CWE-1274: Improper Access Control for Volatile Memory Containing Boot Code
The product conducts a secure-boot process that transfers bootloader code from Non-Volatile Memory (NVM) into Volatile Memory (VM), but it does not have sufficient access control or other protections for the Volatile Memory.
Detection Methods
Ensure the volatile memory is lockable or has locks. Ensure the volatile memory is locked for writes from untrusted agents or adversaries. Try modifying the volatile memory from an untrusted agent, and ensure these writes are dropped.
Analyze the device using the following steps:

1. Identify all fabric master agents that are active during the system boot flow, when initial code is loaded from non-volatile storage into volatile memory.
2. Identify the volatile memory regions that are used for storing the loaded system executable program.
3. During system boot, test programming the memory regions identified in step 2 from all the masters identified in step 1.

Only trusted masters should be allowed to write to these memory regions. For example, pluggable device peripherals should not have write access to program-load memory regions.
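As an added example (not part of the CWE entry), a small Python model of the procedure above: it enumerates the fabric masters, attempts a write to the SRAM region holding the loaded boot code from each one, and reports any untrusted master whose write is accepted. The master names, the region, and the sticky-lock semantics are assumptions, not a real SoC's register map.

```python
"""Constructed model of the CWE-1274 check: enumerate fabric masters, try a
write to the region holding loaded boot code, and report any untrusted
master whose write gets through. Names and lock semantics are assumed."""
from dataclasses import dataclass, field


@dataclass
class Region:
    name: str
    start: int
    end: int                    # exclusive upper bound
    trusted_writers: frozenset  # masters still allowed to write once locked
    locked: bool = False        # sticky: only a reset clears it

    def contains(self, addr):
        return self.start <= addr < self.end


@dataclass
class Fabric:
    regions: list
    masters: list
    accepted: list = field(default_factory=list)  # audit trail of (master, addr)

    def lock(self, name):
        for r in self.regions:
            if r.name == name:
                r.locked = True

    def write(self, master, addr):
        """Return True if the fabric forwards the write, False if it is dropped."""
        for r in self.regions:
            if r.contains(addr):
                if r.locked and master not in r.trusted_writers:
                    return False          # dropped by the region lock
                self.accepted.append((master, addr))
                return True
        return False                      # unmapped address


def audit(fabric, region_name):
    """Steps 1-3 of the procedure: a write from every untrusted master, listing
    those whose write was accepted (each one is a finding)."""
    region = next(r for r in fabric.regions if r.name == region_name)
    return [m for m in fabric.masters
            if m not in region.trusted_writers and fabric.write(m, region.start)]


def build_fabric(lock_after_load):
    """Assumed SoC: boot ROM copies code into boot_sram, then optionally locks it."""
    prog = Region("boot_sram", 0x2000_0000, 0x2004_0000, frozenset({"boot_rom", "cpu0"}))
    fab = Fabric([prog], ["boot_rom", "cpu0", "pcie_ep", "usb_dma", "debug_port"])
    assert fab.write("boot_rom", 0x2000_0000)  # loader writes before the lock
    if lock_after_load:
        fab.lock("boot_sram")
    return fab


if __name__ == "__main__":
    print("unlocked:", audit(build_fabric(False), "boot_sram"))  # 3 findings
    print("locked:  ", audit(build_fabric(True), "boot_sram"))   # []
```

The unlocked configuration is the weakness: every pluggable or DMA-capable master can overwrite the boot code after it has been loaded, whereas the locked configuration drops those writes and leaves only the trusted writers.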
Real-World Examples (8)
| CVE | CVSS | EPSS | KEV |
|---|---|---|---|
| CVE-2025-4043 | 6.8 | 0.2% | — |
| CVE-2025-59404 | 7.5 | 0.1% | — |
| CVE-2022-2484 | 8.4 | 0.1% | — |
| CVE-2022-2482 | 8.4 | 0.1% | — |
| CVE-2025-59694 | 6.8 | 0.0% | — |
| CVE-2023-31345 | 7.5 | 0.0% | — |
| CVE-2025-65396 | 6.1 | 0.0% | — |