Caliptra Core Runtime Firmware CVE-2026-5818
HIGHSeverity by source
CVSS:4.0/AV:A/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Adjacent management interface (AV:A), requires firmware-update privileges (PR:H) and specific update-flow timing (AC:H); RoT bypass affects downstream MCU (S:C) with no confidentiality loss.
Primary rating from Vendor (Caliptra).
CVSS VectorVendor: Caliptra
CVSS:4.0/AV:A/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Incorrect check of function return value in Caliptra Core Runtime Firmware (ActivateFirmwareCmd::activate_fw modules) allows bypass of Caliptra Core's verification of the MCU FW during a hitless update.
This issue affects Core Runtime Firmware: from 2.0.0 through 2.0.1, 2.1.0.
AnalysisAI
Firmware verification bypass in Caliptra Core Runtime Firmware versions 2.0.0 through 2.0.1 and 2.1.0 allows an attacker with high privileges to load unverified MCU firmware during a hitless update. The flaw resides in the ActivateFirmwareCmd::activate_fw module, where an incorrect check of a function return value causes the Root-of-Trust to skip authentication of the Microcontroller Unit firmware image. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) adjacent-network access to the platform management/RoT mailbox interface rather than the public internet (AV:A), (2) high pre-existing privileges sufficient to invoke ActivateFirmwareCmd against the Caliptra RoT (PR:H), (3) the target system actively using the hitless firmware update path rather than cold-boot updates, and (4) a specific attack prerequisite condition (AT:P) tied to the timing/state of the activate_fw flow. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:A/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:H plus subsequent-system SC:H/SI:H/SA:H) scores 7.2 (High) and reflects an adjacent-vector, high-privilege attack with no confidentiality impact but severe integrity/availability consequences that cascade into downstream systems trusting the RoT. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has already obtained high-privilege access to the platform management interface (for example, a compromised BMC or malicious insider with firmware-update rights on an adjacent management network) submits a crafted, unsigned or maliciously modified MCU firmware image through the hitless update flow. Because activate_fw mishandles the verification return value, Caliptra accepts the image without validating its signature and activates it, giving the attacker persistent code execution on the MCU with the RoT continuing to attest the system as trusted. … |
| Remediation | Upstream fix available (PR/commit); released patched version not independently confirmed from the provided data - consult the Caliptra advisory at https://github.com/chipsalliance/caliptra-sw/security/advisories/GHSA-456r-gcjr-6rxq for the corrected firmware build and rebuild affected silicon firmware images from a fixed Core Runtime Firmware tag past 2.1.0. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify inventory of systems and hardware running Caliptra Core Runtime Firmware 2.0.0-2.0.1 or 2.1.0. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Core Runtime Firmware
View allSame weakness CWE-253 – Incorrect Check of Function Return Value
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today