – Reconfigurable Processing Architecture Core – iPhone XS and later (28-4-2025)

Leave a comment

Official Released April 16, 2025

Preface: The Reconfigurable Processing Architecture Core (RPAC) in Apple iOS is a component found in newer Apple Silicon chips. Its major function is to enhance the security and performance of the system by providing a flexible and efficient processing architecture. RPAC is designed to support various computational tasks and can be dynamically reconfigured to optimize performance for different applications.

Background: Arbitrary read and write refer to the ability of an attacker to read from or write to any memory location within a system.

Buffer overflows are a common cause of arbitrary read and write vulnerabilities, but in this CVE, the issue is related to how the RPAC component handles memory and security checks.

RPAC uses PAC to protect against memory corruption attacks. PAC works by cryptographically signing pointers, such as return addresses, to ensure they haven’t been tampered with. This helps prevent unauthorized modifications and ensures the integrity of memory operations.

RPAC performs various security checks to validate memory access and operations. These checks help detect and guard against unexpected changes to pointers and other critical data structures

Vulnerability details: An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS.

Official announcement: Please see the link for details – https://nvd.nist.gov/vuln/detail/CVE-2025-31201