Skip to main content

OpenAMP CVE-2026-37540

| EUVDEUVD-2026-26693 HIGH
Integer Overflow or Wraparound (CWE-190)
2026-05-01 mitre
8.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.4 HIGH
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 01, 2026 - 17:32 vuln.today
EUVD ID Assigned
May 01, 2026 - 17:00 euvd
EUVD-2026-26693
Analysis Generated
May 01, 2026 - 17:00 vuln.today
CVE Published
May 01, 2026 - 00:00 nvd
HIGH 8.4

DescriptionCVE.org

OpenAMP v2025.10.0 ELF loader contains an integer overflow vulnerability in firmware image parsing. In elf_loader.c, it performs multiplication of two attacker-controlled 16-bit values from the ELF header without overflow checking. On 32-bit embedded systems (STM32MP1, Zynq, i.MX), large values can cause the product to wrap around to a small value.

AnalysisAI

Integer overflow in OpenAMP v2025.10.0 ELF loader enables local attackers to corrupt memory during firmware image parsing on 32-bit embedded systems (STM32MP1, Zynq, i.MX). The vulnerability triggers when elf_loader.c multiplies two attacker-controlled 16-bit values from ELF headers without bounds checking, causing integer wraparound that bypasses allocation size limits. EPSS data not available; no CISA KEV listing confirms exploitation remains theoretical. GitHub references suggest proof-of-concept analysis exists (sgInnora gist), indicating technical feasibility for local privilege escalation or code execution in embedded/IoT firmware update scenarios.

Technical ContextAI

OpenAMP is an open-source framework implementing Asymmetric Multiprocessing (AMP) for heterogeneous system architectures, enabling communication between processing cores running different operating systems. The ELF loader component (elf_loader.c) parses Executable and Linkable Format firmware images for remote processor initialization. The vulnerability stems from unchecked integer arithmetic on ELF header fields (likely e_phentsize × e_phnum or similar section size calculations). On 32-bit architectures common in embedded systems (ARM Cortex-A in STM32MP1/i.MX, ARM in Xilinx Zynq), multiplying crafted 16-bit values can produce results exceeding 32-bit limits. The overflow wraps to small values, causing undersized buffer allocations followed by heap/stack corruption when actual ELF data is copied. CPE data is incomplete (cpe:2.3:a:n/a:n/a), but description explicitly identifies 32-bit embedded platforms as affected scope. This represents a classic integer overflow leading to buffer overflow (CWE-190 → CWE-120), though CWE assignment is missing from NVD data.

RemediationAI

Upgrade to a patched OpenAMP version as soon as released by the OpenAMP project maintainers; monitor the GitHub repository (github.com/OpenAMP/open-amp) for security advisories and commits addressing integer overflow in elf_loader.c. The gist reference (gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381) may contain technical details useful for vendor patch verification. Until patches are available, implement these compensating controls with noted limitations: (1) Enforce cryptographic signature verification on all firmware images before ELF parsing - this prevents processing of attacker-crafted files but requires existing PKI infrastructure and breaks unsigned development workflows. (2) Restrict file system permissions on firmware staging directories to privileged boot processes only (chmod 700, root-only access) - reduces local attack surface but does not prevent exploitation by compromised root processes. (3) Deploy runtime bounds checking via compiler instrumentation (GCC -fsanitize=integer, -D_FORTIFY_SOURCE=2) in custom OpenAMP builds - adds performance overhead (5-15%) unacceptable in latency-sensitive real-time processing. (4) Isolate firmware loading into separate sandboxed process with minimal privileges - requires architecture changes and may break AMP resource sharing.

Vendor StatusVendor

SUSE

Severity: High

Share

CVE-2026-37540 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy