CVE-2025-21425: Memory corruption may occur due to improper access control in HAB process. (10th Apr 2025)

Announcement on January 6, 2022: GM and Qualcomm showcase collaboration at CES that brings first dedicated Snapdragon system-on-chips to GM’s upcoming advanced driver assistance system for fast, robust data processing.

Preface: When the Snapdragon SA8540P SoC and SA9000P AI accelerator work together, they typically use a coordinated boot process. Each component has its own firmware, but they are designed to work seamlessly together within the system.

Background: The High Assurance Boot (HAB) process is located within the embedded OS environment, specifically in the normal world. It is designed to ensure that only authenticated and trusted software images are executed on the device, providing a secure boot mechanism.

Here’s a brief overview of how HAB works:

  1. Digital Signatures: HAB uses digital signatures to authenticate the initial software image. This involves creating a unique identifier (certificate) for the image using asymmetric encryption. The private key is used to encrypt the image, while the public key is attached to it.
  2. Authentication: During boot, the boot ROM uses the public key to decrypt the certificate and verify the image. If the certificate matches the image, it is considered trusted and allowed to run. Otherwise, it is rejected.
  3. Chain of Trust: HAB establishes a chain of trust for subsequent software components, such as the kernel image, ensuring that the entire system remains secure.

Vulnerability details: Improper Access Control in Automotive Linux OS. Memory corruption may occur due to improper access control in HAB process.

Technology Area – Automotive Linux OS

Vulnerability Type – CWE-284 Improper Access Control

Official announcement: Please refer to the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2025-21425

About: CVE-2024-0179 – SMM Callout vulnerability and CVE-2024-21925 – Improper input validation (9th April 2025)

Preface: An SMM Callout is a type of vulnerability found in System Management Mode (SMM) code. This occurs when SMM code calls a function located outside of the System Management RAM (SMRAM) boundaries. The most common scenario is when an SMI (System Management Interrupt) handler tries to invoke a UEFI boot service or runtime service as part of its operation.

This vulnerability can be exploited by attackers with OS-level privileges to modify the physical pages where these services reside, potentially hijacking the privileged execution flow.

Background: STM stands for SMI Transfer Monitor. It is a security mechanism used within the System Management Mode (SMM) of a computer’s firmware. Below are some key points about STM:

Purpose: STM is designed to monitor and control the behavior of SMM code, providing a layer of security by mediating the actions of SMM drivers.

Functionality: It acts as a hypervisor within SMM, functioning alongside the main hypervisor or operating system. STM hosts the SMI (System Management Interrupt) handler in a virtual machine, thereby restricting its access to the platform.

Security: By constraining the SMI handler, STM helps prevent potential security breaches that could undermine the integrity of the system.

Vulnerability details: CVE-2024-21925 is the result of a lack of sufficient input buffer(s) validation within the AmdPspP2CmboxV2 UEFI module. CVE-2024-0179 is an SMM (System Management Mode) Callout vulnerability within the AmdCpmDisplayFeatureSMM UEFI module. Both can allow ring-0 attackers to escalate their privileges, potentially resulting in arbitrary code execution. AMD has begun releasing firmware mitigations to fix these vulnerabilities.  
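The kind of input buffer validation whose absence is described above, as an added C example; it is not AMD's code and does not reproduce either module. The SMRAM window, the address-space limit, the length cap and the mbox_req_t layout are constructed for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed values for illustration; firmware obtains these from the platform. */
#define SMRAM_BASE    0x7F000000ULL
#define SMRAM_SIZE    0x01000000ULL
#define MAX_PHYS_ADDR 0xFFFFFFFFFFULL /* 40-bit physical address space */
#define MAX_DATA_LEN  4096u

/* Hypothetical mailbox request that the OS places in normal memory. */
typedef struct { uint32_t cmd; uint32_t data_len; uint64_t data_ptr; } mbox_req_t;

typedef enum { REQ_OK, REQ_BAD_HEADER, REQ_BAD_LEN, REQ_OVERLAPS_SMRAM } req_status;

/* True only if [addr, addr+len) is non-empty, does not wrap, lies within the
 * physical address space and does not touch SMRAM. */
static bool range_outside_smram(uint64_t addr, uint64_t len)
{
    if (len == 0 || addr > MAX_PHYS_ADDR || len - 1 > MAX_PHYS_ADDR - addr)
        return false;
    uint64_t last = addr + (len - 1);
    return last < SMRAM_BASE || addr >= SMRAM_BASE + SMRAM_SIZE;
}

/* req_addr/req_len: location the caller claims; mem: simulated view of it. */
static req_status validate_request(uint64_t req_addr, uint64_t req_len,
                                   const mbox_req_t *mem, mbox_req_t *local)
{
    if (req_len < sizeof(*local))
        return REQ_BAD_HEADER;
    if (!range_outside_smram(req_addr, sizeof(*local)))
        return REQ_OVERLAPS_SMRAM;
    *local = *mem;                 /* snapshot once, so the checks and the later
                                      use see the same values (no double fetch) */
    if (local->data_len == 0 || local->data_len > MAX_DATA_LEN)
        return REQ_BAD_LEN;
    if (!range_outside_smram(local->data_ptr, local->data_len))
        return REQ_OVERLAPS_SMRAM; /* the nested pointer is checked as well */
    return REQ_OK;
}

/* Build a constructed request located at 0x2000 and validate it. */
static req_status check_sample(uint64_t data_ptr, uint32_t data_len)
{
    mbox_req_t os_view = { 1u, data_len, data_ptr }, local;
    return validate_request(0x2000, sizeof(os_view), &os_view, &local);
}

int main(void)
{
    printf("normal buffer:     %d\n", check_sample(0x10000, 64));
    printf("points into SMRAM: %d\n", check_sample(0x7F000100ULL, 64));
    printf("straddles SMRAM:   %d\n", check_sample(0x7EFFFFF0ULL, 0x20));
    printf("oversized length:  %d\n", check_sample(0x10000, 1u << 20));
    return 0;
}
```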

Official announcement: Please refer to the link for details – https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7027.html

CVE-2025-0050: Arm Mali GPU Userspace Driver could allow an Out-of-Bounds access (8th April 2025)

Preface:

A Use-After-Free (UAF) vulnerability occurs when a program continues to access memory after it has been freed. This can lead to unpredictable behavior, crashes, or even allow an attacker to execute arbitrary code. For example, if a program frees a block of memory but later tries to read or write to that memory, it can cause serious issues.

An Out-of-Bounds vulnerability happens when a program reads or writes data outside the boundaries of allocated memory. This can corrupt data, crash the program, or be exploited by attackers to execute arbitrary code. For instance, if an array has a size of 10 elements and the program tries to access the 11th element, it results in an out-of-bounds access.

Background:

GLES stands for OpenGL for Embedded Systems. It’s a subset of the OpenGL API designed for embedded devices like smartphones, tablets, and other portable devices. GLES is widely used in mobile games and applications because it provides a balance between performance and power consumption.

VK refers to Vulkan, a newer graphics API that provides high-efficiency, cross-platform access to modern GPUs. Vulkan offers more control over the GPU and lower overhead compared to OpenGL, making it suitable for high-performance applications like AAA games and real-time simulations.

Vulnerability details: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Arm Ltd Bifrost GPU Userspace Driver, Arm Ltd Valhall GPU Userspace Driver, Arm Ltd Arm 5th Gen GPU Architecture Userspace Driver allows a non-privileged user process to make valid GPU processing operations, including via WebGL or WebGPU, to access a limited amount outside of buffer bounds. This issue affects Bifrost GPU Userspace Driver: from r0p0 through r49p2, from r50p0 through r51p0; Valhall GPU Userspace Driver: from r19p0 through r49p2, from r50p0 through r53p0; Arm 5th Gen GPU Architecture Userspace Driver: from r41p0 through r49p2, from r50p0 through r53p0.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2025-0050

Another coincidental design flaw could have caused this vulnerability – Use after free in ANGLE in Google Chrome prior to 123.0.6312.86 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

https://nvd.nist.gov/vuln/detail/cve-2024-2883

System Management Mode (SMM) does not follow best practices. The impact extends beyond the desktop to HPC as well! (7th Apr 2025)

Preface: In the realm of High Performance Computing (HPC), processors that use the x86 architecture typically support System Management Mode (SMM). This includes:

- Intel Xeon Processors: Widely used in HPC systems, Intel Xeon processors support SMM for managing system-wide tasks such as power management and hardware control.

- AMD EPYC Processors: AMD EPYC processors, including the latest generations, also support SMM. These processors are known for their high core counts and robust performance in HPC environments.

Both Intel and AMD continue to leverage SMM in their x86-based processors to ensure efficient and secure system management.

Background: SMM operates transparently to the operating system and applications, allowing it to perform these tasks without interfering with the normal operation of the system.

Under HPC architecture, a cluster of computers essentially operates as a single entity, called a node, that can accept tasks and computations as a collective.

The isolation is particularly beneficial in HPC environments where uninterrupted performance is crucial.

Technical details: System Management Mode (SMM) uses System Management RAM (SMRAM) to store and manage tasks. SMM is triggered through a System Management Interrupt (SMI), a signal sent from the chipset to the CPU. During platform initialization, the firmware configures the chipset to cause a System Management Interrupt for various events that the firmware developer would like the firmware to be made aware of.

  1. SwSmiHandler: This is the function that will handle the SMI.
  2. RegisterSmiHandler: This function registers the SMI handler with the SMM SW Dispatch protocol.
  3. UefiMain: This is the entry point of the UEFI application, which calls the registration function.

The key steps are locating the SMM SW Dispatch protocol, setting up the context for the SMI handler, and registering the handler.

Reference: Design flaw in SMM published by AMD in Feb 2025. Please refer to the link for details – https://www.amd.com/en/resources/product-security/bulletin/amd-sb-4008.html

CVE-2025-3305: code projects IKUN_Library – Improper access control and incorrect privilege assignment (6th Apr 2025)

Preface: Investment banks use Spring Boot for developing microservices and REST APIs. Hospitality companies use Spring Boot for various backend services. Automotive companies use Spring Boot for configuration management and service discovery.

Background: IKUN_Library 1.0 is a library management system developed using SpringBoot and MyBatis. It provides functionalities for managing books, readers, and borrowing records. The system includes features like:

  • Basic CRUD operations (Create, Read, Update, Delete)
  • Login validation with interceptors
  • RESTful API for interface design
  • Database management using MySQL

Spring Boot is a popular framework that can be used to build a wide variety of Java applications. It is commonly used to build web applications, including REST APIs, web services, and MVC-based applications.

Vulnerability details: A vulnerability has been found in 1902756969/code-projects IKUN_Library 1.0 and classified as problematic. This vulnerability affects the function addInterceptors of the file MvcConfig.java of the component Borrow Handler. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Official announcement: Please refer to the official announcement for details – https://nvd.nist.gov/vuln/detail/CVE-2025-3305

About AMD Ryzen™ AI Software: CVE-2025-0014, CVE-2024-36337, CVE-2024-36336 & CVE-2024-36328 (3rd Apr 2025)

Preface: The Ryzen 7000 desktop and laptop chips were introduced in 2023. Alongside the main x86 CPU, Ryzen 7000 has a new type of coprocessor, a Neural Processing Unit (NPU), based on the XDNA™ AI Engine architecture. This new NPU is called Ryzen AI.

Background:

1. Install NPU Drivers

2. Download the NPU driver installation package NPU Driver

3. Install the NPU drivers by following these steps:

4. Extract the downloaded “NPU_RAI1.2.zip” zip file.

5. Open a terminal in administrator mode and execute the .\npu_sw_installer.exe file.

6. Ensure that NPU MCDM driver (Version:32.0.201.204, Date:7/26/2024) is correctly installed by opening Device Manager -> Neural processors -> NPU Compute Accelerator Device.

Vulnerability details:

CVE-2025-0014: Incorrect default permissions on the AMD Ryzen™ AI installation folder could allow an attacker to achieve privilege escalation, potentially resulting in arbitrary code execution.

CVE-2024-36337: Integer overflow within AMD NPU Driver could allow a local attacker to write out of bounds, potentially leading to loss of confidentiality, integrity or availability.

CVE-2024-36328: Integer overflow within AMD NPU Driver could allow a local attacker to write out of bounds, potentially leading to loss of integrity or availability.

CVE-2024-36336: Integer overflow within the AMD NPU Driver could allow a local attacker to write out of bounds, potentially leading to a loss of confidentiality, integrity, or availability.

Official announcement: Please refer to the official announcement for details – https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7037.html

CVE-2025-21983: While kvfree_rcu() itself is not fundamentally flawed, the issue in Linux has now been resolved by using a more appropriate workqueue. (2nd Apr 2025)

Preface: The buddy allocator is a well-known memory management algorithm used in the Linux kernel. It is designed to efficiently allocate and deallocate memory in contiguous blocks.

Background: What is RCU usage in the Linux kernel?

Read-copy update (RCU) is a scalable high-performance synchronization mechanism implemented in the Linux kernel. RCU’s novel properties include support for concurrent reading and writing, and highly optimized inter-CPU synchronization.

Currently kvfree_rcu() APIs use a system workqueue which is “system_unbound_wq” to drive the RCU machinery to reclaim memory.

In the Linux kernel, the kvfree_rcu() API uses a system workqueue, specifically the system_unbound_wq, to drive RCU (Read-Copy-Update) machinery for memory reclamation. This setup is used to handle deferred memory freeing in a non-blocking manner. However, there was a recent change where the workqueue was switched to a WQ_MEM_RECLAIM workqueue to ensure that memory reclamation tasks are handled more efficiently and to avoid potential kernel warnings.

Not every Linux API uses the system_unbound_wq to request memory. The system_unbound_wq is a specific type of workqueue used for tasks that are not bound to any particular CPU, allowing them to run on any available CPU. This is useful for tasks that require high concurrency or have wide fluctuations in concurrency levels.

Vulnerability details: The issue with kvfree_rcu() is primarily related to how it uses the system workqueue (system_unbound_wq) for memory reclamation. This can lead to kernel warnings and potential system instability. The warnings indicate that the workqueue framework rules are being violated, which can affect the reliability of the memory reclamation process.

Remedy: So, while kvfree_rcu() itself is not fundamentally flawed, the way it was implemented led to issues that have now been resolved by using a more appropriate workqueue.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2025-21983

CVE-2025-2953: Floating point exception in torch.mkldnn_max_pool2d (31st Mar 2025)

Preface: The torch.nn.MaxPool2d function in PyTorch is used to apply a 2D max pooling operation over an input signal, which is typically an image or a batch of images.

  • torch.mkldnn_max_pool2d is optimized for Intel’s MKL-DNN (Math Kernel Library for Deep Neural Networks). It leverages specific optimizations for Intel CPUs, which can lead to better performance on those processors. It might have limitations in terms of supported features and is more specialized for performance optimization.
  • torch.nn.MaxPool2d is a more general implementation that works across different hardware platforms without specific optimizations for Intel CPUs. It provides more flexibility and is easier to use within the PyTorch ecosystem, supporting various features like padding, dilation, and return indices.

Background: A floating point exception crash when using torch.mkldnn_max_pool2d can occur due to several reasons, often related to invalid or extreme values for parameters like kernel size, stride, or padding. Here are some common causes:

  1. Invalid Kernel Size: If the kernel size is set to an extremely large value or zero, it can lead to division by zero or other invalid operations, causing a floating point exception.
  2. Stride and Padding Issues: Similar to kernel size, setting stride or padding to extreme values can result in invalid calculations. For example, a stride of zero can cause the pooling operation to repeatedly access the same elements, leading to a crash.
  3. Input Tensor Dimensions: If the dimensions of the input tensor are not compatible with the specified kernel size, stride, or padding, it can lead to invalid memory access or calculations.
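The parameter checks implied by the three causes above, as an added C example that is not PyTorch's code: it computes the pooled output length of one dimension with the usual pooling output-size formula and rejects zero, negative or oversized parameters before any division. The function names, status codes, the POOL_DIM_MAX cap and the padding rule are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define POOL_DIM_MAX (1LL << 24) /* assumed sanity cap for every parameter */

typedef enum {
    POOL_OK, POOL_BAD_INPUT, POOL_BAD_KERNEL, POOL_BAD_STRIDE,
    POOL_BAD_DILATION, POOL_BAD_PADDING, POOL_EMPTY_OUTPUT
} pool_status;

/* Output length of one pooled dimension:
 *   floor((in + 2*pad - dilation*(kernel - 1) - 1) / stride) + 1
 * Native integer division by zero raises SIGFPE on Linux/x86, which the shell
 * reports as "Floating point exception", so stride is checked before dividing.
 * The cap keeps dilation*(kernel - 1) well inside int64_t. */
static pool_status pool_out_dim(int64_t in, int64_t kernel, int64_t stride,
                                int64_t pad, int64_t dilation, int64_t *out)
{
    if (in <= 0 || in > POOL_DIM_MAX)             return POOL_BAD_INPUT;
    if (kernel <= 0 || kernel > POOL_DIM_MAX)     return POOL_BAD_KERNEL;
    if (stride <= 0 || stride > POOL_DIM_MAX)     return POOL_BAD_STRIDE;
    if (dilation <= 0 || dilation > POOL_DIM_MAX) return POOL_BAD_DILATION;
    /* Assumed rule: padding may not exceed half the kernel size. */
    if (pad < 0 || pad > kernel / 2)              return POOL_BAD_PADDING;

    int64_t span = in + 2 * pad - dilation * (kernel - 1) - 1;
    if (span < 0)
        return POOL_EMPTY_OUTPUT; /* window does not fit the padded input */
    *out = span / stride + 1;
    return POOL_OK;
}

/* Returns the output length, or the negated status code when rejected. */
static int64_t pooled_len(int64_t in, int64_t kernel, int64_t stride,
                          int64_t pad, int64_t dilation)
{
    int64_t out = 0;
    pool_status st = pool_out_dim(in, kernel, stride, pad, dilation, &out);
    return st == POOL_OK ? out : -(int64_t)st;
}

int main(void)
{
    printf("in=32 k=2 s=2:    %lld\n", (long long)pooled_len(32, 2, 2, 0, 1));
    printf("stride 0:         %lld\n", (long long)pooled_len(32, 2, 0, 0, 1));
    printf("kernel INT64_MAX: %lld\n", (long long)pooled_len(32, INT64_MAX, 1, 0, 1));
    printf("kernel 9 on in=4: %lld\n", (long long)pooled_len(4, 9, 1, 0, 1));
    return 0;
}
```

A caller would apply pool_out_dim to the height and the width separately and refuse the operation if either call is rejected.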

Vulnerability details: A vulnerability, which was classified as problematic, has been found in PyTorch 2.6.0+cu124. Affected by this issue is the function torch.mkldnn_max_pool2d. The manipulation leads to denial of service. An attack has to be approached locally. The exploit has been disclosed to the public and may be used.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2025-2953

Similar to previously disclosed side-channel attacks. Manufacturer (AMD) response to researcher (30-03-2025)

Preface: On 24th Oct, 2024, researchers from Azure® Research, Microsoft® provided AMD with a paper titled “Principled Microarchitectural Isolation on Cloud CPUs.” In their paper, the researchers describe a potential side-channel vulnerability on AMD CPUs. AMD believes that existing mitigation recommendations for prime and probe side-channel attacks remain applicable to the presented vulnerability.

Background: A two-bit saturating up-down counter is a type of counter used in computer architecture, particularly in branch prediction mechanisms. Here’s a brief overview:

  • Two-bit: The counter uses two bits, allowing it to represent four states (00, 01, 10, 11).
  • Up-down: The counter can increment (count up) or decrement (count down) based on the input signal.
  • Saturating: The counter does not wrap around when it reaches its maximum (11) or minimum (00) value. Instead, it stays at these values if further increments or decrements are attempted.

How It Works:

  1. States: The counter has four states: 00, 01, 10, and 11.
  2. Incrementing: If the counter is at 11 and receives an increment signal, it remains at 11. Similarly, if it is at 00 and receives a decrement signal, it stays at 00.
  3. Usage: These counters are often used in branch prediction to keep track of the history of branch outcomes and make predictions based on this history.

Ref: The pattern history table (PHT) branch architecture is an example of an architecture using two-bit saturating up-down counters. It contains a table of two-bit counters used to predict the direction for conditional branches.
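The two-bit saturating counter and pattern history table described above, as an added C example that is not taken from AMD or the cited papers. The table size, the address-to-entry mapping and the branch trace are assumptions made for the illustration; it also shows that two branch addresses mapping to the same entry share one counter.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PHT_ENTRIES 16u /* constructed size; real tables are far larger */
/* Counter states: 0 = 00 (strongly not-taken) ... 3 = 11 (strongly taken). */
typedef struct { uint8_t ctr[PHT_ENTRIES]; } pht_t;

/* Saturating update: clamp at 11 and 00 instead of wrapping around. */
static uint8_t sat_update(uint8_t c, int taken)
{
    if (taken) return (uint8_t)(c < 3 ? c + 1 : 3);
    return (uint8_t)(c > 0 ? c - 1 : 0);
}

/* Index by low address bits (assumed mapping; real predictors differ). */
static size_t pht_index(uint32_t pc) { return (pc >> 2) % PHT_ENTRIES; }
/* Predict taken when the counter's high bit is set (10 or 11). */
static int pht_predict(const pht_t *p, uint32_t pc) { return p->ctr[pht_index(pc)] >= 2; }

/* Start every entry at 01, replay a trace of outcomes for the branch at pc,
 * and return how many of them were mispredicted. */
static unsigned pht_run(pht_t *p, uint32_t pc, const int *outcomes, size_t n)
{
    unsigned miss = 0;
    for (size_t i = 0; i < PHT_ENTRIES; i++)
        p->ctr[i] = 1;
    for (size_t i = 0; i < n; i++) {
        uint8_t *c = &p->ctr[pht_index(pc)];
        if (pht_predict(p, pc) != outcomes[i])
            miss++;
        *c = sat_update(*c, outcomes[i]);
    }
    return miss;
}

/* Constructed trace: a loop branch taken 7 times, then not taken, twice. */
static const int LOOP_TRACE[16] = {1,1,1,1,1,1,1,0, 1,1,1,1,1,1,1,0};

static unsigned loop_mispredictions(void)
{
    pht_t p;
    return pht_run(&p, 0x1000, LOOP_TRACE, 16);
}

/* Train on the loop at 0x1000, then query the predictor at another address. */
static int predict_after_loop(uint32_t other_pc)
{
    pht_t p;
    pht_run(&p, 0x1000, LOOP_TRACE, 16);
    return pht_predict(&p, other_pc);
}

int main(void)
{
    printf("mispredictions: %u of 16\n", loop_mispredictions());
    printf("0x1040 (same entry) predicted taken: %d\n", predict_after_loop(0x1040));
    printf("0x1004 (other entry) predicted taken: %d\n", predict_after_loop(0x1004));
    return 0;
}
```

The single not-taken outcome at each loop exit moves the counter from 11 to 10 only, so the next iteration is still predicted taken; that hysteresis is what the second bit buys.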

About Branch History Leak:

Researchers from The Harbin Institute of Technology have shared with AMD a paper titled “Branch History LeakeR: Leveraging Branch History to Construct a New Side Channel-Theory and Practice” that demonstrates a side channel attack using the Global History Register (GHR). The GHR is used to assist in conditional branch prediction. The researchers note that the GHR is shared between different security domains and may retain data after a security domain switch. After a return to the user-space, the researchers were able to infer the direction of recently executed conditional branches.

Official announcement: Please refer to the link for details – https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7026.html

CVE-2025-30217: SQL injection on Frappe web application framework (27th Mar 2025)

Preface: The Frappe Framework comes equipped with a wide range of built-in tools and features that accelerate the development process. Developers can leverage ready-to-use modules, templates, and components to create applications quickly.

Background: Frappe Framework – A full-stack web application framework written in Python and JavaScript. The framework provides a robust foundation for building web applications, including a database abstraction layer, user authentication and a REST API.

Remark: Frappe UI: A Vue-based UI library to provide a modern user interface. The Frappe UI library provides a variety of components that can be used to build single-page applications on top of the Frappe Framework.

Vulnerability details: SQL injection could be achieved via a specially crafted request, which could allow a malicious person to gain access to sensitive information.

Ref: The Frappe web application framework can be vulnerable to SQL injection attacks if it constructs SQL commands using externally-influenced input from an upstream component without properly neutralizing special elements.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2025-30217

antihackingonline.com