summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorJohn Powell <john.powell@arm.com>2026-06-08 15:22:52 -0500
committerJohn Powell <john.powell@arm.com>2026-06-17 14:46:28 +0000
commitca3909d0f1a1cf80168583fbda5c814d98c4e3e0 (patch)
tree0b0de28119e3867a93c8b7bcf502280ba4ea7c62 /docs
parent8007abbed0a5dcb2a790eb09bbe2079912733b32 (diff)
downloadarm-trusted-firmware-ca3909d0f1a1cf80168583fbda5c814d98c4e3e0.tar.gz
arm-trusted-firmware-ca3909d0f1a1cf80168583fbda5c814d98c4e3e0.zip
docs: add security advisory for CVE-2025-10263
Disclosure: https://developer.arm.com/documentation/112137 Change-Id: I94662c7bf494e5da41d613f3fc5f7c7837741700 Signed-off-by: John Powell <john.powell@arm.com>
Diffstat (limited to 'docs')
-rw-r--r--docs/security_advisories/index.rst2
-rw-r--r--docs/security_advisories/security-advisory-tfv-17.rst103
2 files changed, 105 insertions, 0 deletions
diff --git a/docs/security_advisories/index.rst b/docs/security_advisories/index.rst
index 32979bf3e..f1fd4fdcd 100644
--- a/docs/security_advisories/index.rst
+++ b/docs/security_advisories/index.rst
@@ -21,3 +21,5 @@ Security Advisories
security-advisory-tfv-14.rst
security-advisory-tfv-15.rst
security-advisory-tfv-16.rst
+ security-advisory-tfv-17.rst
+
diff --git a/docs/security_advisories/security-advisory-tfv-17.rst b/docs/security_advisories/security-advisory-tfv-17.rst
new file mode 100644
index 000000000..eeafeace6
--- /dev/null
+++ b/docs/security_advisories/security-advisory-tfv-17.rst
@@ -0,0 +1,103 @@
+Advisory TFV-17 (CVE-2025-10263)
+================================
+
++----------------+-------------------------------------------------------------+
+| Title | TLBI+DSB might complete too early |
++================+=============================================================+
+| CVE ID | `CVE-2025-10263`_ |
++----------------+-------------------------------------------------------------+
+| Date | Reported on 13 August 2025 |
++----------------+-------------------------------------------------------------+
+| Versions | All, up to and including v2.15 |
+| Affected | |
++----------------+-------------------------------------------------------------+
+| Configurations | All platforms containing any of the following cores: (note |
+| Affected | that if even a single affected core is present that all |
+| | cores must implement the workaround, which the TFA patch |
+| | does) |
+| | |
+| | - Cortex-A76 |
+| | - Cortex-A76AE |
+| | - Cortex-A77 |
+| | - Cortex-X1 |
+| | - Cortex-X1C |
+| | - Cortex-A78 |
+| | - Cortex-A78C |
+| | - Cortex-A78AE |
+| | - Cortex-A710 |
+| | - Cortex-X2 |
+| | - Cortex-X3 |
+| | - Cortex-X4 |
+| | - Cortex-X925 |
+| | - Neoverse-N1 |
+| | - Neoverse-N2 |
+| | - Neoverse-V1 |
+| | - Neoverse-V2 |
+| | - Neoverse-V3 |
+| | - Neoverse-V3AE |
+| | - C1-Ultra |
+| | - C1-Premium |
++----------------+-------------------------------------------------------------+
+| Impact | Exploitation may allow an attacker to corrupt page table |
+| | entries or other memory-management data structures during |
+| | translation invalidation operations. |
++----------------+-------------------------------------------------------------+
+| Fix Version | `Commit 08fab0f083db` (merged on 16 June 2026) |
+| | |
+| | `Gerrit topic #gr/CVE-2025-10263`_ |
++----------------+-------------------------------------------------------------+
+| Credit | Arm |
++----------------+-------------------------------------------------------------+
+
+Description
+-----------
+
+A race condition exists in affected Arm CPUs whereby a memory store performed by
+one Processing Element (PE) may remain incomplete after another PE has
+invalidated the corresponding translation and completed the architecturally
+required TLBI and DSB sequence. Under specific microarchitectural conditions,
+the assumption that all memory accesses made using the invalidated translation
+table entry have completed might not hold true.
+
+This behavior can result in memory corruption affecting translation tables and
+other protected memory structures. Successful exploitation may lead to denial
+of service or privilege escalation within the affected translation regime.
+
+Practical exploitation has been demonstrated to the extent of page table
+corruption. Feasible privilege escalation is considered possible, although full
+exploitation has not yet been publicly demonstrated.
+
+Conditions
+----------
+
+1. PE A executes a store that crosses a page boundary.
+2. PE B executes a TLB invalidate instruction which affects at least one of
+ pages targeted by PE A's store, followed by a DSB.
+3. Complex micro-architectural conditions occur.
+4. PE B's DSB may complete before the global observation of a portion of PE A's
+ store which was affected by the TLB invalidation. The relevant TLB entries
+ are invalidated correctly before the completion of the DSB.
+
+Workaround
+----------
+
+This can be avoided by executing the TLBI and DSB instructions a 2nd time. For
+code sequences that have multiple TLB invalidate instuctions followed by a
+single DSB, only the last TLB invalidate and DSB need to be repeated.
+
+Impact on TF-A
+--------------
+
+TF-a uses an affected instruction sequence only in the Xlat library, so the
+workaround is inserted at the end of that function. Unlike most CVEs, this
+workaround is disabled by default due to it being needed when a platform
+contains any single CPU that is affected. So it must be explicitly enabled
+using the flag WORKAROUND_CVE_2025_10263 by the platform when an affected
+CPU is present.
+
+For further information, affected CPUs, and detailed guidance, refer to the full
+`Official Arm Advisory`_.
+
+.. _CVE-2025-10263: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-10263
+.. _Gerrit topic #gr/CVE-2025-10263: https://review.trustedfirmware.org/q/topic:gr/CVE-2025-10263
+.. _Official Arm Advisory: https://developer.arm.com/documentation/112137