Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
OpenAMP v2025.10.0 ELF loader contains an integer overflow vulnerability in firmware image parsing. In elf_loader.c, it performs multiplication of two attacker-controlled 16-bit values from the ELF header without overflow checking. On 32-bit embedded systems (STM32MP1, Zynq, i.MX), large values can cause the product to wrap around to a small value.
AnalysisAI
Integer overflow in OpenAMP v2025.10.0 ELF loader enables local attackers to corrupt memory during firmware image parsing on 32-bit embedded systems (STM32MP1, Zynq, i.MX). The vulnerability triggers when elf_loader.c multiplies two attacker-controlled 16-bit values from ELF headers without bounds checking, causing integer wraparound that bypasses allocation size limits. EPSS data not available; no CISA KEV listing confirms exploitation remains theoretical. GitHub references suggest proof-of-concept analysis exists (sgInnora gist), indicating technical feasibility for local privilege escalation or code execution in embedded/IoT firmware update scenarios.
Technical ContextAI
OpenAMP is an open-source framework implementing Asymmetric Multiprocessing (AMP) for heterogeneous system architectures, enabling communication between processing cores running different operating systems. The ELF loader component (elf_loader.c) parses Executable and Linkable Format firmware images for remote processor initialization. The vulnerability stems from unchecked integer arithmetic on ELF header fields (likely e_phentsize × e_phnum or similar section size calculations). On 32-bit architectures common in embedded systems (ARM Cortex-A in STM32MP1/i.MX, ARM in Xilinx Zynq), multiplying crafted 16-bit values can produce results exceeding 32-bit limits. The overflow wraps to small values, causing undersized buffer allocations followed by heap/stack corruption when actual ELF data is copied. CPE data is incomplete (cpe:2.3:a:n/a:n/a), but description explicitly identifies 32-bit embedded platforms as affected scope. This represents a classic integer overflow leading to buffer overflow (CWE-190 → CWE-120), though CWE assignment is missing from NVD data.
RemediationAI
Upgrade to a patched OpenAMP version as soon as released by the OpenAMP project maintainers; monitor the GitHub repository (github.com/OpenAMP/open-amp) for security advisories and commits addressing integer overflow in elf_loader.c. The gist reference (gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381) may contain technical details useful for vendor patch verification. Until patches are available, implement these compensating controls with noted limitations: (1) Enforce cryptographic signature verification on all firmware images before ELF parsing - this prevents processing of attacker-crafted files but requires existing PKI infrastructure and breaks unsigned development workflows. (2) Restrict file system permissions on firmware staging directories to privileged boot processes only (chmod 700, root-only access) - reduces local attack surface but does not prevent exploitation by compromised root processes. (3) Deploy runtime bounds checking via compiler instrumentation (GCC -fsanitize=integer, -D_FORTIFY_SOURCE=2) in custom OpenAMP builds - adds performance overhead (5-15%) unacceptable in latency-sensitive real-time processing. (4) Isolate firmware loading into separate sandboxed process with minimal privileges - requires architecture changes and may break AMP resource sharing.
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Buffer Overflow
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26693