ciso brief

All news with #memory corruption tag

37 articles

Rowhammer Attacks Targeting GDDR6 GPUs and Servers

🔒 Three recent academic studies (GDDRHammer, GeForge, and GPUBreach) describe Rowhammer-style attacks against GDDR6 memory on modern GPUs. The first two demonstrate memory-access patterns that bypass Target Row Refresh (TRR) and corrupt GPU page tables, yielding arbitrary reads and writes in video memory and a potential path into system RAM. GPUBreach goes further, chaining driver flaws to defeat IOMMU-based isolation. Enabling ECC, using HBM, and applying IOMMU mitigations reduce the risk, but the findings describe a credible threat to shared GPU and cloud environments.

Bringing Rust to Pixel Baseband for Safer DNS Parsing

๐Ÿ›ก๏ธ Googleโ€™s Pixel team integrated a memory-safe Rust DNS parser into the cellular baseband on Pixel 10 to reduce a class of memory-safety vulnerabilities in a high-risk component. The project adapts the community hickory-proto crate for no_std, adds FFI shims, and builds Rust into the modem firmware via the existing GN/Pigweed build. The team prioritized community support and correctness over aggressive size optimization, reporting a combined code cost of ~371 KB and leaving size pruning to future work.
read more โ†’

GPUBreach: GPU Rowhammer Enables Full System Compromise

🔒 Researchers at the University of Toronto demonstrated GPUBreach, a GPU-targeted Rowhammer technique that flips bits in GDDR6 to corrupt GPU page tables and subvert the device's memory controls. An unprivileged CUDA kernel can obtain arbitrary read/write access to GPU memory and then exploit NVIDIA driver flaws to escalate to CPU privileges and spawn a root shell. The work, to appear at IEEE S&P 2026, includes technical materials and shows impacts ranging from key leakage to ML model manipulation.

GPUBreach: RowHammer on GPUs Enables Full Host Takeover

โš ๏ธ New research describes GPUBreach, a set of GDDR6 RowHammer techniques that corrupt GPU page tables to gain arbitrary GPU memory read/write and, in GPUBreach's case, full host control. The work shows chained GDDR6 bit-flips can corrupt trusted driver state and trigger kernel memory-safety bugs in NVIDIA drivers even with the IOMMU enabled. Related efforts (GDDRHammer, GeForge) also achieve GPU-side arbitrary read/write, though some require IOMMU to be disabled. Enabling ECC reduces risk but is not a guaranteed mitigation for all platforms.
read more โ†’

GPUBreach: GPU Rowhammer Enables System Takeover to Root

โš ๏ธ A new attack called GPUBreach demonstrates that Rowhammer-induced bit flips in GDDR6 memory can corrupt GPU page tables and allow an unprivileged CUDA kernel to gain arbitrary GPU memory read/write access. The University of Toronto team showed this capability can be chained into CPU-side privilege escalation by exploiting memory-safety bugs in the NVIDIA driver, potentially yielding a full system compromise up to a root shell. Critically, the attack works with IOMMU enabled and remains unmitigated on consumer GPUs without ECC. Full technical details and a reproduction package will be published on April 13.
read more โ†’

Critical Citrix NetScaler SAML IDP Memory Leak Exploit

โš ๏ธ A critical out-of-bounds read vulnerability (CVE-2026-3055), disclosed by Citrix on March 23, is being actively exploited against NetScaler ADC and NetScaler Gateway appliances configured as SAML Identity Providers. The flaw (CVSS v4.0 9.3) allows unauthenticated attackers to leak memory contents via crafted SAMLRequest payloads. Citrix and security researchers urge immediate patching to the listed firmware releases and recommend checking NetScaler configurations for SAML IDP profiles.
read more โ†’

Active Recon Targets Citrix NetScaler SAML IDP Flaw

๐Ÿ” A critical input-validation flaw in Citrix NetScaler ADC and NetScaler Gateway (CVE-2026-3055, CVSS 9.3) is being actively probed in the wild, security firms Defused Cyber and watchTowr report. The bug can cause memory overread and may leak sensitive data when appliances are configured as a SAML Identity Provider. Attackers are enumerating auth methods via /cgi/GetAuthMethods to identify vulnerable SAML IDP setups. Organizations should apply vendor patches immediately.
read more โ†’

Talos: Critical Bugs Found in Canva, TP-Link, HikVision

🔒 Cisco Talos disclosed multiple vulnerabilities in Canva Affinity, TP-Link Archer AX53, and HikVision face-recognition terminals. Researchers found 19 EMF-parsing issues in Canva Affinity, including out-of-bounds reads and a type confusion that can lead to memory corruption and arbitrary code execution. TP-Link's AX53 contains 10 vulnerabilities across tmpServer, tdpServer, and SSH host-key handling, ranging from buffer overflows to write-what-where primitives and credential exposure via MITM. A stack-based buffer overflow in HikVision's SADP XML parser can be triggered by a malicious network packet. All issues were patched after coordinated disclosure; users should apply vendor updates and consider Snort rule coverage for detection.

Citrix Urges Immediate Patching of Critical NetScaler Flaw

⚠ Citrix has published updates for NetScaler ADC and NetScaler Gateway that fix two vulnerabilities, including a critical memory overread (CVE-2026-3055) that can leak sensitive information from appliance memory. Exploitation depends on configuration: SAML IdP for CVE-2026-3055 and the Gateway or AAA roles for CVE-2026-4368. Affected builds include 14.1 before 14.1-66.59 and 13.1 before 13.1-62.23; customers should inspect their configurations and apply the patches immediately.

Apple backports WebKit fixes to legacy iOS and macOS

🔒 Apple has backported a WebKit memory-corruption fix, tracked as CVE-2023-43010, to older iOS and iPadOS releases after the flaw was observed in the Coruna exploit kit. The original fix shipped in iOS 17.2 on December 11, 2023; Apple's recent updates, including iOS 15.8.7 and iOS 16.7.15, extend the protection to devices that cannot run the latest OS. Users of affected legacy devices should install the backports to mitigate the exploitation risk.

CISA Adds Two Known-Exploited Vulnerabilities to KEV Catalog

โš ๏ธ CISA added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog on March 3, 2026, after observing evidence of active exploitation. The entries include CVE-2026-21385, a memory corruption issue impacting multiple Qualcomm chipsets, and CVE-2026-22719, a command injection vulnerability affecting Broadcom VMware Aria Operations. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate cataloged flaws by the required due dates; CISA also strongly urges all organizations to prioritize timely remediation. CISA will continue to add vulnerabilities that meet its KEV criteria.
read more โ†’

Google Patches Android Zero-Day in Qualcomm Display

🔒 Google's March 2026 Android updates address 129 security flaws, including an actively exploited zero-day, CVE-2026-21385, in a Qualcomm Display Graphics subcomponent. Qualcomm describes the bug as an integer overflow/wraparound that a local attacker can use to trigger memory corruption. Google also fixed 10 critical System, Framework, and Kernel vulnerabilities and published two patch levels (2026-03-01 and 2026-03-05); Pixel devices receive the fixes immediately, while other vendors may take longer to roll them out.

Google Confirms Exploited Qualcomm Graphics Flaw in Android

⚠ Google confirmed that CVE-2026-21385, a high-severity buffer over-read in a Qualcomm graphics component used in Android devices, has been exploited in the wild. Qualcomm characterizes the defect as an integer overflow that permits memory corruption when user-supplied data is written without checking the available buffer space. The issue (CVSS 7.8) was reported to Qualcomm by Google's Android Security team on December 18, 2025, and customers were notified on February 2, 2026. Google's March 2026 security bulletin includes the fix among 129 patches and notes indications of limited, targeted exploitation.
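The two Android items above both describe the defect as an integer overflow/wraparound that lets a write get past a buffer-space check. The following C is an added example, not Qualcomm's or Google's code and not a reproduction of CVE-2026-21385: it shows the generic pattern of a 32-bit `offset + len` check that wraps, beside a check that compares against the remaining room and cannot wrap. The buffer size, function names and the attacker-chosen values are assumptions for the example.

```c
/* Added illustration of the bug class: an integer wraparound in a length
 * check lets a copy run past a fixed-size buffer. Names, sizes and the
 * attacker values are assumptions; this is not Qualcomm's code and does not
 * reproduce CVE-2026-21385. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64u

/* Attacker-controlled values, constructed for this example:
 * 16 + 0xFFFFFFF0 == 0x100000000, which wraps to 0 in 32-bit arithmetic. */
#define ATTACK_OFFSET 16u
#define ATTACK_LEN    0xFFFFFFF0u

/* Vulnerable check: the sum is formed in 32 bits. When it exceeds UINT32_MAX
 * it wraps to a small value, the comparison passes, and a later memcpy of
 * len bytes overruns the buffer. Returns 1 when the request is accepted. */
int bounds_ok_vulnerable(uint32_t offset, uint32_t len)
{
    return (offset + len <= BUF_SIZE);
}

/* Hardened check: never form the sum. First bound the offset, then compare
 * len against the room that remains, so no wraparound is possible. */
int bounds_ok_hardened(uint32_t offset, uint32_t len)
{
    if (offset > BUF_SIZE)
        return 0;
    return (len <= BUF_SIZE - offset);
}

/* Copy into a BUF_SIZE-byte buffer using the hardened check.
 * Returns 0 on success, -1 when the request does not fit. */
int copy_into_buffer(uint8_t *dst, uint32_t offset, const uint8_t *src, uint32_t len)
{
    if (!bounds_ok_hardened(offset, len))
        return -1;
    memcpy(dst + offset, src, len);
    return 0;
}

/* Demo: a request that exactly fits succeeds, the wrapping request is
 * refused without touching memory. Returns 1 when both behave as expected. */
int copy_demo(void)
{
    uint8_t buf[BUF_SIZE] = {0};
    static const uint8_t src[4] = {'d', 'a', 't', 'a'};
    if (copy_into_buffer(buf, 60u, src, 4u) != 0)          /* 60 + 4 == 64: fits */
        return 0;
    if (memcmp(buf + 60, src, 4) != 0)
        return 0;
    if (copy_into_buffer(buf, ATTACK_OFFSET, src, ATTACK_LEN) != -1) /* must be refused */
        return 0;
    return 1;
}

int main(void)
{
    printf("vulnerable check accepts offset=%u len=0x%x: %s\n",
           (unsigned)ATTACK_OFFSET, (unsigned)ATTACK_LEN,
           bounds_ok_vulnerable(ATTACK_OFFSET, ATTACK_LEN) ? "yes (wrapped)" : "no");
    printf("hardened check accepts it: %s\n",
           bounds_ok_hardened(ATTACK_OFFSET, ATTACK_LEN) ? "yes" : "no");
    printf("hardened copy demo ok: %s\n", copy_demo() ? "yes" : "no");
    return 0;
}
```

The vulnerable check accepts the wrapping pair because `16 + 0xFFFFFFF0` evaluates to 0 in `uint32_t`; the hardened form rejects it because `0xFFFFFFF0` is larger than the 48 bytes of room left after offset 16. The same shape applies to any `base + length > limit` test on untrusted lengths: compare against `limit - base` after bounding `base`, or widen the arithmetic and check for overflow explicitly.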

EnOcean SmartServer IoT: Remote Code Execution Risk

🔒 Two vulnerabilities in EnOcean SmartServer IoT firmware (versions up to and including 4.60.009) can be exploited through crafted LON IP-852 management messages to execute arbitrary OS commands or trigger memory corruption. CVE-2026-20761, a command injection (CVSS 3.1 score 8.1), permits remote command execution; CVE-2026-22885 is an out-of-bounds read (CVSS 3.1 score 3.7) that can leak memory. EnOcean advises updating to SmartServer 4.6 Update 2 (v4.60.023) or later; CISA recommends isolating the devices, keeping them off the internet, using secure remote access, and monitoring for suspicious activity.

Apple Patches Exploited dyld Zero-Day Across Devices

🔒 Apple released updates for iOS, iPadOS, macOS Tahoe, tvOS, watchOS, and visionOS to fix an actively exploited zero-day, CVE-2026-20700, a memory-corruption flaw in dyld that can allow arbitrary code execution by an attacker who already has a memory-write capability. Google's Threat Analysis Group (TAG) is credited with reporting the issue. Apple says the bug may have been used in extremely sophisticated targeted attacks and also issued related fixes for CVE-2025-14174 and CVE-2025-43529. Patches are available for supported recent devices, and additional updates address vulnerabilities in older OS releases.

Apple fixes dyld zero-day used in targeted attacks

🔒 Apple issued security updates for a zero-day in dyld (CVE-2026-20700) that was exploited in an extremely sophisticated targeted attack against specific individuals. Apple warns that an attacker with a memory-write capability may be able to execute arbitrary code on affected devices. Fixes ship in iOS 18.7.5, iPadOS 18.7.5, macOS Tahoe 26.3, tvOS 26.3, watchOS 26.3, and visionOS 26.3; users and administrators should install them immediately.

Schneider Electric EcoStruxure Power Build Vulnerabilities

🔒 Schneider Electric disclosed vulnerabilities in EcoStruxure Power Build Rapsody that cause memory corruption and buffer overflows when importing project (SSD) files. Two tracked issues, CVE-2025-13844 (double free, CVSS 5.3) and CVE-2025-13845 (use-after-free, CVSS 7.8), may allow local code execution if a user opens a malicious file. Schneider has released regional fixed builds; users should install the appropriate update, restart the services, and follow the recommended mitigations if patching is delayed.

MongoBleed (CVE-2025-14847): Critical MongoDB Memory Leak

🔴 On December 19, 2025, MongoDB disclosed MongoBleed (CVE-2025-14847), a critical unauthenticated memory-disclosure flaw in MongoDB Server stemming from its handling of zlib-compressed wire messages. An attacker with network access to TCP/27017 can make the server return heap memory that may include cleartext credentials, API keys, session tokens, and PII. A public PoC and active exploitation have been observed; MongoDB Atlas was patched automatically, while self-hosted deployments need immediate manual updates plus mitigations such as disabling zlib compression and restricting inbound access.

High-severity MongoDB zlib flaw risks memory leakage

⚠ MongoDB has issued an urgent advisory for CVE-2025-14847 after researchers identified a high-severity bug in the handling of zlib-compressed protocol headers involving mismatched length fields. The flaw lets unauthenticated attackers read uninitialized heap memory and could be chained to execute arbitrary code and take control of a server. MongoDB recommends immediate upgrades to patched releases and, where that is not possible, disabling zlib compression as a temporary mitigation.

MongoDB urges immediate patch for high-severity zlib flaw

โš ๏ธ MongoDB warns administrators to immediately patch a high-severity memory-read vulnerability (CVE-2025-14847) in the Server's zlib implementation that may return uninitialized heap memory to unauthenticated remote actors. The issue can be exploited in low-complexity, no-interaction attacks. MongoDB strongly recommends upgrading to a fixed release right away; if you cannot, disable zlib compression by omitting it from networkMessageCompressors or net.compression.compressors when starting mongod or mongos.
read more โ†’
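The three MongoDB items above describe one mechanism: a zlib-compressed message whose declared uncompressed length does not match what actually decompresses, with the server handing back the unwritten remainder of a heap buffer. As an added example (not MongoDB's code), the following C models that bug class with a toy run-length codec standing in for zlib, so it builds with no dependencies. The wire-format struct, the codec and every function name here are assumptions for the example; the vulnerable path trusts the header, the hardened path trusts only what the codec actually produced.

```c
/* Added model of the MongoBleed bug class: a compressed wire message
 * declares its uncompressed length; when decompression yields fewer bytes
 * and the code trusts the declared length, the caller receives the
 * uninitialized tail of a heap buffer. A toy run-length codec stands in for
 * zlib; codec, struct and function names are assumptions, not MongoDB's code. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy codec: input is (count, byte) pairs. Writes at most cap bytes and
 * returns the number actually produced. */
static size_t toy_inflate(const uint8_t *in, size_t in_len, uint8_t *out, size_t cap)
{
    size_t produced = 0;
    for (size_t i = 0; i + 1 < in_len; i += 2) {
        uint8_t count = in[i];
        for (unsigned k = 0; k < count; k++) {
            if (produced == cap)
                return produced;
            out[produced++] = in[i + 1];
        }
    }
    return produced;
}

/* Assumed wire format for this model: an attacker-controlled declared
 * uncompressed length followed by the compressed payload. */
struct compressed_msg {
    uint32_t declared_len;
    const uint8_t *payload;
    size_t payload_len;
};

/* Vulnerable: allocates declared_len bytes, inflates into them, then reports
 * declared_len as the result size regardless of how much was written. */
uint8_t *decompress_vulnerable(const struct compressed_msg *m, size_t *out_len)
{
    uint8_t *buf = malloc(m->declared_len);
    if (!buf)
        return NULL;
    (void)toy_inflate(m->payload, m->payload_len, buf, m->declared_len);
    *out_len = m->declared_len;   /* BUG: trusts the header, not the codec */
    return buf;
}

/* Hardened: the codec's actual output must equal the declared length;
 * otherwise the message is rejected and nothing is handed back. */
uint8_t *decompress_hardened(const struct compressed_msg *m, size_t *out_len)
{
    uint8_t *buf = malloc(m->declared_len);
    if (!buf)
        return NULL;
    size_t got = toy_inflate(m->payload, m->payload_len, buf, m->declared_len);
    if (got != m->declared_len) {
        free(buf);
        *out_len = 0;
        return NULL;
    }
    *out_len = got;
    return buf;
}

/* Constructed messages: the payload inflates to "AAABBB" (6 bytes).
 * evil_msg claims 64 bytes; honest_msg claims the true 6. */
static const uint8_t sample_payload[] = {3, 'A', 3, 'B'};
static const struct compressed_msg evil_msg   = {64, sample_payload, sizeof sample_payload};
static const struct compressed_msg honest_msg = {6,  sample_payload, sizeof sample_payload};

/* Bytes of the vulnerable result that the codec never wrote. */
size_t exposed_bytes(const struct compressed_msg *m)
{
    uint8_t *scratch = malloc(m->declared_len);
    if (!scratch)
        return 0;
    size_t got = toy_inflate(m->payload, m->payload_len, scratch, m->declared_len);
    free(scratch);
    return got < m->declared_len ? m->declared_len - got : 0;
}

size_t vulnerable_result_len(void)
{
    size_t n = 0;
    uint8_t *p = decompress_vulnerable(&evil_msg, &n);
    size_t r = p ? n : 0;
    free(p);
    return r;
}

int hardened_rejects_evil(void)
{
    size_t n = 123;
    uint8_t *p = decompress_hardened(&evil_msg, &n);
    int rejected = (p == NULL && n == 0);
    free(p);
    return rejected;
}

int hardened_accepts_honest(void)
{
    size_t n = 0;
    uint8_t *p = decompress_hardened(&honest_msg, &n);
    int ok = (p != NULL && n == 6 && memcmp(p, "AAABBB", 6) == 0);
    free(p);
    return ok;
}

int main(void)
{
    /* Plant a secret in a same-sized chunk, free it, then let the vulnerable
     * path allocate again. Whether the chunk is reused, and the secret shows
     * up in the leaked tail, depends on the allocator; the point is that the
     * vulnerable path returns 58 bytes it never wrote. */
    char *prev = malloc(64);
    if (prev) {
        memset(prev, 0, 64);
        memcpy(prev + 32, "password=hunter2", 16);
        free(prev);
    }
    size_t n = 0;
    uint8_t *leak = decompress_vulnerable(&evil_msg, &n);
    if (leak) {
        printf("vulnerable: returned %zu bytes, codec wrote %zu, exposed %zu\n",
               n, n - exposed_bytes(&evil_msg), exposed_bytes(&evil_msg));
        printf("bytes 32..47 of the result: %.16s\n", (const char *)leak + 32);
        free(leak);
    }
    printf("hardened rejects evil message: %s\n", hardened_rejects_evil() ? "yes" : "no");
    return 0;
}
```

The fix is the single comparison in `decompress_hardened`: the number of bytes the codec reports having produced is the only trustworthy size. Zeroing the buffer before inflating would hide the disclosure but still accept a malformed message; rejecting the mismatch is the correct behaviour, and it is what makes the same message a protocol error rather than a leak.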