Arm Trusted Firmware A
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Arm Trusted Firmware A.
By the Year
In 2026 there have been 0 vulnerabilities in Arm Trusted Firmware A. Last year, in 2025 Trusted Firmware A had 1 security vulnerability published. Right now, Trusted Firmware A is on track to have less security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 1 | 0.00 |
| 2024 | 3 | 4.95 |
| 2023 | 1 | 7.40 |
| 2022 | 0 | 0.00 |
| 2021 | 0 | 0.00 |
| 2020 | 0 | 0.00 |
| 2019 | 1 | 5.30 |
It may take a day or so for new Trusted Firmware A vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Arm Trusted Firmware A Security Vulnerabilities
ARM TF-A Bypass of Processor Security State Allows Privilege Escalation
CVE-2025-48507
- November 23, 2025
The security state of the calling processor into Trusted Firmware (TF-A) is not used and could potentially allow non-secure processors access to secure memories, access to crypto operations, and the ability to turn on and off subsystems within the SOC.
Improper Validation of Specified Quantity in Input
ARM Trusted Firmware Page Table Protection misconfig Vulnerability
CVE-2024-45448
4.1 - Medium
- September 04, 2024
Page table protection configuration vulnerability in the trusted firmware module Impact: Successful exploitation of this vulnerability may affect service confidentiality.
Improper Restriction of Security Token Assignment
ARM TFM Input Validation Flaw May Enable Privileged RD and DoS
CVE-2023-31339
5.8 - Medium
- August 13, 2024
Improper input validation in ARM® Trusted Firmware used in AMDs Zynq UltraScale+) MPSoC/RFSoC may allow a privileged attacker to perform out of bound reads, potentially resulting in data leakage and denial of service.
Out-of-bounds Read
TF-A OOB Read via SDEI in Trusted Firmware-A <=2.9
CVE-2023-49100
- February 21, 2024
Trusted Firmware-A (TF-A) before 2.10 has a potential read out-of-bounds in the SDEI service. The input parameter passed in register x1 is not validated well enough in the function sdei_interrupt_bind. The parameter is passed to a call to plat_ic_get_interrupt_type. It can be any arbitrary value passing checks in the function plat_ic_is_sgi. A compromised Normal World (Linux kernel) can enable a root-privileged attacker to issue arbitrary SMC calls. Using this primitive, he can control the content of registers x0 through x6, which are used to send parameters to TF-A. Out-of-bounds addresses can be read in the context of TF-A (EL3). Because the read value is never returned to non-secure memory or in registers, no leak is possible. An attacker can still crash TF-A, however.
Trusted Firmware-A (<=2.8) X.509 Parser OOB Read
CVE-2022-47630
7.4 - High
- January 16, 2023
Trusted Firmware-A through 2.8 has an out-of-bounds read in the X.509 parser for parsing boot certificates. This affects downstream use of get_ext and auth_nvctr. Attackers might be able to trigger dangerous read side effects or obtain sensitive information about microarchitectural state.
Out-of-bounds Read
ARM Trusted Firmware-A
CVE-2018-19440
5.3 - Medium
- January 30, 2019
ARM Trusted Firmware-A allows information disclosure.
Information Disclosure
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Arm Trusted Firmware A or by Arm? Click the Watch button to subscribe.
