CVE-2024-7883

CMSE secure state may leak from stack to floating-point registers

Description

When using Arm Cortex-M Security Extensions (CMSE), Secure stack contents can be leaked to Non-secure state via floating-point registers when a Secure to Non-secure function call is made that returns a floating-point value and when this is the first use of floating-point since entering Secure state. This allows an attacker to read a limited quantity of Secure stack contents with an impact on confidentiality. This issue is specific to code generated using LLVM-based compilers.

Remediation

Solution:

  • Recompile affected code using a fixed compiler.

CVSS

Score: 3.7 (CVSS 3.1)
Severity: Low
EPSS: 0.05%

Affected products:

  • Arm Ltd Arm Compiler for Embedded
  • Arm Ltd Arm Compiler for Embedded FuSa 6.16LTS
  • Arm Ltd Arm Compiler for Embedded FuSa 6.21
  • Arm Ltd Arm Compiler for Functional Safety 6.6
  • Arm Ltd CLang

Frequently Asked Questions

What is the severity of CVE-2024-7883?
CVE-2024-7883 has been scored as a low severity vulnerability.
How to fix CVE-2024-7883?
To fix CVE-2024-7883: Recompile affected code using a fixed compiler.
Is CVE-2024-7883 being actively exploited in the wild?
As of now, there is no information confirming that CVE-2024-7883 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-7883?
CVE-2024-7883 affects Arm Ltd Arm Compiler for Embedded, Arm Ltd Arm Compiler for Embedded FuSa 6.16LTS, Arm Ltd Arm Compiler for Embedded FuSa 6.21, Arm Ltd Arm Compiler for Functional Safety 6.6, Arm Ltd CLang.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.