Preface: Software and platforms known to use jsrsasign include CustomJS, ServieNow, Postman, jwt.io, the BitcoinJS library, OpenPGP.js, Google Apps Script, and add-on utilities.

Background: Jsrsasign (RSA-Sign JavaScript Library) is a pure JavaScript cryptographic library designed to handle RSA, ECDSA, and DSA operations, including key generation, digital signature creation/verification, and encryption. It provides the mathematical and structural setup for parsing keys (PKCS#1/5/8) and managing signatures.

Objectives of Specific Code Paths

• ext/rsa[.]js (RSASetPublic/KEYUTIL parsing path):
  • Objective: This path is responsible for initializing an RSA public key by parsing raw data (like a modulus n and exponent e).
  • Function: It takes external key formats—such as JSON Web Keys (JWK) or PEM-encoded strings—and converts them into a internal format that the library can use for cryptographic math.
• ext/jsbn[.]js (BigInteger.modPowInt reduction logic):
  • Objective: This logic performs modular exponentiation (m to power e), which is the core mathematical operation of RSA.
  • Function: It uses an optimized algorithm (often a sliding window or Montgomery representation) to calculate high-power results efficiently on large numbers that standard JavaScript cannot handle. 

Vulnerability details: Versions of the package jsrsasign before 11.1.1 are vulnerable to Division by zero due to the RSASetPublic/KEYUTIL parsing path in ext/rsa.js and the BigInteger.modPowInt reduction logic in ext/jsbn.js. An attacker can force RSA public-key operations (e.g., verify and encryption) to collapse to deterministic zero outputs and hide “invalid key” errors by supplying a JWK whose modulus decodes to zero.

Official announcement: Please refer to the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2026-4603

Preface: Electron is a framework enabling developers to build cross-platform desktop applications for macOS, Windows, and Linux by combining web technologies (HTML, JavaScript, CSS) with Node.js and native code. It is open-source, MIT-licensed, and free for both commercial and personal use. JavaScript calling Inter-Process Communication (IPC) is a critical technique, particularly in desktop application frameworks like Electron, to bridge the gap between the isolated renderer process (user interface) and the main process (Node.js backend/OS access.

Background: Electron is popular for building desktop apps—like

VS Code and Slack—because it allows developers to use web technologies (HTML, CSS, JavaScript) to create cross-platform applications. By bundling Chromium and Node.js, it eliminates the need to write separate code for Windows, macOS, and Linux.

Key Facts about CVE-2026-3910

Root Cause: The flaw is a logic error specifically within the V8 engine’s JIT (Just-In-Time) optimization process.

Primary Impact: It allows a remote attacker to execute arbitrary code within the browser’s sandbox environment via a specially crafted HTML page.

Because V8 is the core engine for all Chromium-based software, these vulnerabilities exist in Google Chrome, Microsoft Edge, and Opera—none of which use the Electron framework for their internal logic. Because V8 is the core engine for all Chromium-based software, these vulnerabilities exist in Google Chrome, Microsoft Edge, and Opera—none of which use the Electron framework for their internal logic.

If an attacker uses CVE-2026-3543 to get memory access, they can then use that “foothold” to manipulate the IPC (Inter-Process Communication) and trigger CVE-2026-3910.

Vulnerability details: Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Official announcement: Please refer to the link for details.

https://nvd.nist.gov/vuln/detail/CVE-2026-3910

Preface: Since the details of the vulnerability are not described in detail, based on my interest in the topic, specific details are shown in the attached diagram.

Background: The Navigation API is a standard, modern web platform API, not specific to WebKit’s internal code, but implemented by WebKit (and other browser engines like Chromium and Gecko) for use by web application developers.

To implement the Navigation API in a WebKit-based environment (like Safari) while adhering to the Same-Origin Policy (SOP), you must focus on intercepting and managing navigation events within the same origin.

The Navigation API is designed to work strictly within the current browsing context and only exposes history entries with the same origin (matching protocol, host, and port) as the current page.

Related Mechanisms – Developers can use controlled mechanisms to relax the SOP when legitimate cross-origin communication is necessary: window[.]postMessage(): A method for securely communicating between scripts in different windows or iframes regardless of their origin, using message passing.

Vulnerability details: A cross-origin issue in the Navigation API was addressed with improved input validation. This issue is fixed in Background Security Improvements for iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2. Processing maliciously crafted web content may bypass Same Origin Policy.

CWE-346 is a logic failure where the code tries to check the origin but does it incorrectly (e.g., your WebKit case where it validated the host but ignored the port).

Impact: An attacker could use maliciously crafted web content to bypass SOP entirely, potentially accessing sensitive data from other sites, such as session tokens or credentials.

Official announcement: Fix – Apple addressed this in March 2026 through its new Background Security Improvements system for iOS 26.3.1 and macOS 26.3.1. 

Preface: Intel Xeon W processor UEFI settings differ from consumer Intel Core CPUs, primarily to support enterprise-grade features. Xeon W UEFI (BIOS) includes specialized configurations for ECC RAM management, enhanced virtualization, advanced PCIe lane configuration, and platform-specific stability settings not required for standard desktop systems.

Background: Linux tools can modify fundamental UEFI settings, including variables, boot order, and Secure Boot keys (PK, KEK, db, dbx) using tools like efibootmgr, efitools, and direct /sys/firmware/efi/efivars access. Advanced tools can even modify flash images, though direct firmware flashing is generally manufacturer-dependent.

Strengthening length validation in efivarfs

– before performing memory comparisons to prevent OOB (Out-of-Bounds) access.

Strict Length Match:

Ensure the length of the string to be compared (len)

matches the expected length (name->len) exactly.

Vulnerability details: A potential security vulnerability in UEFI for some Intel Reference Platforms may allow escalation of privilege. Intel is releasing firmware updates to mitigate these potential vulnerability.

CVE-2025-20096: Improper input validation in the UEFI firmware for some Intel Reference Platforms may allow an escalation of privilege. System software adversary with a privileged user combined with a high complexity attack may enable data manipulation. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (none), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (high) and availability (high) impacts.

Official announcement: Please refer to the link for details – https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01393.html

Preface: AWS launched Kiro to make it the default entry point for cloud development. When developers open Kiro, it is already pre-configured with deep connections to AWS services (such as Lambda, S3, and Bedrock), making “cloud-native development” an out-of-the-box experience. Since Kiro includes an LLM, Kiro is involved in whatever the developer does. The advantage is that any incorrectly programmed code, Kiro will advise. On the other hand, all programmer thinking will also be learned by Kiro!

Background: Visual studio code capable multi-root workspace over a folder. VS Code that allows you to configure multiple distinct folders to be part of the same workspace. Instead of opening a folder as workspace, you open a <name>[.]code-workspace JSON file that lists all folders of the workspace. In Kiro-IDE, if a user clicks “Trust this Workspace” for the [.]code-workspace file, the IDE may incorrectly extend that trust to all folders listed in the JSON. A threat actor can include a folder they control—containing a malicious [.]kiro/scripts[.]json or [.]vscode/settings[.]json—which then executes with the user’s full permissions because the parent workspace was marked as “trusted.”

Vulnerability details: Improper trust boundary enforcement in Kiro IDE before version 0.8.0 on all supported platforms might allow a remote unauthenticated threat actor to execute arbitrary code via maliciously crafted project directory files that bypass workspace trust protections when a local user opens the directory. To remediate this issue, users should upgrade to version 0.8.0 or higher.

Official announcement: Please refer to the link for more details –

https://nvd.nist.gov/vuln/detail/CVE-2026-4295

Preface: CVE-2026-0032 and CVE-2026-0038 are very similar in terms of their root cause, impact, and remedies, as they both originate from a logical error in the Android kernel memory protection subsystem.

Background: In the Android Virtualization Framework (AVF), all guest operating systems (like the main Android OS and Microdroid) run at EL1, while the actual hypervisor (pKVM) runs at EL2. In Android downstream kernels (especially those for Qualcomm or MediaTek SoCs), the log details containing 0x%llx (a 64-bit hexadecimal address) represent physical memory ranges being transitioned into an isolated state.

This isolation is a critical security layer used to protect high-value hardware components from the main Android OS.

Key Similarities – Both vulnerabilities reside in the mem_protect[.]c file, which is responsible for enforcing memory access boundaries and managing memory protection between different execution environments (like the kernel and the Secure World).

The “similar” nature of these design weakness lies in how the qcom_scm_assign_mem logic was implemented. In both cases, the system failed to properly validate or constrain memory assignment requests, allowing a local attacker to bypass security restrictions.

Vulnerability details:

CVE-2026-0032 In multiple functions of mem_protect[.]c, there is a possible out-of-bounds write due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Primary Driver – Qualcomm SCM (Secure Channel Manager)

CVE-2026-0038In multiple functions of mem_protect[.]c, there is a possible way to execute arbitrary code due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Primary Driver – Qualcomm SCM / pKVM (Protected KVM)

Official announcement: Please refer to the link for details –  

CVE-2026-0038 – https://nvd.nist.gov/vuln/detail/CVE-2026-0038 CVE-2026-0032 – https://nvd.nist.gov/vuln/detail/CVE-2026-0032

Preface: Quoting the second paragraph of the article: Because FortiOS uses reversible encryption ….

Please see the link for article details – https://www.technadu.com/fortigate-edge-intrusions-lead-to-deep-network-compromise-rogue-workstations/623060/

Using reversible encryption in a firewall—or any security system designed to protect credentials—is considered a major security risk because it essentially stores passwords in a format equivalent to plaintext. Reversible encryption allows the encrypted data to be decrypted back into its original form, meaning if an attacker compromises the system, they can obtain the original credentials, rather than just a non-reversible hash.

Background: In Active Directory (AD), abusing the mS-DS-MachineAccountQuota attribute means that an attacker uses its default value (usually 10) to allow ordinary low-privilege users to create new computer accounts in the domain.

A technique known as Resource-Limited Delegation (RBCD) attack. This is the most common form of abuse. If an attacker has specific privileges (such as GenericWrite) on a target server, they can use ms-DS-MachineAccountQuota to create a fake computer account and set it to “act on behalf of others,” thereby impersonating a domain administrator to log in to the target server.

CVE-2025-59718 and CVE-2025-59719 are critical authentication bypass vulnerabilities (CVSS score 9.8) that stem from improper verification of cryptographic signatures (CWE-347) within Fortinet’s SAML implementation

Why these vulnerabilities exist?

Signature Skipping: An unauthenticated remote attacker can send a specially crafted SAML message that the Fortinet device accepts without properly checking it against the trusted Identity Provider (IdP) certificate.

Improper Validation Logic: Because the system fails to correctly validate the XML Digital Signature, it does not confirm if the message actually came from the legitimate IdP or if it was modified in transit.

Administrative Access: By crafting a SAML response that claims to be from a trusted issuer (like sso.forticloud.com) and asserting a privileged identity (like super_admin), attackers can gain full administrative control over the device without needing a valid password or certificate. 

Official announcement: Please see the link for article details:

CVE-2025-59718 – https://nvd.nist.gov/vuln/detail/CVE-2025-59718

CVE-2025-59719 – https://nvd.nist.gov/vuln/detail/CVE-2025-59719

Remedial action:

-Perform the patch operation as recommended by the supplier.

-Use Powershell, Query accounts that have permissions for a specific object.

Get-DomainObjectAcl -Identity “TargetUser” -ResolveGUIDs | ? {$_.ActiveDirectoryRights -match “GenericWrite”}

-Disabling FortiCloud SSO immediately via the CLI (set admin-forticloud-sso-login disable) or GUI.

-Auditing logs for unauthorized administrative logins, particularly from unfamiliar IP addresses or at unusual times.