CVE-2024-1633

LOW
Published Feb 19, 2024 Modified Jan 24, 2025 CWE-190

Description

During the secure boot, bl2 (the second stage of the bootloader) loops over images defined in the table “bl2_mem_params_descs”. For each image, the bl2 reads the image length and destination from the image’s certificate. Because of the way of reading from the image, which base on 32-bit unsigned integer value, it can result to an integer overflow. An attacker can bypass memory range restriction and write data out of buffer bounds, which could result in bypass of secure boot. Affected git version from c2f286820471ed276c57e603762bd831873e5a17 until (not 

CVSS v3.1 Score

2.0
LOW
CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Weakness Type (CWE)

CWE-190 Integer Overflow

Affected Products

Vendor Product
renesas arm-trusted-firmware
renesas r-car_d3e
renesas r-car_e3e
renesas r-car_h3e
renesas r-car_h3ne
renesas r-car_m3e
renesas r-car_m3ne
renesas r-car_v3h
renesas r-car_v3h2
renesas r-car_v3m

References

Frequently Asked Questions

What is CVE-2024-1633? +
During the secure boot, bl2 (the second stage of the bootloader) loops over images defined in the table “bl2_mem_params_descs”. For each image, the bl2 reads the image length and destination from the image’s certificate. Because of the way of reading from the image, which base on 32-bit unsigned integer value, it can result to an integer overflow. An attacker can bypass memory range restriction and write data out of buffer bounds, which could result in bypass of secure boot. Affected git version from c2f286820471ed276c57e603762bd831873e5a17 until (not  It has a CVSS v3.1 base score of 2.0 (LOW).
How severe is CVE-2024-1633? +
CVE-2024-1633 has a CVSS v3.1 score of 2.0 out of 10, rated LOW. This is a low-severity vulnerability with limited impact.
What products are affected by CVE-2024-1633? +
CVE-2024-1633 affects products from renesas, specifically: arm-trusted-firmware, r-car_d3e, r-car_e3e, r-car_h3e, r-car_h3ne, r-car_m3e, r-car_m3ne, r-car_v3h, r-car_v3h2, r-car_v3m. Check the affected products table above for specific version ranges.
How do I check if I'm vulnerable to CVE-2024-1633? +
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

Don't wait for an exploit

Scan your website for vulnerabilities like CVE-2024-1633 — free, no signup required.

Start Free Scan