CWE-1256: Improper Restriction of Software Interfaces to Hardware Features
low-riskThe product provides software-controllable device functionality for capabilities such as power and clock management, but it does not properly limit functionality that can lead to modification of hardware memory or register bits, or the ability to observe physical side channels.
Abstraction: Base
Common Consequences
Integrity
→
Modify Memory
Detection Methods
Manual Analysis
Perform a security evaluation of system-level architecture and design with software-aided physical attacks in scope.
Automated Dynamic Analysis
Use custom software to change registers that control clock settings or power settings to try to bypass security locks, or repeatedly write DRAM to try to change adjacent locations. This can be effective in extracting or changing data. The drawback is that it cannot be run before manufacturing, and it may require specialized software.
Real-World Examples (3)
| CVE | CVSS | EPSS | KEV |
|---|---|---|---|
| CVE-2024-2881 | 6.7 | 0.4% | — |
| CVE-2024-1545 | 5.9 | 0.2% | — |
| CVE-2024-48869 | 6.1 | 0.1% | — |
0
/ 100
low-risk
Active Threat
0/50 · Minimal
Exploit Availability
0/50 · Minimal