CVE-2021-27562

CVSS 5.5 MEDIUMEPSS 3.1%● KEVCWE-787

In short

A flaw in Arm Trusted Firmware M allows untrusted software running on the device to halt the system, overwrite protected security data, or leak sensitive information by improperly calling secure functions. This matters because it breaks the security boundary between trusted and untrusted code.

Technical detail

CWE-787 (out-of-bounds write) in NSPE handler mode permits non-secure world code to invoke secure functions with insufficient validation, enabling arbitrary write access to secure memory regions, data exfiltration, or denial of service. The vulnerability requires local access but does not mandate elevated privileges within the non-secure context.

Summary generated and translated by AI from the official description.

In Arm Trusted Firmware M through 1.2, the NS world may trigger a system halt, an overwrite of secure data, or the printing out of secure data when calling secure functions under the NSPE handler mode.

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected products

n/a · n/a

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://developer.arm.com/support/arm-security-updates https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/tree/docs/security/security_advisories/svc_caller_sp_fetching_vulnerability.rst https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-27562