Skip to main content

Caliptra Core Runtime Firmware CVE-2026-5818

HIGH
Incorrect Check of Function Return Value (CWE-253)
2026-06-23 Caliptra
7.2
CVSS 4.0 · Vendor: Caliptra
Share

Severity by source

Vendor (Caliptra) PRIMARY
7.2 HIGH
CVSS:4.0/AV:A/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.3 HIGH

Adjacent management interface (AV:A), requires firmware-update privileges (PR:H) and specific update-flow timing (AC:H); RoT bypass affects downstream MCU (S:C) with no confidentiality loss.

3.1 AV:A/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:H
4.0 AV:A/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (Caliptra).

CVSS VectorVendor: Caliptra

CVSS:4.0/AV:A/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 24, 2026 - 00:26 vuln.today

DescriptionCVE.org

Incorrect check of function return value in Caliptra Core Runtime Firmware (ActivateFirmwareCmd::activate_fw modules) allows bypass of Caliptra Core's verification of the MCU FW during a hitless update.

This issue affects Core Runtime Firmware: from 2.0.0 through 2.0.1, 2.1.0.

AnalysisAI

Firmware verification bypass in Caliptra Core Runtime Firmware versions 2.0.0 through 2.0.1 and 2.1.0 allows an attacker with high privileges to load unverified MCU firmware during a hitless update. The flaw resides in the ActivateFirmwareCmd::activate_fw module, where an incorrect check of a function return value causes the Root-of-Trust to skip authentication of the Microcontroller Unit firmware image. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain privileged access to platform management network
Delivery
Craft unsigned or modified MCU firmware image
Exploit
Invoke ActivateFirmwareCmd hitless update path
Execution
Trigger mishandled verification return in activate_fw
Persist
Caliptra activates unverified MCU firmware
Impact
Persist malicious code under valid RoT attestation

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) adjacent-network access to the platform management/RoT mailbox interface rather than the public internet (AV:A), (2) high pre-existing privileges sufficient to invoke ActivateFirmwareCmd against the Caliptra RoT (PR:H), (3) the target system actively using the hitless firmware update path rather than cold-boot updates, and (4) a specific attack prerequisite condition (AT:P) tied to the timing/state of the activate_fw flow. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:A/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:H plus subsequent-system SC:H/SI:H/SA:H) scores 7.2 (High) and reflects an adjacent-vector, high-privilege attack with no confidentiality impact but severe integrity/availability consequences that cascade into downstream systems trusting the RoT. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has already obtained high-privilege access to the platform management interface (for example, a compromised BMC or malicious insider with firmware-update rights on an adjacent management network) submits a crafted, unsigned or maliciously modified MCU firmware image through the hitless update flow. Because activate_fw mishandles the verification return value, Caliptra accepts the image without validating its signature and activates it, giving the attacker persistent code execution on the MCU with the RoT continuing to attest the system as trusted. …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed from the provided data - consult the Caliptra advisory at https://github.com/chipsalliance/caliptra-sw/security/advisories/GHSA-456r-gcjr-6rxq for the corrected firmware build and rebuild affected silicon firmware images from a fixed Core Runtime Firmware tag past 2.1.0. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify inventory of systems and hardware running Caliptra Core Runtime Firmware 2.0.0-2.0.1 or 2.1.0. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-5818 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy