CVE-2024-11263 CRITICAL

CVE-2024-11263: arch: riscv: userspace: potential security risk when CONFIG_RISCV_GP=y

Vendor Zephyrproject-Rtos
Product Zephyr
Weakness CWE-270
Published November 15, 2024
Last update November 18, 2024

CVSS base score

9.4/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

When the Global Pointer (GP) relative addressing is enabled (CONFIG_RISCV_GP=y), the gp reg points at 0x800 bytes past the start of the .sdata section which is then used by the linker to relax accesses to global symbols.

Key dates

02Disclosure timeline

November 15, 2024 CVE published
November 18, 2024 Record updated