Christian Lindenmeier

**Name of the Vulnerable Software and Affected Versions** SCP-Firmware versions up to and including 2.15.0 **Description** Specifically crafted SCMI messages sent to an SCP may lead to a Usage Fault and crash the SCP. **Recommendations** For versions up to and including 2.15.0, update to a version later than 2.15.0 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** SCP-Firmware versions up to and including 2.15.0 **Description** Specifically crafted SCMI messages sent to an SCP may lead to a Usage Fault and crash the SCP. **Recommendations** For SCP-Firmware versions up to and including 2.15.0, consider restricting or disabling the handling of SCMI messages until a patch is available.

**Name of the Vulnerable Software and Affected Versions** SCP-Firmware versions 2.11.0 through 2.15.0 **Description** The issue arises from the `transport message handler` function not properly handling errors, which could allow an Application Processor (AP) to cause a buffer overflow in System Control Processor (SCP) firmware. **Recommendations** For SCP-Firmware versions 2.11.0 through 2.15.0, consider disabling the `transport message handler` function until a patch is available to prevent potential buffer overflow exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Intel(R) FPGA products versions prior to 2.9.1 **Description** The issue is related to improper input validation in the firmware of some Intel(R) FPGA products, which may allow denial of service. **Recommendations** For versions prior to 2.9.1, update to version 2.9.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Intel(R) FPGA products versions prior to 2.9.0 **Description** The issue is related to an out of bounds write in the firmware of some Intel(R) FPGA products. This may allow escalation of privilege and information disclosure. **Recommendations** For versions prior to 2.9.0, update to version 2.9.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Trusted Firmware-A (TF-A) versions prior to 2.10 **Description** The issue is related to a potential read out-of-bounds in the SDEI service. The input parameter passed in register `x1` is not validated well enough in the function `sdei interrupt bind()`. This parameter is then passed to a call to `plat ic get interrupt type()`, and it can be any arbitrary value that passes checks in the function `plat ic is sgi()`. A compromised Normal World (Linux kernel) can enable a root-privileged attacker to issue arbitrary SMC calls, allowing control over the content of registers `x0` through `x6`, which are used to send parameters to TF-A. Out-of-bounds addresses can be read in the context of TF-A (EL3), but because the read value is never returned to non-secure memory or in registers, no leak is possible. However, an attacker can still crash TF-A. **Recommendations** For versions prior to 2.10, update to version 2.10 or later to resolve the issue. As a temporary workaround, consider restricting access to the SDEI service to minimize the risk of exploitation. Additionally, limiting the ability of a compromised Normal World to issue arbitrary SMC calls can help mitigate the risk.

**Name of the Vulnerable Software and Affected Versions** Intel(R) FPGA products versions prior to 2.8.1 **Description** The issue is related to an out-of-bounds write in the firmware of some Intel(R) FPGA products. This may allow a privileged user to potentially enable information disclosure via local access. **Recommendations** For versions prior to 2.8.1, update to version 2.8.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Intel(R) FPGA products versions prior to 2.7.0 Hotfix **Description** The issue is related to improper input validation in the firmware of some Intel(R) FPGA products. This may allow an authenticated user to potentially enable escalation of privilege via local access. **Recommendations** For versions prior to 2.7.0 Hotfix, update to version 2.7.0 Hotfix or later to resolve the issue. As a temporary workaround, consider restricting local access to minimize the risk of exploitation.