Category Archives: Potential Risk of CVE

CVE-2026-56287: A Boolean-based blind vulnerability exists in Apache Fineract’s Client Search API (17th July 2026)

Preface: AI systems use Apache Fineract’s Client Search API through AI-to-banking bridges like Model Context Protocol (MCP) servers. [1, 2]

The OpenMF (Mifos Initiative) community actively maintains mcp-mifosx, an MCP server designed to connect Large Language Models (LLMs) and AI agents to the Apache Fineract core banking platform. When an AI assistant handles customer analysis, automated loan processing, or fraud detection, it relies heavily on the Client Search API to locate customer profiles, verify financial details, and navigate banking data.

Individual AI model inherently owns or hardcodes Apache Fineract’s Client Search API. Instead, any LLM or AI model (such as Anthropic’s Claude, OpenAI’s GPT-4o, or Google’s Gemini) can use this API by leveraging the newly standardized Model Context Protocol (MCP).

Background: In versions up to and including 1.14.0, Apache Fineract fails to properly validate the orderBy and sortOrder request parameters in its Client Search API.

Developers often use parameterized queries (Prepared Statements) for standard WHERE clauses. However, SQL syntax does not allow parameters for ORDER BY column names or directions. Because of this, developers sometimes make the mistake of using raw string concatenation for sorting clauses.

An authenticated user can inject arbitrary SQL queries. Because the backend database behavior (like the order or presence of returned items) changes depending on whether an injected True/False logic statement matches, attackers can extract full database schemas and records character-by-character. On MySQL or MariaDB, it can even trigger LOAD_FILE() to read local system files.

From technical point of view, MCP servers act as bridges connecting Large Language Models (LLMs) to enterprise data tools. If an AI agent interacts with the Fineract API hosted on your MCP server, an attacker could abuse the agent via indirect prompt injection (e.g., feeding the AI a malicious string via user profile fields) to silently trigger the blind SQLi payload.

Furthermore, AI agents often operate under a perimeter of trusted workflows. A successful boolean blind SQLi can leak sensitive credentials from your database or local server files. The attacker can then force the MCP server to abuse its broad integrations (like executing host commands or calling external APIs).

Vulnerability details: A boolean-based SQL Injection vulnerability exists in Apache Fineract’s Client Search API (GET /api/v1/clients) in versions up to and including 1.14.0. The orderBy and sortOrder request parameters are concatenated into a SQL query without sufficient validation, allowing an authenticated user with permission to view clients to inject arbitrary SQL via a crafted orderBy value. This can be leveraged to perform blind boolean-based data extraction and, on MySQL/MariaDB, to disclose arbitrary files readable by the database process via the LOAD_FILE() function. Users are recommended to upgrade to a version containing the fix.

Affected versions:

  • Apache Fineract 1.14.0
  • Apache Fineract 1.15.0 unaffected

Official announcement: Please refer to the link for details –

https://www.tenable.com/cve/CVE-2026-56287

CVE-2026-24233: Deserialization of Untrusted Data havoc TensorRT-LLM (16th Jul 2026)

Preface: DeepSpeed MII, an open-source Python library developed by Microsoft, aims to make powerful model inference accessible, emphasizing high throughput, low latency, and cost efficiency. TensorRT LLM, an open-source framework from NVIDIA, is designed for optimizing and deploying large language models on NVIDIA GPUs.

Microsoft’s DeepSpeed suite (including DeepSpeed-MII) and NVIDIA’s TensorRT-LLM each use their own proprietary kernel optimizations, memory management systems, and compilation workflows.

Background: During the early development lifecycle of TensorRT-LLM (v0.x through early v1.x), the framework relied heavily on PyTorch routines to read incoming checkpoint binaries primarily due to an aggressive development timeline focused on rapid time-to-market and deep integration with the existing Hugging Face/PyTorch ecosystem.Rather than building custom, bare-metal file deserializers from scratch, NVIDIA engineers utilized PyTorch as a bridge to quickly establish functional features.

The early reliance on standard PyTorch routines (like torch.load()) to read checkpoint binaries is directly related to why an initialized RestrictedUnpickler did not mandate a strict Register Allowlist restriction (Safe Globals).The technical breakdown of why this occurred during the v0.x through early v1.x lifecycle includes:

The Open-World “Arbitrary Tensor” ProblemTo implement a strict RestrictedUnpickler with an active Register Allowlist, a developer must know every single class, module, and data type that will ever appear in the input file.

The Reality: In early TensorRT-LLM releases, scripts had to support checkpoints coming from Hugging Face, deep-speed saves, raw PyTorch, Megatron-LM, and dozens of community-forked models.

The Conflict: If NVIDIA engineers had mandated a strict Safe Globals allowlist, any checkpoint containing custom third-party extensions, custom metadata classes, or non-standard tensor storages (like specialized quantization state structures) would have instantly triggered a _pickle.UnpicklingError. Mandating it would have severely hindered user adoption.

Vulnerability details: CVE-2026-24233 NVIDIA TensorRT-LLM for Linux contains a vulnerability in the restricted unpickler used for model weight deserialization, where a local, unauthenticated attacker could cause deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and information disclosure.

Official announcement: Please refer to the link fore details – https://nvidia.custhelp.com/app/answers/detail/a_id/5840

CVE-2026-10666: The bug was introduced when the parser was added (Zephyr v1.9.0) and shipped in all releases through v4.4.0. (15th July 2026)

Preface: Zephyr (backed by the Linux Foundation) frequently trades places with FreeRTOS as the most widely adopted open-source RTOS in embedded industry surveys.

Background: While Zephyr introduced a completely revamped, native IP stack in version v1.7.0 (migrating away from its original heavily modified uIP foundation), it initially lacked standardized support for string-to-numeric IP address translation within its native tools and DNS resolver interfaces. Applications handling raw string literals had to rely on manual, custom string splitting or external parsing logic.

In traditional networking, parsing an IP address string requires guessing the IP version first or making separate, verbose calls to POSIX functions like inet_pton(). Zephyr’s native utility is specifically optimized for resource-constrained IoT environments where code space and RAM are heavily restricted.

The net_ipaddr_parse() utility was introduced to simplify and unify string-to-binary conversion for dual-stack (IPv4 and IPv6) address processing into a single, light footprint function. The parser was first introduced (v1.9.0), confirming it does not exist in older codebases.

Ref: This specific utility (net_ipaddr_parse()) became widely documented due to a security flaw identified in CVE-2026-10666. Security audits explicitly track this stack-based buffer overflow vulnerability back to the very commit where the parser was first introduced (v1.9.0), confirming it does not exist in older codebases.

Vulnerability details: CVE-2026-10666 was introduced when an address parser was added way back in Zephyr version 1.9.0, and it has quietly shipped in all subsequent releases up through version 4.4.0.

An attacker triggers this weakness during the network address resolution phase. If an application attempts to resolve a network-influenced address string—such as through a custom DNS configuration or the zsock_getaddrinfo API—the attacker can supply a specially crafted address containing an oversized port suffix. For example, feeding a literal IP followed by hundreds of bytes of an attacker-controlled payload.”

The root cause lies in how copy_len is derived. The function calculates the length using the logic str_len - end - 1. Because the total incoming string length is completely unbounded, an attacker can manipulate this math to force an arbitrarily large copy_len.

When the program executes memcpy to copy the port string into the fixed 17-byte ipaddr stack buffer, it triggers an out-of-bounds stack write. This immediately results in memory corruption, a total Denial of Service, or potentially control-flow hijacking.”

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2026-10666

“CVE-2026-24240, CVE-2026-24243 through 24245, 24247, and 24249: NVIDIA Megatron Bridge…”

Date of publication of this article: 14th July 2026

Preface: AI vendors typically use Hugging Face for initial fine-tuning, but once they need massive scale (tensor, pipeline, and sequence parallelism), they use the Bridge to convert HF checkpoints into Megatron format.

Ref: Hugging Face acts as the repository (like a “GitHub for AI”) where developers download these pre-trained models rather than building them from scratch.

Background: The NVIDIA Megatron Bridge belongs squarely to the Training and Customization pillars of the NVIDIA NeMo Framework.

Megatron Bridge includes Qwen-VL processing components to enable scalable distributed training, Supervised Fine-Tuning (SFT), and bidirectional checkpoint conversion for Qwen-VL foundation models on NVIDIA infrastructure.

Qwen models process video inputs natively by integrating 3D convolutions and multimodal rotary embeddings. The Megatron Bridge includes these exact Qwen-VL architecture definitions (e.g., Qwen35VLBridge) to correctly translate data between the Hugging Face framework and Megatron’s Core.

Where merge[.]py and shuffle[.]py Fit In?

Scripts handling actions like merge or shuffle typically live in the following areas of the ecosystem:

• src/megatron/bridge/data/: Submodules here handle on-the-fly streaming, iterating, and formatting of text/VLM data.

• scripts/ / tools/: Utility workflows built alongside Megatron Core use standalone python tools (like merge_datasets[.]py or preprocess_data[.]py) to consolidate large dataset shards and randomize training inputs.

Vulnerability details: Note on Parallel Vulnerabilities – The exact same insecure deserialization mechanic (pickle[.]loads() / np[.]load) shown above handles user inputs across adjacent workflows, triggering CVE-2026-24243 in the Qwen VL video processing components, and CVE-2026-24244, 24245, 24247, and 24249 within the wider data packaging and sample chunking scripts.

The identical descriptions for CVE-2026-24240, CVE-2026-24243, CVE-2026-24244, CVE-2026-24245, CVE-2026-24247, and CVE-2026-24249 occur because NVIDIA grouped multiple distinct insecure deserialization instances across separate files into one security release.

Details of above multiple vulnerabilities –

NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and information disclosure.

CWE-502 – The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Impact – Code execution, escalation of privileges, data tampering, information disclosure.

Official announcement: Please refer to the link for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5841

CVE-2026-54783: SCADA staying alert by CoreWCF design weakness, no special privileges can capture a single signed SOAP envelope and replay arbitrary service operations by acting as the victim principal. (13th Jul 2026)

Preface: The SOAP Header is an optional sub-element in a SOAP message (XML file) used to convey additional non-functional information (such as security authentication, keys, transaction processing, or routing messages) that is not directly related to the business entity. If a SOAP message includes a Header, it must immediately follow the <soap:Envelope> root element and precede <soap:Body>.

Background: Why Do SCADA Systems Use “Signed SOAP Envelopes”?
In the evolution of industrial networks, there are two primary reasons why automation vendors adopted WS-Security signed envelopes:


Early OPC UA (OPC Unified Architecture) Implementations
The Context: OPC UA is the most dominant communication protocol between SCADA, PLCs, and automation systems. In the early specifications of OPC UA, Microsoft’s WCF was officially chosen as one of the core communication stacks (specifically WCF’s SOAP/HTTP and SOAP/TCP bindings).

The Architecture: To ensure data integrity and prevent malicious tampering, the OPC UA specification required end-to-end encryption and signing of messages. Consequently, many older SCADA servers developed between 2010 and 2018 embedded their security logic directly inside the XML headers (WS-Security Header) of the SOAP envelope. When migrating these legacy systems to .NET Core/6/8, using CoreWCF to handle these signed SOAP envelopes is the only way to avoid completely rewriting the client-side software.

Vulnerability details: CVE-2026-54783 is a critical XML Signature Wrapping (XSW) vulnerability affecting the CoreWCF and CoreWCF.Primitives libraries. It allows unauthenticated attackers to replay captured signed SOAP messages, potentially leading to unauthorized execution of arbitrary operations. This flaw is resolved in CoreWCF versions 1.8.1 and 1.9.1.

Reminder: If reader tries to run this exact code out of the box, they would need to manually pre-populate variables like req_xml, NAMESPACES, {extracted_header_str}, and {body_str} because the infographic omits the initial network-sniffing and XML-parsing code for brevity.

An unprivileged “Man-in-the-Middle” (MitM) attacker on the local OT network can capture a single legitimate control request, alter the underlying command body via script, and replay it successfully. An attacker could exploit this to impersonate SCADA host and issue unauthorized operational or shutdown commands directly to field equipment.

Remediation: Update to version 1.8.1 or 1.9.1 and later.

Official announcement: Please refer to the link for details – https://www.tenable.com/cve/CVE-2026-54783

CVE-2026-21383: Reusing a Nonce, Key Pair in Encryption in HLOS (10th Jul 2026)

Preface: Today, the average person spends seven to eight hours a day staring at electronic screens, creating a huge demand for computer glasses. The widespread adoption of remote work, online learning, and smartphones has transformed computer glasses from a niche accessory into an everyday necessity. By 2026, the computer glasses market will have officially evolved from a simple health accessory into a highly complex, multi-billion dollar industry. This year, the market is valued at over $2.1 billion and is experiencing rapid growth, driven by factors such as workplace culture, people’s extreme reliance on screens, and rapid technological advancements.

Background: The HLOS (Advanced Operating System) embedded or deployed on the Snapdragon AR1+ first-generation platform is custom-developed, with extensive modifications to the standard open-source baseline to meet the extreme constraints of ultra-light smart glasses. Qualcomm provides OEMs with highly customized, stripped-down Board Support Packages (BSPs) based on either a minimal Android Open Source Project (AOSP) core or a custom Yocto-based Linux platform. All unnecessary smartphone background services (like telephony, desktop rendering pipelines, and heavy UI frameworks) are completely removed. In modern cryptography (like AES-GCM or AES-CBC), the IV must be unique for every single encryption operation under the same key. Reusing an IV breaks the security guarantees of these modes, potentially exposing your plaintext data.

A failure in how Qualcomm’s internal handler performs AES-GCM key wrapping. Specifically, the platform was mistakenly using a static Initialization Vector (IV / Nonce) every time it wrapped a key.

Ref: When vulnerability occurs, an attacker has two ciphertexts generated with the same keystream, they can XOR them together to cancel out the keystream and expose the original plaintexts.

Here is how modern modes like AES-GCM and AES-CTR eliminate this vulnerability.

The Initialization Vector (IV) or NonceThe primary defense is the introduction of an IV (Initialization Vector) or a Nonce (number used once).

Unique Input: Before generating the keystream, the cipher mixes the secret key with the unique IV/Nonce.

Changing Keystream: Because the Nonce changes for every single message, the mathematical output (the keystream) changes completely, even if the secret key stays the same.

Vulnerability details:

CVE ID CVE-2026-21383

Title : Reusing a Nonce, Key Pair in Encryption in HLOS

Description : Cryptographic Issue when using a static initialization vector for AES-GCM key wrapping, which requires a unique value for each call to ensure security.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2026-21383

CVE-2026-38973: About mrubyc design weakness through release 3.4.1. (9th Jul 2026)

Preface: mruby/c remains active in certain industry scenarios that require Ruby’s rapid development capabilities but are limited by hardware constraints that standard mruby (which requires more memory) cannot support. It is widely used in:

• Internet of Things (IoT) edge devices.

• Factory automation and industrial sensors (especially favored by Japanese engineering companies).

• Custom firmware requiring lightweight, high-efficiency script engines embedded in C code.

Background: Which type of IoT devices use mruby/c?

mruby/c is used in resource-constrained, battery-powered IoT devices that require concurrent tasks but lack the memory to run a full operating system. Because its virtual machine runs on as little as 20 KB of RAM, it is deployed in hardware environments where other high-level languages like MicroPython or standard mruby (which requires >100 KB) are too heavy.

When a method lookup fails across the normal inheritance chain, the virtual machine invokes a specialized, static “builtin fallback routine” inside mrbc_find_method(). Because the bytecode execution pointer (pc) or target ID array indexes are processed directly within the loop logic without an explicit boundary assertion check, malicious or unexpectedly formatted bytecode can trigger an out-of-bounds read.

Why does a microcontroller use a Virtual Machine? Unlike a system virtual machine (like VMware or VirtualBox) that emulates an entire computer system or operating system, a programming language VM (like the Java Virtual Machine or the mruby/c VM) acts as a software execution engine.

•               The Process: Your Ruby code is first compiled into bytecode.

•               The VM’s Job: The mruby/c VM reads this bytecode step-by-step and translates it into physical instructions the ESP32 chip can understand.

Vulnerability details: mrubyc through release3.4.1 was found to contain an out-of-bounds read in builtin missing-method lookup inside mrbc_find_method().

Remedy: If you are compiling custom firmware using embedded mruby/c, you can fix this risk by following the repository changes:

1.             Pull the official fixed code directly from the mruby/c GitHub repository.

2.             Recompile your source directory to ensure that both the mrbc_find_method() out-of-bounds read and any related macro handlers are updated on your target MCU.

Official announcement: Please refer to the link for details – https://www.tenable.com/cve/CVE-2026-38973

CVE-2026-25268: Stack-based Buffer Overflow in WLAN Host  (8th Jul 2026)

Preface: The vulnerability’s entry point: The memory corruption in the Qualcomm driver is not caused by parsing Radiotap, but rather by the driver parsing invalid HT40 channel layout elements (HT Capabilities / HT Operation IEs) carried in 802.11 management frames (such as Beacon, Probe Response, or Channel Switch Announcement) sent from the remote base station (AP).

Background: The qcacld (Qualcomm Atheros Closed Source / Prima WLAN Driver) is exactly the WLAN host driver for Qualcomm-based wireless chips. It runs on the main operating system and manages the Wi-Fi hardware, translating between the OS network stack and the firmware on the wireless module.

The qcacld (specifically qcacld-2.0 or qcacld-3.0) codebase handles everything related to wireless connections, including supplicant communication, 802.11 association, and radio management. It works alongside the chip-specific firmware (e.g., WCNSS) and hardware configuration files (like qca_cld/WCNSS_qcom_cfg[.]ini) to ensure proper Wi-Fi and Bluetooth coexistence.

Vulnerability details: CVE-2026-25268 is a memory corruption vulnerability (stack-based buffer overflow) affecting WLAN host drivers. It is triggered during dynamic channel switching operations when the system improperly processes invalid HT40 (High Throughput 40MHz) channel layouts.

Core Technical Details

  • CWE Identifier: CWE-119 (Memory Corruption / Buffer Overflow)
  • CVSS Severity: High (8.8)
  • Vector: Local network
  • Impact: Allows for the corruption of memory, which can lead to application crashes, system instability, or potential arbitrary code execution.

Affected Systems

This flaw specifically impacts Wi-Fi/WLAN host driver components and has been documented in major hardware vendors such as Qualcomm.

Mitigation

Because this flaw is usually tied to vendor-specific firmware or driver code, the primary path to remediation involves patching your wireless infrastructure or devices.

  1. Apply Manufacturer Updates: Monitor your vendor’s security bulletins for firmware upgrades that address this issue.
  2. Consult Vendor Advisories: Review the relevant official updates, such as the Qualcomm Security Bulletin, to identify the specific patched driver versions for your affected hardware.
  3. Network Isolation: Until patches can be deployed, consider isolating potentially vulnerable wireless devices from critical network segments to limit your attack surface.

Official announcement: Please refer to the link for details – https://docs.qualcomm.com/product/publicresources/securitybulletin/july-2026-bulletin.html

Security Bulletin: NVIDIA ConnectX and BlueField – June 2026 (CVE-2025-23351 and CVE-2025-23350) 7th Jul 2026

Preface: While tech giants like Google rely on custom TPUs to cut costs and scale internal models like Gemini, NVIDIA remains globally dominant. This is because AWS and other cloud providers do offer NVIDIA H100s Amazon EC2 P5 Instances, and NVIDIA possesses an unmatched software ecosystem and universal hardware compatibility.

The NVIDIA ConnectX and BlueField command interface allows host software and firmware to communicate directly using the hardware’s internal mlx5 messaging layout. When Single Root I/O Virtualization (SR-IOV) is enabled, a local user or Virtual Machine (VM) interacting with a Virtual Function (VF) gains direct hardware access through this command interface to accelerate network capabilities.

Background: NVIDIA Secuirty Bulletin stated that a design weakness where local users with VF access could cause out-of-bounds write. However, there is ICM Page Limiting feature that the command interface enforces rules that prevent unprivileged guest users from overloading the server. Administrators can use the page_limit feature to cap the firmware interface memory (Internal Context Memory / ICM) that a rogue VF can pin down, avoiding host resource exhaustion? Do you think this function operate well in secure by design?

Answer: No, the ICM Page Limiting function does not operate well on its own under a strict “Secure by Design” philosophy when a severe memory corruption flaw like CVE-2025-23351 or CVE-2025-23350 is present.

While ICM Page Limiting is an excellent operational control for managing fair resource allocation, it falls short as a primary security defense because of how the two features interact at the architecture level. For details, please refer to attached infographic.

Vulnerability details:

CVE-2025-23351 and CVE-2025-23351 – NVIDIA ConnectX and BlueField contain a vulnerability in the command interface where a local user with virtual function (VF) access may cause a write out of bounds by crafted input. A successful exploit of this vulnerability may lead to arbitrary code execution on the device.

Official announcement: Please refer to the link for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5699

CVE-2026-24270: About NVIDIA AIStore framework (6th July 2026)

Official published: 30th June 2026

Preface: Tailoring AI training for petascale environments (hundreds of GPUs/TPUs) requires distributed parallelism, robust fault tolerance, and specialized hardware-aware data pipelines. It is essential to balance computational scale across memory, storage bandwidth, and communication.

Background: NVIDIA AIStore is a lightweight, distributed object storage system built from scratch and specifically tailored for petascale AI training and inference workloads. It acts as a high-performance, horizontally scalable storage middleware designed to keep powerful GPUs fed with data and eliminate I/O bottlenecks.

What NVIDIA AIStore Actually Manages? Instead of routing GPU math, AIStore acts as an ultra-fast, horizontally scalable storage middleware to feed those GPUs. Its job is to eliminate I/O bottlenecks so your multi-dimensional parallel cluster doesn’t sit idle waiting for data.

Immediately Invoked Function Expression (IIFE) is a JavaScript design pattern where a function is defined and executed immediately. It creates an isolated local scope, preventing variables from polluting the global environment. IIFE is a purely software-level coding structure used in web development and Node.js.

When Would JavaScript See It?The only exception is if you are running a local Node.jsapplication directly on your machine (not inside a browser) and you explicitly write code to read the $HOME/.config/ais/cli/auth[.]token file.

Ref: A Bearer MALFORMED_OR_EMPTY_STRING pattern represents an API authorization header request where the actual security token is missing, null, broken, or literally replaced by an error message string (e.g., Authorization: Bearer undefined).

While this is fundamentally a client-side programming error, it is highly dangerous to backend systems because of how poorly written security middleware handles it.

Vulnerability details: CVE-2026-24270 NVIDIA AIStore framework contains a vulnerability where an attacker could bypass authentication. A successful exploit of this vulnerability might lead to denial of service, escalation of privileges, information disclosure, and data tampering.

Official announcement: Please refer to the link for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5849