CVE-2024-1633
CVE-2024-1633 is a low-severity vulnerability in Renesas Arm-trusted-firmware with a CVSS 3.x base score of 2.0. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-190.
Key facts
- Severity: Low (CVSS 3.x base score 2.0)
- EPSS exploit prediction: 0% (4th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2024-17372
- Weakness: CWE-190
- Affected product: Renesas Arm-trusted-firmware
- Published:
- Last modified:
Description
During the secure boot, bl2 (the second stage of the bootloader) loops over images defined in the table “bl2_mem_params_descs”. For each image, the bl2 reads the image length and destination from the image’s certificate. Because of the way of reading from the image, which base on 32-bit unsigned integer value, it can result to an integer overflow. An attacker can bypass memory range restriction and write data out of buffer bounds, which could result in bypass of secure boot. Affected git version from c2f286820471ed276c57e603762bd831873e5a17 until (not
Frequently asked questions
- What is CVE-2024-1633?
- During the secure boot, bl2 (the second stage of the bootloader) loops over images defined in the table “bl2_mem_params_descs”. For each image, the bl2 reads the image length and destination from the image’s certificate. Because of the way of reading from the image, which base on 32-bit unsigned integer value, it can result to an integer overflow. An attacker can bypass memory range restriction and write data out of buffer bounds, which could result in bypass of secure boot. Affected git version from c2f286820471ed276c57e603762bd831873e5a17 until (not
- How severe is CVE-2024-1633?
- CVE-2024-1633 has a CVSS 3.x base score of 2.0, rated low severity. It is exploitable over physical access with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity low, and availability none.
- Is CVE-2024-1633 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (4th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2024-1633?
- CVE-2024-1633 affects Renesas Arm-trusted-firmware. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2024-1633?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2024-1633 have an EU (EUVD) identifier?
- Yes. CVE-2024-1633 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-17372.
- When was CVE-2024-1633 published?
- CVE-2024-1633 was published on 2024-02-19 and last updated on 2026-06-17.
References
Affected products (1)
- cpe:2.3:o:renesas:arm-trusted-firmware:rcar_gen3_2.5:*:*:*:*:*:*:*
More vulnerabilities in Renesas Arm-trusted-firmware
- CVE-2024-6563 — High (CVSS 7.5): Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in Renesas arm-trusted-firmware…
- CVE-2024-6564 — Medium (CVSS 6.7): Buffer overflow in "rcar_dev_init" due to using due to using untrusted data (rcar_image_number) as a loop counter…
All CVEs affecting Renesas Arm-trusted-firmware →
Other CWE-190 (Integer Overflow or Wraparound) vulnerabilities
- CVE-2026-4689 — Critical (CVSS 10.0): Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component. This vulnerability was…
- CVE-2026-24814 — Critical (CVSS 10.0): Integer Overflow or Wraparound vulnerability in swoole swoole-src (thirdparty/hiredis modules). This vulnerability is…
- CVE-2025-64721 — Critical (CVSS 10.0): Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. In versions…
- CVE-2015-5108 — Critical (CVSS 10.0): Integer overflow in Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, Acrobat and Acrobat Reader DC…
- CVE-2015-5097 — Critical (CVSS 10.0): Integer overflow in Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, Acrobat and Acrobat Reader DC…
- CVE-2013-2555 — Critical (CVSS 10.0): Integer overflow in Adobe Flash Player before 10.3.183.75 and 11.x before 11.7.700.169 on Windows and Mac OS X, before…
Browse all CWE-190 (Integer Overflow or Wraparound) vulnerabilities →