CVE-2026-23434

In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: serialize lock/unlock against other NAND operations nandlock and nandunlock call into chip-ops.lockarea/unlockarea without holding the NAND device lock. On controllers that implement SETFEATURES via multiple low-lev...

CVE-2023-54104 mtd: rawnand: fsl_upm: Fix an off-by one test in fun_exec_op()

In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: fslupm: Fix an off-by one test in funexecop 'op-cs' is copied in 'fun-mchipnumber' which is used to access the 'mchipoffsets' and the 'rnbgpio' arrays. These arrays have NANDMAXCHIPS elements, so the index must be...

Unity Linux 20.1070a Security Update: kernel (UTSA-2025-989204)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-989204 advisory. In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: gpmi: don't leak PM reference in error path If gpminfcapplytimings fails, the PM...

SUSE CVE-2025-38398

In the Linux kernel, the following vulnerability has been resolved: spi: spi-qpic-snand: reallocate BAM transactions Using the mtdnandbiterrs module for testing the driver occasionally results in weird things like below. 1. swiotlb mapping fails with the following message: 85.926216 qcomsnand...

CVE-2025-38398

In the Linux kernel, the following vulnerability has been resolved: spi: spi-qpic-snand: reallocate BAM transactions Using the mtdnandbiterrs module for testing the driver occasionally results in weird things like below. 1. swiotlb mapping fails with the following message: 85.926216 qcomsnand...

Linux kernel 安全漏洞

Linux kernel is the kernel used by Linux, the open source operating system of the Linux Foundation in the United States. A security vulnerability exists in the Linux kernel, which originates in the rawnand submodule of the mtd module, where the allocation of the "user" pointer in the...

SUSE CVE-2022-48778

In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: gpmi: don't leak PM reference in error path If gpminfcapplytimings fails, the PM runtime usage counter must be dropped...

CVE-2023-30024

The MagicJack device, a VoIP solution for internet phone calls, contains a hidden NAND flash memory partition allowing unauthorized read/write access. Attackers can exploit this by replacing the original software with a malicious version, leading to ransomware deployment on the host computer...

Hands-On IoT Hacking: Rapid7 at DEF CON 30 IoT Village, Part 1

Rapid7 was back this year at DEF CON 30 participating at the IoT Village with another hands-on hardware hacking exercise, with the goal of teaching attendees' various concepts and methods for IoT hacking. Over the years, these exercises have covered several different embedded device topics,...

Lessons in IoT Hacking: How to Dead-Bug a BGA Flash Memory Chip

Dead-bugging — what is that, you ask? The concept comes from the idea that a memory chip, once it’s flipped over so you can attach wires to it, looks a little like a dead bug on its back. So why would we do this for the purposes of IoT hacking? The typical reason is if you want to extract the...

CVE-2021-27208

When booting a Zync-7000 SOC device from nand flash memory, the nand driver in the ROM does not validate the inputs when reading in any parameters in the nand’s parameter page. IF a field read in from the parameter page is too large, this causes a buffer overflow that could lead to arbitrary code...

CVE-2021-27208

When booting a Zync-7000 SOC device from nand flash memory, the nand driver in the ROM does not validate the inputs when reading in any parameters in the nand’s parameter page. IF a field read in from the parameter page is too large, this causes a buffer overflow that could lead to arbitrary code...

format test

TL;DR How does the Tesla update its firmware? What did we find when reverse engineering the display and instrument cluster? Here’s the result of a couple of weeks work, working on a real vehicle that mostly worked after we had finished. Part 1: analysing the hardware, complete with a 14 layer PCB...

Reverse Engineering the Tesla Firmware Update Process

TL;DR How does the Tesla Model S update its firmware? What did we find when reverse engineering the display and instrument cluster? Here’s the result of a couple of weeks work, working on a real vehicle that mostly worked after we had finished. Part 1: analysing the hardware, complete with a 14...

Reverse Engineering the Tesla Firmware Update Process

TL;DR How does the Tesla update its firmware? What did we find when reverse engineering the display and instrument cluster? Here’s the result of a couple of weeks work, working on a real vehicle that mostly worked after we had finished. Part 1: analysing the hardware, complete with a 14 layer PCB...

Bitdefender BOX 2 bootstrap update_setup command execution vulnerability

Summary An exploitable command execution vulnerability exists in the recovery partition of Bitdefender BOX 2, version 2.0.1.91. The API method /api/updatesetup does not perform firmware signature checks atomically, leading to an exploitable race condition TOCTTOU that allows arbitrary execution o...