Category Archives: Potential Risk of CVE

Potential Risk of CVE

CVE-2025-68493: Apache Struts recently released a security advisory recommending that you check your code and upgrade. Otherwise, the new version of Struts will refuse to execute any existing code that contains security vulnerabilities. (14th Jan 2026)

Leave a comment

Preface: Many large, enterprise-level companies across various industries use or have used the open-source Apache Struts framework for building Java web applications. Companies using this framework must ensure they are on a currently supported version and apply security patches immediately.

Background: The Model-View-Controller (MVC) is a software architectural pattern used in Java and other programming languages to separate an application’s logic into three interconnected core components: the Model (data and business logic), the View (user interface), and the Controller (input handling and coordination).

This separation of concerns makes applications easier to manage, test, and scale by allowing developers to modify one part of the application without significantly affecting the others.

Apache Struts is a framework for building enterprise-level Java apps. It follows the Model-View-Controller (MVC) pattern. Struts helps maintain a clean code structure and scalability. The framework supports internationalization, making it ideal for multi-language apps. It integrates easily with other Java EE components like EJBs and JMS.

Vulnerability details: Missing XML Validation vulnerability in Apache Struts, Apache Struts.This CVE (based on its pattern and recent advisories) likely relates to remote code execution (RCE) or OGNL injection triggered by unsafe configurations or certain result types. If your configuration:

  • Allows user-controlled parameters to influence OGNL expressions.
  • Uses developer mode in production.
  • Has wildcard mappings or dynamic method calls.

Official announcement: Please refer to the link for details –

https://www.tenable.com/cve/CVE-2025-68493

This issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0.

*Users are recommended to upgrade to version 6.1.1, which fixes the issue.

IoT, Potential Risk of CVE

CVE-2025-47393: In Qualcomm-specified products, memory corruption occurs when the core driver accesses resources. 13th Jan-2026

Leave a comment

Qualcomm – Official announcement: 1st Jan 2026

Preface: The Qualcomm Snapdragon Ride platform is used to develop advanced driver assistance systems (ADAS) and autonomous driving (AD) for vehicles. It combines powerful hardware (SoCs containing AI, GPUs, and vision engines) and software (SDKs, cloud tools) to support a wide range of functions from basic safety features to advanced autonomous driving. It allows for the integration of digital cockpit, ADAS, and AD functions on the same hardware and supports over-the-air (OTA) updates for continuous improvement.

Qualcomm SA9000P is a high-performance automotive-grade System-on-Chip (SoC) from Qualcomm’s Snapdragon Ride platform, part of a 5nm compute platform for advanced driver-assistance systems (ADAS) and autonomous driving, designed to compete with NVIDIA and Intel Mobileye, often paired with the SA8540P, enabling powerful in-car computing for future connected and self-driving vehicles.

Background: In the context of Qualcomm’s software ecosystem and the Linux kernel, _count_phandle_with_args() is typically a low-level helper or a variant of the standard DeviceTree (DT) API used to determine the number of phandle entries in a specific property.

While the internal underscore-prefixed version (_count_phandle_with_args) is often used within kernel core code (like drivers/of/base.c), it is most commonly accessed by Qualcomm drivers via the public wrapper: of_count_phandle_with_args()

Therefore, developers are advised to use `of_count_phandle_with_args()` to verify array indices.

Usage in Qualcomm Drivers: Qualcomm’s MSM (Mobile Station Modem) kernel and downstream drivers use this to dynamically determine how many resources (like regulator handles or clock inputs) are defined for a hardware block before allocating memory for them.

Vulnerability details:

CVE ID – CVE-2025-47393

Title – Improper Validation of Array Index in Automotive Linux OS

Description – Memory corruption when accessing resources in kernel driver.

Technology Area – Automotive Linux OS

Vulnerability Type – CWE-129 Improper Validation of Array Index

Official announcement: Please refer to the link for details –

https://docs.qualcomm.com/securitybulletin/january-2026-bulletin.html

Potential Risk of CVE

CVE-2025-47345: About Qualcomm – Reusing a Nonce, Key Pair in Encryption in Automotive Platform (12th Jan 2026)

Leave a comment

Official published: 5th JAN 2026

Preface: When used in an automotive context, the Snapdragon 8 Gen 3 Mobile Platform—and its dedicated automotive counterparts—utilize a High-Level Operating System (HLOS).

While the “Mobile Platform” is a consumer-grade chip typically found in smartphones, some automakers have integrated it directly into vehicles. For purpose-built automotive solutions, Qualcomm offers the Snapdragon Cockpit Elite and Snapdragon Ride Elite, which share the same underlying architecture (Oryon CPU cores) as the mobile 8-series.

Background: The Snapdragon 8 Gen 3 Mobile Platform redefines mobile connectivity with advancements in speed, reliability, and future-proofing. At its core is the Snapdragon X75 5G Modem-RF System, which delivers high performance, including up to 10Gbps downlink and 3.5Gbps uplink speeds.

While the High-Level Operating System (HLOS) allocates a non-secure buffer to communicate with the Trusted Execution Environment (TEE), this buffer is only used for passing encrypted payloads, commands, or non-sensitive handshake parameters.

The Automotive smart cockpit is an advanced integrated digital environment that uses artificial intelligence, sensors and connectivity to unify the driver interface, infotainment and vehicle controls, transforming the cabin into a personalized interactive space for driving, entertainment and productivity.

HDCP is used in smart cockpits to protect high-resolution digital video and audio content transmitted across internal digital interfaces like HDMI, DisplayPort, and automotive-specific links such as APIX (Automotive Pixel Link ) or GMSL (Gigabit Multimedia Serial Link).

HDCP in Automotive Platforms (HDCP) is a link protection protocol, and its security depends on proper key management and session handling inside the TEE.

  • The session keys are stored securely in TEE and referenced by session ID.
  • There’s no indication that the same nonce or key pair is reused across sessions or encryption operations.
  • The non-secure buffer is freed after the session ends, which is good practice.

Vulnerability details: Cryptographic issue may occur while encrypting license data. The potential vulnerability (CVE-2025-47345) in Qualcomm Snapdragon platforms arises from reusing a nonce or key pair during encryption, violating cryptographic best practices (CWE-323). This issue is not an application-level flaw but a platform design decision.

As a matter of fact, modern threat models consider:

•         TEE compromise or privilege escalation as realistic attack vectors.

•         Static cryptographic material as a critical weakness, enabling replay attacks, impersonation, or content decryption.

Official announcement: Please refer to the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2025-47345

Cell Phone (iPhone, Android, windows mobile), Potential Risk of CVE

CVE-2025-47339 – Memory corruption while deinitializing a HDCP session -Use After Free in HLOS (9th Jan 2026)

Leave a comment

Official Published: 01/05/2026

Preface: In Qualcomm devices, the Host Operating System (HLOS), often Android/Linux, manages HDCP (High-bandwidth Digital Content Protection) sessions by interacting with dedicated hardware/firmware (DCP/ MediaLink/TrustZone) for key exchange and encryption, ensuring protected content (DRM) is output securely over HDMI/DisplayPort, with the HLOS kernel handling driver calls and security enforcement to prevent playback of protected media on non-compliant displays.

Background: For the HLOS (Normal World) to communicate with the Secure World, a small “shared memory” buffer must be initialized:

• Communication Buffers: The HLOS allocates non-secure memory to pass non-sensitive commands and status updates (e.g., “start session,” “query status”) to the TEE.

• Buffer Alignment: Systems often require specific alignment (typically 4KB page alignment) for these shared buffers to ensure they can be mapped into the TEE’s address space for processing.

When the app calls mediaDrm.closeSession(sessionId) – refer tp attached diagram, the Widevine DRM stack signals the TEE (TrustZone) to terminate the secure session.

The non-secure buffer allocated by HLOS for communication with the TEE is freed once the session ends.  Alignment requirements (e.g., 4KB) are relevant only during active mapping; after deinitialization, the memory is returned to the normal pool.

Related details:

  • The HDCP link is not persistent beyond the DRM session. Once the session is closed, the secure channel is dismantled.
  • If another app or playback starts later, the entire handshake process (including HDCP negotiation) will run again.

Vulnerability details: CVE-2025-47339 – Memory corruption while deinitializing a HDCP session – Use After Free in HLOS.

One of the possibilities – When the HLOS frees the non-secure buffer after session closure, any lingering references (e.g., in the TEE driver or asynchronous callbacks) can still access that memory. If the cleanup sequence doesn’t enforce strict ordering—such as ensuring all secure-world operations have completed before freeing the buffer—the freed memory could be reused by another process, leading to corruption.

Official announcement: Please refer to the link for details –

https://docs.qualcomm.com/securitybulletin/january-2026-bulletin.html

Potential Risk of CVE

CVE-2026-21675 Linux systems using the IccProfLib library are also affected by this vulnerability! (8 Jan 2026)

Leave a comment

Published: 2026-01-05

Preface: Website hosting itself does not “provide” ICC profiles; instead, it stores the image files you upload, which may contain embedded ICC profiles. However, the key is how web browsers interpret them. Most standard browsers default to or prioritize the sRGB color space for displaying web page content, so explicit ICC profiles are usually unnecessary and can sometimes even negatively impact file size/performance. Therefore, ideally, you should set it to “RGB” format.

However, ICC profiles are crucial for accurate color reproduction in facial recognition systems, especially for ensuring consistency between capture (camera/scanner) and analysis (software/display), because they provide the necessary color translation for accurate skin tone mapping, feature differentiation (like subtle shadows and highlights), and reliable matching, preventing errors caused by device-specific color variations that could affect algorithm performance.

Background: IccProfLib is an open-source, cross-platform C++ library from the SampleICC project that allows developers to read, write, manipulate, and apply ICC (International Color Consortium) profiles, which define device-specific color characteristics for consistent color management in graphics. The ICC profile must always be saved with your photos for the same reason. Without it, the device reproducing your photos (printer, computer screen, phone screen, etc) doesn’t have the exact instructions for how the colours should look.

In 2026, ICC (International Color Consortium) profiles are essential for maintaining color accuracy across devices on Windows. The IccProfLib C++ library is designed for cross-platform compatibility, so it can be used on Linux.

A Hint Manager, often part of a Color Management System (CMS), uses these profiles to adjust color data, interpreting the profile’s instructions to render colors accurately.

Remark: ICC profiles can be for greyscale, extended gamut 7 colour colours and other colour combinations, well as the more common RGB and CMYK profiles.

Vulnerability details: iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below contain a Use After Free vulnerability in the CIccXform::Create() function, where it deletes the hint. This issue is fixed in version 2.3.1.1.

Official announcement: Please refer to the link for details

https://www.tenable.com/cve/CVE-2026-21675

AI and ML, Potential Risk of CVE

CVE-2026-21452: About MessagePack for Java (7th Jan 2026)

Leave a comment

Preface: Aerospike is a specific, high-performance NoSQL database, and benchmarks generally show it to be significantly faster than many other clustered NoSQL solutions like Cassandra and MongoDB.

The term “NoSQL” refers to a broad category of databases with varying performance characteristics, so a direct comparison is more nuanced than a simple yes/no answer.

Aerospike uses MessagePack as its default, internal serialization format for Lists and Maps (Collection Data Types or CDTs); it is not an optional configuration you need to enable in the core database itself.

Background: MessagePack is a compact binary serialization format designed to be more memory-efficient than text-based formats like JSON. For the Java implementation, its memory requirements depend on whether you are using the standard heap-based process or advanced off-heap optimizations.

The MessagePack serialization process primarily utilizes JVM Virtual Memory, which encompasses several different pools:

JVM Heap Memory, Off-Heap / Native Memory and OS Page Cache.

About EXT32?

•         In binary serialization formats (like Mashpack), EXT32 is a type identifier (byte 0xDD) indicating a subsequent 32-bit binary block or extension.

•         It’s used for efficiency, compacting data better than text formats (JSON, XML) by representing data directly as bytes.

Serialized EXT32 objects can require more memory in the JVM heap, primarily due to how standard Java MessagePack libraries manage large payloads during deserialization. While the MessagePack format itself is compact, the serialization and deserialization process in Java introduces specific memory overheads for the EXT32 type:

Large Payload Buffering (Heap Exhaustion) EXT32 is designed for large extension data, supporting payloads up to 4 GiB in size.

Vulnerability details: A known issue in msgpack-java (prior to v0.9.11) was that the library would trust the declared length in the EXT32 header and immediately attempt to allocate a matching byte array on the JVM heap.

Impact: If an EXT32 object declares a massive size, it can trigger rapid heap exhaustion or an OutOfMemoryError before the data is even fully read.

Official announcement: Please refer to the link for details.

https://www.tenable.com/cve/CVE-2026-21452

Potential Risk of CVE

CVE-2026-21440: Regarding the AdonisJS vulnerability, companies are advised to be vigilant! (January 6, 2026)

Leave a comment

Preface: Multiple fashion brands experienced significant cyber attacks and data breaches in 2025, with many incidents linked to third-party vendor vulnerabilities and attributed to hacking groups.

Louis Vuitton (LVMH Group): Confirmed a global cyber attack in July 2025 that compromised customer data in the UK, South Korea, Turkey, Italy, and Sweden. The data exposed included names, contact information, and purchase history, but no payment details.

Dior (LVMH Group): Disclosed a data breach in May 2025, which actually occurred in January, primarily affecting customers in Asia (South Korea and China). Compromised information included names, contact details, and shopping preferences.

Background: AdonisJS is a TypeScript-first web framework for building web apps and API servers. It comes with support for testing, modern tooling, an ecosystem of official packages, and a comprehensive documentation site. You can find the source code, guides, and community resources on the official AdonisJS website.

Node.js developers have varied opinions on AdonisJS, but many who prefer a structured, “batteries-included” framework are very fond of it. The framework provides a cohesive, full-stack development experience, which is a significant draw for certain types of developers.

AdonisJS provides a full suite of integrated features right out of the box, including an ORM (Lucid), authentication, validation, routing, and a CLI tool called “Ace”. This eliminates the “decision fatigue” of choosing and integrating numerous third-party packages.

Vulnerability details: AdonisJS is a TypeScript-first web framework. A Path Traversal vulnerability in AdonisJS multipart file handling may allow a remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This impacts @adonisjs/bodyparser through version 10.1.1 and 11.x prerelease versions prior to 11.0.0-next.6. This issue has been patched in @adonisjs/bodyparser versions 10.1.2 and 11.0.0-next.6.

Official announcement: Please refer to the link for details – https://www.tenable.com/cve/CVE-2026-21440

IoT, Potential Risk of CVE, Public safety

CVE-2025-68620: Signal K Server, no authentication is required, and authentication can be completely bypassed. (5th Jan 2026)

Leave a comment

NVD Published Date: 01/01/2026

Preface: Signal K’s popularity in the IoT space, especially in marine tech, is growing due to its open-source nature, enabling advanced, connected, and personalized vessel data systems, integrating with trends like AI, edge computing (via Meshtastic), and edge devices for remote monitoring and control, mirroring the broader IoT boom expected to hit 70+ billion devices by 2025.

GPS tells a ship where it is using satellites (passive location), while AIS (Automatic Identification System) is a communication system that broadcasts and receives data like who it is, where it’s going, and its position to other vessels using VHF radio (active sharing), often using GPS data as its source for location.

Background: When a client connects to a server’s event stream endpoint using a WebSocket or an HTTP request with a specific query parameter (e.g., serverevents=all), the server is designed to send all cached server events, including ACCESS_REQUEST events. 

This mechanism typically operates as follows:

Connection and Parameter Usage 

  • WebSocket: A client establishes a WebSocket connection using a URL that includes the desired query parameter, such as wss://server-address/stream?serverevents=all.
  • HTTP (Server-Sent Events): The client makes a long-lived HTTP GET request (using the EventSource API in a browser) to a similar URL, like https://server-address/stream?serverevents=all.
  • Server Logic: The server’s event handling function iterates over its internal cache of past events and writes each one to the newly connected client as part of the initial data synchronization. 

Ref: The original NMEA 2000 and automotive CAN bus protocols do not have built-in authentication or encryption requirements. The design of these standards focused on reliable data exchange and real-time performance, not cybersecurity.

Vulnerability details: When a client connects to a server event stream endpoint using a WebSocket or an HTTP request was approved .In essence, if anonymous send HTTP request with a specific query parameter (e.g., serverevents=all), the signalK-server will send all cached server events, including ACCESS_REQUEST events.

If anonymous receive the events, try and error polls those IDs. Under this try action. They have change to steals the JWT tokens (administrators approved).

Ref: Cached ACCESS_REQUEST Events – Among these cached events are ACCESS_REQUEST objects. These contain sensitive details about pending security access requests, including:

  • Request IDs
  • Client identifiers and descriptions
  • Requested permission levels (e.g., admin, read-only)
  • Client IP addresses

Remedy: SignalK-server Version 2.19.0 fixes the underlying issues

Official announcement: Please refer to the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2025-68620

Cell Phone (iPhone, Android, windows mobile), Potential Risk of CVE

The Linux kernel CVE-2023-54324 was released on December 30, 2025. Do you think that is valuable to know? (2nd Jan 2026)

Leave a comment

Preface: Essentially, when security experts read vulnerability lists, the priority is time-dependent. For example, if you read a CVE reference document on January 2, 2025, but the document’s starting date is 2023, there’s a 99% chance you’ll ignore it. This makes sense, after all, it’s two years ago. According to vendor practice, when patches are released, they prioritize notifying customers. The timing of public releases depends on the vendor’s policy. But what made me interested in this CVE and want to delve deeper? In fact, when you investigate further, you discover more information than expected.

You’re welcome to continue exploring.

Background: Instead of the md driver’s classic RAID, Android utilizes the Device Mapper (DM) framework—specifically the same dm-ioctl.c interface you noted earlier—to implement modern, mobile-specific storage features.

The Device Mapper framework operates within standard kernel memory space and uses the general-purpose Linux memory allocators (kmalloc, the buddy allocator, or potentially the Contiguous Memory Allocator (CMA) for large buffers).

However, seems the major remedy  is implement a tool ( rw_semaphore devices_lock). When the Device Mapper drivers (dm-ioctl.c, dm-core.h, and dm-table.c) are used on an Android smartphone with a Qualcomm processor. The memory used by the storage drivers (drivers/md/) and the memory managed by the graphics drivers (Qualcomm’s KGSL) are distinct and reserved for different purposes:

Storage (Device Mapper) Memory

The Device Mapper framework operates within standard kernel memory space and uses the general-purpose Linux memory allocators (kmalloc, the buddy allocator, or potentially the Contiguous Memory Allocator (CMA) for large buffers).

  • When the storage drivers perform tasks like encryption (dm-crypt) or integrity checks (dm-verity), they are processing data from the main system RAM or directly from the physical storage chip using Direct Memory Access (DMA).
  • The system uses memory pools like ION or ashmem to manage shared buffers between the kernel and user-space applications for storage tasks. These are separate from GPU pools. 

Vulnerability details: In the Linux kernel, the following vulnerability has been resolved.

dm: fix a race condition in retrieve_deps There’s a race condition in the multipath target when retrieve_deps races with multipath_message calling dm_get_device and dm_put_device. retrieve_deps walks the list of open devices without holding any lock but multipath may add or remove devices to the list while it is running. The end result may be memory corruption or use-after-free memory access.

See this description of a UAF with multipath_message(): https://listman.redhat.com/archives/dm-devel/2022-October/052373.html Fix this bug by introducing a new rw semaphore “devices_lock”. We grab devices_lock for read in retrieve_deps and we grab it for write in dm_get_device and dm_put_device.

Official announcement: Please refer to the link for details. https://www.tenable.com/cve/CVE-2023-54324

Cell Phone (iPhone, Android, windows mobile), Potential Risk of CVE

CVE-2025-43529: Apple Multiple Products Use-After-Free WebKit Vulnerability (31-12-2025)

Leave a comment

NVD Published Date:12/17/2025

NVD Last Modified:18/12/2025

Preface: Apple Multiple Products Use-After-Free WebKit Vulnerability

Required Action – Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Date Added – 12/15/2025

Due Date – 01/05/2026

Ref: CISA’s BOD 22-01 isn’t specifically for cloud services but mandates U.S. federal agencies to rapidly fix high-risk, known exploited vulnerabilities (KEVs) listed in CISA’s catalog, including those in cloud environments, by providing strict timelines for remediation. It requires agencies to update vulnerability management procedures, apply to all software/hardware on federal systems (even third-party clouds), and focus on the CISA KEV catalog for critical patching, thereby significantly reducing federal cyber risk.

Background: Chrome used to use WebKit but now uses its own fork called Blink, except on Apple’s iOS/iPadOS where it’s forced to use WebKit due to Apple’s rules, while Blink powers most other desktop/mobile versions and is a descendant of WebKit. Think of it like this: Chrome started with WebKit, then created Blink from it for speed, but iOS versions remain WebKit-based.

The version of Google Chrome available on Apple’s iOS and iPadOS devices is indeed required to use the underlying WebKit framework provided by the operating system, which is the exact same engine that powers Apple’s own Safari browser.

Apple’s iOS and its Safari browser do not natively use Vulkan or DirectX; instead, they rely exclusively on Apple’s own proprietary graphics API, called Metal.

Google has to build its browser on top of Apple’s WebKit framework, which itself integrates seamlessly with Apple’s comprehensive memory management systems like ARC and the iOS kernel’s memory allocation routines. Metal plays a critical role in how the browser draws things incredibly fast on your screen, leveraging the GPU’s power, but it is not a general-purpose memory manager for the entire application’s operational needs.

Vulnerability details: A use-after-free issue was addressed with improved memory management. This issue is fixed in watchOS 26.2, Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2, tvOS 26.2. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-14174 was also issued in response to this report.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2025-43529