AI and ML, Potential Risk of CVE

About AMD Ryzen™ AI Software: CVE-2025-0014, CVE-2024-36337,CVE-2024-36336 & CVE-2024-36328  (3th Apr 2025)

Leave a comment

Preface: The Ryzen 7000 desktop and laptop chips were introduced in 2023. Alongside the main x86 CPU, Ryzen 7000 has a new type of coprocessor, a Neural Processing Unit (NPU), based on the XDNA™ AI Engine architecture. This new NPU is called Ryzen AI.

Background:

1.Install NPU Drivers

2.Download the NPU driver installation package NPU Driver

3.Install the NPU drivers by following these steps:

4.Extract the downloaded “NPU_RAI1.2.zip” zip file.

5.Open a terminal in administrator mode and execute the [[.]\npu_sw_installer[.]exe] exe file.

6.Ensure that NPU MCDM driver (Version:32.0.201.204, Date:7/26/2024) is correctly installed by opening Device Manager -> Neural processors -> NPU Compute Accelerator Device.

Vulnerability details:

CVE-2025-0014: Incorrect default permissions on the AMD Ryzen™ AI installation folder could allow an attacker to achieve privilege escalation, potentially resulting in arbitrary code execution.

CVE-2024-36337: nteger overflow within AMD NPU Driver could allow a local attacker to write out of bounds, potentially leading to loss of confidentiality, integrity or availability.

CVE-2024-36328: nteger overflow within AMD NPU Driver could allow a local attacker to write out of bounds, potentially leading to loss of integrity or availability.

CVE-2024-36336: nteger overflow within the AMD NPU Driver could allow a local attacker to write out of bounds, potentially leading to a loss of confidentiality, integrity, or availability.

Official announcement: Please refer to the official announcement for details – https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7037.html

Potential Risk of CVE, System

CVE-2025-21983: While kvfree_rcu() itself is not fundamentally flawed, Linux now been resolved by using a more appropriate workqueue. (2nd Apr 2025)

Leave a comment

Preface: The buddy allocator is a well-known memory management algorithm used in the Linux kernel. It is designed to efficiently allocate and deallocate memory in contiguous blocks.

Background: What is RCU usage in the Linux kernel?

Read-copy update (RCU) is a scalable high-performance synchronization mechanism implemented in the Linux kernel. RCU’s novel properties include support for con- current reading and writing, and highly optimized inter- CPU synchronization.

Currently kvfree_rcu() APIs use a system workqueue which is “system_unbound_wq” to driver RCU machinery to reclaim a memory.

In the Linux kernel, the kvfree_rcu() API uses a system workqueue, specifically the system_unbound_wq, to drive RCU (Read-Copy-Update) machinery for memory reclamation. This setup is used to handle deferred memory freeing in a non-blocking manner. However, there was a recent change where the workqueue was switched to WQ_MEM_RECLAIM to ensure that memory reclamation tasks are handled more efficiently and to avoid potential kernel warnings.

Not every Linux API uses the system_unbound_wq to request memory. The system_unbound_wq is a specific type of workqueue used for tasks that are not bound to any particular CPU, allowing them to run on any available CPU. This is useful for tasks that require high concurrency or have wide fluctuations in concurrency levels.

Vulnerability details: The issue with kvfree_rcu() is primarily related to how it uses the system workqueue (system_unbound_wq) for memory reclamation. This can lead to kernel warnings and potential system instability. The warnings indicate that the workqueue framework rules are being violated, which can affect the reliability of the memory reclamation process.

Remedy: So, while kvfree_rcu() itself is not fundamentally flawed, the way it was implemented led to issues that have now been resolved by using a more appropriate workqueue.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2025-21983

AI and ML, Potential Risk of CVE

CVE-2025-2953: Floating point exception in torch[.]mkldnn_max_pool2d (31st Mar 2025)

Leave a comment

Preface: The torch[.]nn[.]MaxPool2d function in PyTorch is used to apply a 2D max pooling operation over an input signal, which is typically an image or a batch of images.

  • Torch[.]mkldnn_max_pool2d is optimized for Intel’s MKL-DNN (Math Kernel Library for Deep Neural Networks). It leverages specific optimizations for Intel CPUs, which can lead to better performance on those processors. It might have limitations in terms of supported features and is more specialized for performance optimization.
  • Torch[.]nn[.]MaxPool2d is a more general implementation that works across different hardware platforms without specific optimizations for Intel CPUs.  It provides more flexibility and is easier to use within the PyTorch ecosystem, supporting various features like padding, dilation, and return indices.

Background: A floating point exception crash when using torch[.]mkldnn_max_pool2d can occur due to several reasons, often related to invalid or extreme values for parameters like kernel size, stride, or padding. Here are some common causes:

  1. Invalid Kernel Size: If the kernel size is set to an extremely large value or zero, it can lead to division by zero or other invalid operations, causing a floating point exception.
  2. Stride and Padding Issues: Similar to kernel size, setting stride or padding to extreme values can result in invalid calculations. For example, a stride of zero can cause the pooling operation to repeatedly access the same elements, leading to a crash.
  3. Input Tensor Dimensions: If the dimensions of the input tensor are not compatible with the specified kernel size, stride, or padding, it can lead to invalid memory access or calculations.

Vulnerability details: A vulnerability, which was classified as problematic, has been found in PyTorch 2.6.0+cu124. Affected by this issue is the function torch[.]mkldnn_max_pool2d. The manipulation leads to denial of service. An attack has to be approached locally. The exploit has been disclosed to the public and may be used.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2025-2953

AI and ML, Potential Risk of CVE, Science, System

Similar to previously disclosed side-channel attacks. Manufacturer (AMD) response to researcher (30-03-2025)

Leave a comment

Preface: On 24th Oct, 2024, Researchers from Azure® Research, Microsoft® have provided to AMD a paper titled “Principled Microarchitectural Isolation on Cloud CPUs.” In their paper, the researchers describe a potential side-channel vulnerability on AMD CPUs. AMD believes that existing mitigation recommendations for prime and probe side-channel attacks remain applicable to the presented vulnerability.

Background: A two-bit saturating up-down counter is a type of counter used in computer architecture, particularly in branch prediction mechanisms. Here’s a brief overview:

  • Two-bit: The counter uses two bits, allowing it to represent four states (00, 01, 10, 11).
  • Up-down: The counter can increment (count up) or decrement (count down) based on the input signal.
  • Saturating: The counter does not wrap around when it reaches its maximum (11) or minimum (00) value. Instead, it stays at these values if further increments or decrements are attempted.
How It Works:
  1. States: The counter has four states: 00, 01, 10, and 11.
  2. Incrementing: If the counter is at 11 and receives an increment signal, it remains at 11. Similarly, if it is at 00 and receives a decrement signal, it stays at 00.
  3. Usage: These counters are often used in branch prediction to keep track of the history of branch outcomes and make predictions based on this history.

Ref: The pattern history table (PHT) branch architecture is an example of an architecture using two-bit saturating up-down counters. It contains a table of two-bit counters used to predict the direction for conditional branches.

About Branch History Leak:

Researchers from The Harbin Institute of Technology have shared with AMD a paper titled “Branch History LeakeR: Leveraging Branch History to Construct a New Side Channel-Theory and Practice” that demonstrates a side channel attack using the Global History Register (GHR).  The GHR is used to assist in conditional branch prediction. The researchers note that the GHR is shared between different security domains and may retain data after a security domain switch.  After a return to the user-space, the researchers were able to infer the direction of recently executed conditional branches.

Official announcement: Please refer to the link for details – https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7026.html

Potential Risk of CVE, Under our observation

CVE-2025-30217: SQL injection on Frappe web application framework (27th Mar 2025)

Leave a comment

Preface: The Frappe Framework comes equipped with a wide range of built-in tools and features that accelerate the development process. Developers can leverage ready-to-use modules, templates, and components to create applications quickly.

Background: Frappe Framework – A full-stack web application framework written in Python and Javascript. The framework provides a robust foundation for building web applications, including a database abstraction layer, user authentication and a REST API. Frappe UI: A Vue-based UI library to provide a modern user interface.

Remark: Frappe UI: A Vue-based UI library to provide a modern user interface. The Frappe UI library provides a variety of components that can be used to build single-page applications on top of the Frappe Framework.

Vulnerability details: SQL injection could be achieved via a specially crafted request, which could allow malicious person to gain access to sensitive information.

Ref: The Frappe web application framework can be vulnerable to SQL injection attacks if it constructs SQL commands using externally-influenced input from an upstream component without properly neutralizing special elements.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2025-30217

AI and ML, Potential Risk of CVE

CVE-2025-30219: About RabbitMQ (26th Mar 2025)

Leave a comment

Preface: Message queues are quite important in machine learning for several reasons:

  1. Decoupling Components: They allow different parts of a machine learning system to operate independently. For example, data producers (like sensors or user inputs) can send data to a queue, and data consumers (like preprocessing units or models) can process this data at their own pace.
  2. Asynchronous Processing: Machine learning tasks, especially training and inference, can be resource-intensive and time-consuming. Message queues enable these tasks to be processed asynchronously, ensuring that the system remains responsive and efficient.
  3. Scalability: By using message queues, you can easily scale your machine learning system. Multiple consumers can process messages from the queue simultaneously, allowing the system to handle larger workloads without bottlenecks.

Background: RabbitMQ can be quite helpful in AI applications! RabbitMQ is an open-source message broker that facilitates communication between different parts of a system asynchronously. Here are some ways it can assist AI:

  1. Task Orchestration: RabbitMQ can manage and distribute tasks across various AI models and services, ensuring efficient processing and load balancing.
  2. Handling Asynchronous Requests: It can queue up inference requests and process them asynchronously, which is particularly useful for resource-intensive AI models.
  3. Data Queuing: RabbitMQ can queue data for processing, allowing AI systems to handle large volumes of data in a controlled manner.

If you enable the management Plugin, you will be able to use not only the webUI but also the HTTP API. In fact, the WebUI is a wrapper around the HTTP API.

Vulnerability details: RabbitMQ is a messaging and streaming broker. Versions prior to 4.0.3 are vulnerable to a sophisticated attack that could modify virtual host name on disk and then make it unrecoverable (with other on disk file modifications) can lead to arbitrary JavaScript code execution in the browsers of management UI users.

When a virtual host on a RabbitMQ node fails to start, recent versions will display an error message (a notification) in the management UI. The error message includes virtual host name, which was not escaped prior to open source RabbitMQ 4.0.3 and Tanzu RabbitMQ 4.0.3, 3.13.8.

Official announcement: Please refer to the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2025-30219

Potential Risk of CVE

CVE-2025-24514: Security Focus of K8s (Kubernetes) 24th Mar 2025

Leave a comment

Preface: A Kubernetes (K8s) sidecar controller is a custom controller designed to manage sidecar containers within a Kubernetes Pod. Sidecar containers are secondary containers that run alongside the main application container in the same Pod. They provide additional functionalities such as logging, monitoring, security, or data synchronization without altering the primary application code.

Background: Ingress annotations in Kubernetes can be used to inject configuration under specific conditions. For example, if you are using an NGINX ingress controller, you can use annotations to add custom configuration snippets. This is often done to handle specific routing rules, security settings, or other custom behaviors.

However, it’s important to be cautious with these annotations, as they can potentially introduce security vulnerabilities. For instance, certain annotations like mirror-target and mirror-host have been found to allow arbitrary configuration injection, which can lead to remote code execution and other security risks.

Vulnerability details:  A security issue was discovered in ingress-Nginx where the “auth-url” ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-Nginx controller.

Note that in default installation, the controller can access all Secrets cluster-wide.

Official announcement: The vulnerability is rated a CVSS 9.8 and is tracked with the following identifiers: CVE-2025-1097, CVE-2025-1098, CVE-2025-24514 and CVE-2025-1974. Please refer to the link for details

https://nvd.nist.gov/vuln/detail/CVE-2025-1974

https://nvd.nist.gov/vuln/detail/CVE-2025-24514

https://nvd.nist.gov/vuln/detail/CVE-2025-1098

https://nvd.nist.gov/vuln/detail/CVE-2025-1097

Cell Phone (iPhone, Android, windows mobile), Potential Risk of CVE

CVE-2024-53025: Transient DOS can occur while processing UCI command (24-03-2025)

Leave a comment

NVD Published Date: 03/03/2025
NVD Last Modified: 03/06/2025

Preface: The OpenWrt Project is a Linux operating system targeting embedded devices. Instead of trying to create a single, static firmware, OpenWrt provides a fully writable filesystem with package management. This frees you from the application selection and configuration provided by the vendor and allows you to customize the device through the use of packages to suit any application. For developers, OpenWrt is the framework to build an application without having to build a complete firmware around it.

Background: Qualcomm’s FastConnect™ 7900 is embedded in the Snapdragon 8 Gen 3. This connectivity system is AI-optimized and integrates Wi-Fi 7, Bluetooth, and Ultra Wideband (UWB) technologies, providing unparalleled performance across mobile, compute, and XR experiences. The Snapdragon 8 Gen 3 firmware integrates cutting-edge technologies such as generative AI, enhanced camera capabilities, console-defying mobile gaming, and studio-quality lossless audio.

Remark: The Snapdragon 8 Gen 3 platform includes embedded firmware.

Vulnerability details:  The Qualcomm UCI command can encounter wraparound in scenarios where an integer overflow occurs during calculations. This happens when the logic assumes that the resulting value will always be larger than the original value, leading to a transient denial of service (DOS) condition.

Ref: Due to the combination of the command injection in the openwrt/imagebuilder image and the truncated SHA-256 hash included in the build request hash, an attacker can pollute the legitimate image by providing a package list that causes the hash collision. The issue consists of two main components:

  1. Command Injection in Imagebuilder: During image builds, user-supplied package names are incorporated into make commands without proper sanitization. This allows malicious users to inject arbitrary commands into the build process, resulting in the production of malicious firmware images signed with the legitimate build key.
  2. Truncated SHA-256 Hash Collisions: The request hashing mechanism truncates SHA-256 hashes to only 12 characters. This significantly reduces entropy, making it feasible for an attacker to generate collisions. By exploiting this, a previously built malicious image can be served in place of a legitimate one, allowing the attacker to “poison” the artifact cache and deliver compromised images to unsuspecting users.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-53025

Potential Risk of CVE

CVE-2025-30472: Corosync Stack buffer overflow (23rd Mar 2025)

Leave a comment

Preface: Even with the popularity of IP phone SIP trunking, the public telephone network still relies on PABX (Private Automatic Branch Exchange) systems in many cases. SIP trunking allows businesses to connect their IP PBX systems to the Public Switched Telephone Network (PSTN) using the Session Initiation Protocol (SIP), which facilitates voice and data communication over the internet.

Background: Gentoo-based clusters are groups of computers running the Gentoo Linux distribution, configured to work together to perform tasks or provide services. These clusters can be designed for various purposes, such as High Availability (HA), High Performance Computing (HPC), High Throughput Computing (HTC), andHigh Efficiency Computing (HEC).

Gentoo’s flexibility and configurability make it well-suited for building clusters. Many modern Gentoo-based clusters use the Corosync messaging layer and the Pacemaker cluster resource manager. The Corosync Cluster Engine is a group communication system with additional features for implementing high availability within applications. The project provides four C API features: A closed process group communication model with virtual synchrony guarantees for creating replicated state machines.

Even with the popularity of IP phone SIP trunking, the public telephone network still relies on PABX (Private Automatic Branch Exchange) systems in many cases. SIP trunking allows businesses to connect their IP PBX systems to the Public Switched Telephone Network (PSTN) using the Session Initiation Protocol (SIP), which facilitates voice and data communication over the internet. While SIP trunking can eliminate the need for physical PSTN gateways, it often still requires a PBX system to manage internal and external calls1. This setup allows businesses to leverage the benefits of modern IP-based communication while maintaining connectivity with traditional telephone networks.

Vulnerability details: Corosync through 3.1.9, if encryption is disabled or the attacker knows the encryption key, has a stack-based buffer overflow in orf_token_endian_convert in exec/totemsrp.c via a large UDP packet.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2025-30472

Cell Phone (iPhone, Android, windows mobile), Potential Risk of CVE

CVE-2025-24201: iOS, iPadOS, and macOS – WebKit Out-of-Bounds Write Vulnerability Security updates (20-03-2025)

Leave a comment

NVD Published Date: 03/11/2025
NVD Last Modified: 03/14/2025

Preface: WebKit is a web browser engine used by Safari and other applications across various platforms like macOS, iOS, Linux, and Windows. It processes web content, including JavaScript, HTML, and CSS.

Background: The Web Content sandbox is a security feature within WebKit that isolates web content from the rest of the system. This means that any potentially harmful web content, such as malicious scripts, is contained within a restricted environment, preventing it from affecting other parts of the system. This sandboxing helps protect users from vulnerabilities and exploits that could arise from visiting compromised websites.

The Web Content sandbox in WebKit uses several shared libraries (.so files) to function properly. These libraries are essential for various operations within the sandboxed environment. Some common libraries that might be involved include:

  1. libwebkit2gtk-4.0.so: This is the main WebKit library for GTK-based applications.
  2. libjavascriptcoregtk-4.0.so: This library handles JavaScript execution within WebKit.
  3. libWPEWebKit.so: Used in WebKit for embedded systems.
  4. libWPEBackend-fdo-1.0.so: Provides backend functionality for WebKit on embedded system.

These libraries help ensure that web content is processed securely and efficiently within the sandbox.

Vulnerability details: An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in visionOS 2.3.2, iOS 18.3.2 and iPadOS 18.3.2, macOS Sequoia 15.3.2, Safari 18.3.1. Maliciously crafted web content may be able to break out of Web Content sandbox. This is a supplementary fix for an attack that was blocked in iOS 17.2. (Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.).

Official announcement: Please refer to the following link for details – https://nvd.nist.gov/vuln/detail/CVE-2025-24201

antihackingonline.com