CVE-2026-38973: About mrubyc design weakness through release 3.4.1. (9th Jul 2026)

Preface: mruby/c remains active in certain industry scenarios that require Ruby’s rapid development capabilities but are limited by hardware constraints that standard mruby (which requires more memory) cannot support. It is widely used in:

• Internet of Things (IoT) edge devices.

• Factory automation and industrial sensors (especially favored by Japanese engineering companies).

• Custom firmware requiring lightweight, high-efficiency script engines embedded in C code.

Background: Which type of IoT devices use mruby/c?

mruby/c is used in resource-constrained, battery-powered IoT devices that require concurrent tasks but lack the memory to run a full operating system. Because its virtual machine runs on as little as 20 KB of RAM, it is deployed in hardware environments where other high-level languages like MicroPython or standard mruby (which requires >100 KB) are too heavy.

When a method lookup fails across the normal inheritance chain, the virtual machine invokes a specialized, static “builtin fallback routine” inside mrbc_find_method(). Because the bytecode execution pointer (pc) or target ID array indexes are processed directly within the loop logic without an explicit boundary assertion check, malicious or unexpectedly formatted bytecode can trigger an out-of-bounds read.

Why does a microcontroller use a Virtual Machine? Unlike a system virtual machine (like VMware or VirtualBox) that emulates an entire computer system or operating system, a programming language VM (like the Java Virtual Machine or the mruby/c VM) acts as a software execution engine.

•               The Process: Your Ruby code is first compiled into bytecode.

•               The VM’s Job: The mruby/c VM reads this bytecode step-by-step and translates it into physical instructions the ESP32 chip can understand.

Vulnerability details: mrubyc through release3.4.1 was found to contain an out-of-bounds read in builtin missing-method lookup inside mrbc_find_method().

Remedy: If you are compiling custom firmware using embedded mruby/c, you can fix this risk by following the repository changes:

1.             Pull the official fixed code directly from the mruby/c GitHub repository.

2.             Recompile your source directory to ensure that both the mrbc_find_method() out-of-bounds read and any related macro handlers are updated on your target MCU.

Official announcement: Please refer to the link for details – https://www.tenable.com/cve/CVE-2026-38973

CVE-2026-25268: Stack-based Buffer Overflow in WLAN Host  (8th Jul 2026)

Preface: The vulnerability’s entry point: The memory corruption in the Qualcomm driver is not caused by parsing Radiotap, but rather by the driver parsing invalid HT40 channel layout elements (HT Capabilities / HT Operation IEs) carried in 802.11 management frames (such as Beacon, Probe Response, or Channel Switch Announcement) sent from the remote base station (AP).

Background: The qcacld (Qualcomm Atheros Closed Source / Prima WLAN Driver) is exactly the WLAN host driver for Qualcomm-based wireless chips. It runs on the main operating system and manages the Wi-Fi hardware, translating between the OS network stack and the firmware on the wireless module.

The qcacld (specifically qcacld-2.0 or qcacld-3.0) codebase handles everything related to wireless connections, including supplicant communication, 802.11 association, and radio management. It works alongside the chip-specific firmware (e.g., WCNSS) and hardware configuration files (like qca_cld/WCNSS_qcom_cfg[.]ini) to ensure proper Wi-Fi and Bluetooth coexistence.

Vulnerability details: CVE-2026-25268 is a memory corruption vulnerability (stack-based buffer overflow) affecting WLAN host drivers. It is triggered during dynamic channel switching operations when the system improperly processes invalid HT40 (High Throughput 40MHz) channel layouts.

Core Technical Details

  • CWE Identifier: CWE-119 (Memory Corruption / Buffer Overflow)
  • CVSS Severity: High (8.8)
  • Vector: Local network
  • Impact: Allows for the corruption of memory, which can lead to application crashes, system instability, or potential arbitrary code execution.

Affected Systems

This flaw specifically impacts Wi-Fi/WLAN host driver components and has been documented in major hardware vendors such as Qualcomm.

Mitigation

Because this flaw is usually tied to vendor-specific firmware or driver code, the primary path to remediation involves patching your wireless infrastructure or devices.

  1. Apply Manufacturer Updates: Monitor your vendor’s security bulletins for firmware upgrades that address this issue.
  2. Consult Vendor Advisories: Review the relevant official updates, such as the Qualcomm Security Bulletin, to identify the specific patched driver versions for your affected hardware.
  3. Network Isolation: Until patches can be deployed, consider isolating potentially vulnerable wireless devices from critical network segments to limit your attack surface.

Official announcement: Please refer to the link for details – https://docs.qualcomm.com/product/publicresources/securitybulletin/july-2026-bulletin.html

Security Bulletin: NVIDIA ConnectX and BlueField – June 2026 (CVE-2025-23351 and CVE-2025-23350) 7th Jul 2026

Preface: While tech giants like Google rely on custom TPUs to cut costs and scale internal models like Gemini, NVIDIA remains globally dominant. This is because AWS and other cloud providers do offer NVIDIA H100s Amazon EC2 P5 Instances, and NVIDIA possesses an unmatched software ecosystem and universal hardware compatibility.

The NVIDIA ConnectX and BlueField command interface allows host software and firmware to communicate directly using the hardware’s internal mlx5 messaging layout. When Single Root I/O Virtualization (SR-IOV) is enabled, a local user or Virtual Machine (VM) interacting with a Virtual Function (VF) gains direct hardware access through this command interface to accelerate network capabilities.

Background: NVIDIA Secuirty Bulletin stated that a design weakness where local users with VF access could cause out-of-bounds write. However, there is ICM Page Limiting feature that the command interface enforces rules that prevent unprivileged guest users from overloading the server. Administrators can use the page_limit feature to cap the firmware interface memory (Internal Context Memory / ICM) that a rogue VF can pin down, avoiding host resource exhaustion? Do you think this function operate well in secure by design?

Answer: No, the ICM Page Limiting function does not operate well on its own under a strict “Secure by Design” philosophy when a severe memory corruption flaw like CVE-2025-23351 or CVE-2025-23350 is present.

While ICM Page Limiting is an excellent operational control for managing fair resource allocation, it falls short as a primary security defense because of how the two features interact at the architecture level. For details, please refer to attached infographic.

Vulnerability details:

CVE-2025-23351 and CVE-2025-23351 – NVIDIA ConnectX and BlueField contain a vulnerability in the command interface where a local user with virtual function (VF) access may cause a write out of bounds by crafted input. A successful exploit of this vulnerability may lead to arbitrary code execution on the device.

Official announcement: Please refer to the link for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5699

CVE-2026-24270: About NVIDIA AIStore framework (6th July 2026)

Official published: 30th June 2026

Preface: Tailoring AI training for petascale environments (hundreds of GPUs/TPUs) requires distributed parallelism, robust fault tolerance, and specialized hardware-aware data pipelines. It is essential to balance computational scale across memory, storage bandwidth, and communication.

Background: NVIDIA AIStore is a lightweight, distributed object storage system built from scratch and specifically tailored for petascale AI training and inference workloads. It acts as a high-performance, horizontally scalable storage middleware designed to keep powerful GPUs fed with data and eliminate I/O bottlenecks.

What NVIDIA AIStore Actually Manages? Instead of routing GPU math, AIStore acts as an ultra-fast, horizontally scalable storage middleware to feed those GPUs. Its job is to eliminate I/O bottlenecks so your multi-dimensional parallel cluster doesn’t sit idle waiting for data.

Immediately Invoked Function Expression (IIFE) is a JavaScript design pattern where a function is defined and executed immediately. It creates an isolated local scope, preventing variables from polluting the global environment. IIFE is a purely software-level coding structure used in web development and Node.js.

When Would JavaScript See It?The only exception is if you are running a local Node.jsapplication directly on your machine (not inside a browser) and you explicitly write code to read the $HOME/.config/ais/cli/auth[.]token file.

Ref: A Bearer MALFORMED_OR_EMPTY_STRING pattern represents an API authorization header request where the actual security token is missing, null, broken, or literally replaced by an error message string (e.g., Authorization: Bearer undefined).

While this is fundamentally a client-side programming error, it is highly dangerous to backend systems because of how poorly written security middleware handles it.

Vulnerability details: CVE-2026-24270 NVIDIA AIStore framework contains a vulnerability where an attacker could bypass authentication. A successful exploit of this vulnerability might lead to denial of service, escalation of privileges, information disclosure, and data tampering.

Official announcement: Please refer to the link for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5849

CVE-2026-24260: NVIDIA Container Toolkit for Linux contains a vulnerability where an attacker could cause a time-of-check time-of-use race condition. (3rd July 2026)

Preface: The core difference between the NVIDIA Container Toolkit and the NVIDIA GPU Operator is their scope of management: the NVIDIA Container Toolkit is a low-level component that enables individual container runtimes (like Docker or containerd) to talk to a local GPU, while the NVIDIA GPU Operator is a high-level orchestration system that automatically deploys and manages that toolkit—along with drivers and monitoring software—across an entire Kubernetes cluster.

Background: The NVIDIA Container Toolkit is a collection of libraries and utilities that allows containers (like Docker, Podman, and Kubernetes) to automatically detect and leverage NVIDIA GPUs. It handles the heavy lifting of mapping GPU devices and mounting necessary driver libraries directly into the container.

The toolkit is made up of a few core components that work together behind the scenes:

•NVIDIA Container Toolkit CLI (nvidia-ctk): The main command-line tool used to configure container runtimes to use NVIDIA GPUs. It sets up the backend configurations for tools like Docker, containerd, and CRI-O.

•NVIDIA Container Runtime (nvidia-container-runtime): A wrapper around standard low-level container runtimes (like runC) that injects the required GPU devices and drivers when a container starts.

•NVIDIA Container CLI (nvidia-container-cli): The low-level utility that inspects the host environment, enumerates GPUs, and configures the container execution environment.

•NVIDIA Container Library (libnvidia-container): The underlying programming library that provides the API to construct and manage the GPU-accelerated containers.

•NVIDIA CDI Hooks (nvidia-cdi-hook): Uses the open standard Container Device Interface (CDI) to seamlessly specify and allocate GPU devices to containers.

Vulnerability details: CVE-2026-24260 NVIDIA Container Toolkit for Linux contains a vulnerability where an attacker could cause a time-of-check time-of-use race condition. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, and data tampering.

Official announcement: Please refer to the link for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5850

CVE-2026-13592: Vulnerability was detected in liftoff-sr CIPster, Rockwell/Allen Bradley PLCs), you must be vigilant! (30-6-2026)

Preface: CIPster is an EtherNet/IP™ stack because it provides the software architecture required to implement the Common Industrial Protocol (CIP) over standard Ethernet, TCP, and UDP networks.

Background: CIPster is an open-source, EtherNet/IP™ stack written in C++.

  • Its Role: It is maintained under the GitHub organization liftoff-sr. It allows a Linux-based device to emulate an industrial “slave/adapter” device.
  • Its Scope: It only handles communication over EtherNet/IP (the Common Industrial Protocol or CIP, commonly used by Rockwell/Allen-Bradley PLCs). It does not natively handle cloud ingestion, database logging, or security protocols required for cloud routing.

To handle communication over EtherNet/IP, liftoff-sr/CIPster exposes an initialization and execution loop API. Because CIPster is a C++ port of the C-based OpENer stack, its implementation follows a structured lifecycle: initializing the adapter, registering assembly objects (I/O tags), and feeding data into a network socket service loop.

Vulnerability details: A vulnerability was detected in liftoff-sr CIPster up to e8e9dba09bf56962807d3504b783ccdb6287f3e4. Affected by this issue is the function BufWriter::append of the component EtherNet IP Message Handler. Performing a manipulation results in out-of-bounds write.

Impact: Remote exploitation of the attack is possible. The exploit is now public and may be used.

Recommendation: This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided.

The patch is named 3a0159ed43125dcd024a1965f0289cb186bae9ff. To fix this issue, it is recommended to deploy a patch.

Official announcement: Please refer to the link for details – https://www.tenable.com/cve/CVE-2026-13592

https://github.com/liftoff-sr/CIPster/issues/48

CVE-2026-10646 – Use-After-Return in Zephyr BSD-Sockets contains design weakness (30-6-2026)

Preface: Zephyr’s BSD-sockets are a networking API rather than a feature of a specific off-the-shelf industrial robot. Zephyr RTOS is used across embedded robotics in custom, edge-computing, and modular ROS 2 networks.

Background: Zephyr’s BSD Sockets API is a compact, optimized subset designed specifically for resource-constrained Real-Time Operating Systems (RTOS), unlike the complete, full-featured POSIX standard used in systems like Linux or macOS.

Zephyr’s API acts as the foundational hardware abstraction layer that allows high-level distributed coordination systems like Lingua Franca to control microcontrollers. It translates high-level logical commands into real-time, hardware-specific actions across physical nodes without the developer needing to manage complex, low-level concurrency.

Unlike standard desktop operating systems that frequently allocate and duplicate memory dynamically for DNS data, Zephyr utilizes a linked list struct zsock_addrinfo tied directly to the native net_buf (network buffer) infrastructure. This minimizes heap allocations and reduces overall RAM overhead.

Vulnerability details: The core trigger for this vulnerability is actually “Timeout followed by a Retry.” When the semaphore wait times out, getaddrinfo() returns an -EAGAIN error and immediately initiates a second retry query. When doing so, it overwrites ai_state->dns_id. This turns the first query into an un-cancellable “orphan query” lingering in the system workqueue (sysworkq).

Ref: A semaphore timeout (or “Semaphore Timeout Period Has Expired” error) is a system alert indicating that a program or device failed to complete a data transfer or process within the time allotted by your computer’s operating system.

If you are developing on Zephyr versions v4.0.0 through v4.4.0, ensure you pull the latest patch for CVE-2026-10646, which specifically addresses a known memory bug inside this internal getaddrinfo/dns_resolve_cb semaphore flow during extreme timeout conditions.

Note: If a late, delayed DNS response arrived over UDP (or if the resolver’s internal timeout work queue triggered), dns_resolve_cb() executed against that stale stack pointer. An attacker could spoof the 16-bit transaction ID over the network to overwrite critical memory areas, causing a system crash or remote code execution.

Official announcement: Please refer to the link for details – https://www.tenable.com/cve/CVE-2026-10646

CVE-2026-53311: A memory handling vulnerability in the FUSE subsystem of the Linux Kernel. (2026-06-29)

Preface: KMSAN (Kernel Memory Sanitizer) was developed by Google. It is a dynamic error detector for the Linux kernel that finds uninitialized memory accesses.

Background: The main feature of fuse_dentry_revalidate() in Linux is to verify and refresh the validity of a directory entry (dentry) and its associated inode in the kernel’s cache before they are used. It bridges the gap between the kernel’s Virtual File System (VFS) and the userspace FUSE daemon.

The frequency of fuse_dentry_revalidate() calls in an HPC process is highly frequent and scales directly with metadata-intensive file operations. In a typical High-Performance Computing (HPC) workload, this function can be triggered millions of times per second, often becoming a major performance bottleneck due to excessive network round-trips to the storage server.

The Linux Kernel VFS (Virtual File System) calls fuse_dentry_revalidate() every time a process attempts to look up, open, or stat a file path to verify if the cached directory entry (dentry) is still valid.

HPC applications frequently invoke this function due to specific behavioral patterns:

  • Massive File Scanning: MPI jobs searching through deep directory structures or loading millions of small shared data files.
  • Shared Library Loading: Thousands of parallel processes concurrently running ld.so, which searches LD_LIBRARY_PATH and issues repetitive stat() and open() calls on shared files (e.g., Python workloads loading packages like NumPy).
  • N-to-N File Access: Multiple compute nodes constantly polling or reading files created by other nodes, forcing the kernel to re-validate the cache.

Vulnerability details: CVE-2026-53311 is a memory handling vulnerability in the FUSE (Filesystem in Userspace) subsystem of the Linux Kernel. The primary impact is system availability loss and potential internal kernel memory disclosure.

Attack Vector: Exploitation requires local access. An attacker must be able to mount a FUSE filesystem or trigger fuse_dentry_revalidate through file operations like opening a path.

How to Mitigate:Update Kernel: The issue is resolved by upgrading your Linux kernel to 6.18.34, 7.0.10, or applying the upstream patch across applicable stable releases.

Official announcement: Please refer to the link for detailshttps://www.tenable.com/cve/CVE-2026-53311

CVE-2026-52966: A design flaw in the Linux kernel direct rendering manager (DRM). Don’t underestimate it! (26th Jun 2026)

Preface: Syzbot is an automated testing system operated by Google that continuously tests the Linux kernel to discover hidden bugs, crashes, and security vulnerabilities. It runs a public Syzbot control panel that lists all active bugs, helps developers track fix progress, and sends crash reports directly to Linux community mailing lists.

Background: Linux kernel’s Direct Rendering Manager (DRM) is deeply connected to both the GPU shader cores and the rendering process. It acts as the “traffic cop” and resource manager for your graphics hardware.

The details below are an expansion of the remedies associated with the infographic in this article.

idrobj = idr_replace(&file_priv->object_idr, obj, handle);

idr is the mechanism used in the Linux core to map integer IDs (such as handle) to indicators (such as obj). Idr_replace will replace the old object originally mapped at the handle position with the new obj (obj here is usually NULL, which means releasing or clearing the mapping). Return value: This function returns the old indicator originally stored at this location. If the replacement is successful and was originally empty, NULL should be returned.

spin_unlock(&file_priv->table_lock);

Function: Release the spinlock (Spinlock). Technical details: table_lock is a protection lock set to prevent multiple execution threads from modifying the IDR table at the same time. After modifying the table (executing idr_replace), it must be unlocked immediately so that other threads can access the table.

WARN_ON(idrobj != NULL);

Function: Error checking and warning. Technical details: This is a core debugging mechanism.

Vulnerability details: CVE-2026-52966 is a logic bug in the Linux kernel . It happens when the system accidentally mixes up the old and new addresses of an internal tracking object . This specific mistake occurs during the DRM (Direct Rendering Manager) driver’s “change handle” process.

The Result: The system gets confused, causing system stability issues (like crashes or errors).

Official announcement: Please refer to the link for details – https://www.tenable.com/cve/CVE-2026-52966

CVE-2026-55447: A critical security vulnerability in the AI workflow platform Langflow versions prior to 1.9.2  (25th June 2026)

Preface: AI models do not use Langflow to generate or write code for you. When a large language model (like ChatGPT, Claude, Gemini, or specialized coding assistants) writes code in response to your prompts, it uses its own internal neural network, parameters, and training data.

The relationship between AI and Langflow is actually the exact opposite: human developers use Langflow to build, connect, and manage AI models.

Background: Langflow is an open-source, visual low-code framework specifically built to design, prototype, and deploy Artificial Intelligence (AI) workflows, multi-agent systems, and Retrieval-Augmented Generation (RAG) applications. It functions as a visual orchestration layer that abstracts complex Python AI code into drag-and-drop components.

Langflow features an embedded AI sidekick called the Langflow Assistant. The coolest part about this feature is its “inception-style” architecture: the Langflow Assistant is actually powered by a hidden Langflow graph running behind the scenes on your local server. When you ask it a question or give it a command, it runs an internal AI flow to alter or build the external AI flow you are working on.

When developers use Langflow, the strongest and most effective type of coding is Python-based integration, data orchestration, and AI pipeline customization.

Security Focus: Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, by controlling a files that are digested into the RAG, an attacker can direct the node to read any file on the file-system by absolute path. All components based on BaseFileComponent are vulnerable to the vulnerability.

Ref: Controlling the files ingested into a Retrieval-Augmented Generation (RAG) pipeline means curating, filtering, and optimizing your source data before it is processed by the search and language models.

This process directly dictates the quality of your AI’s responses and prevents the system from “hallucinating” or wasting resources on irrelevant noise.

Affected Nodes on Your Canvas

Any flow using the following visual components prior to version 1.9.2 is vulnerable:

  • Read File (FileComponent)
  • Docling nodes (DoclingInlineComponent, DoclingRemoteComponent)
  • NVIDIA Retriever Extraction (NvidiaIngestComponent)
  • Video File (VideoFileComponent) Unstructured API (UnstructuredComponent)

Official announcement: Please refer to the link for details – https://www.tenable.com/cve/CVE-2026-55447

antihackingonline.com