Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family SC

SC-34Non-modifiable Executable Programs

For {{ insert: param, sc-34_odp.01 }} , load and execute: The operating environment from hardware-enforced, read-only media; and The following applications from hardware-enforced, read-only media: {{ insert: param, sc-34_odp.02 }}.

Last updated: 04 July 2026 00:28 UTC

Implementations targeting this control (0)

ATT&CK techniques this control mitigates (15)

Weaknesses this control addresses (5)AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE Name CVEs Why this control addresses it
CWE-94Improper Control of Generation of Code ('Code Injection')6,984Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
CWE-284Improper Access Control5,367Hardware-enforced read-only media directly implements strong access control preventing any modification of executables.
CWE-732Incorrect Permission Assignment for Critical Resource1,874Overrides or renders irrelevant incorrect permission assignments on critical executable resources by using hardware-level immutability.
CWE-506Embedded Malicious Code85Prevents embedding or persistence of malicious code in the OS or specified applications since the media cannot be written.
CWE-96Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')23Eliminates the possibility of static code injection into saved executables by making the storage non-modifiable.

Top CVEs where this control is the strongest mitigation

CVE Risk CVSS EPSS Match
CVE-2016-20024 UPD7.09.80.0073good
CVE-2025-416605.58.80.0043good
CVE-2026-240635.58.20.0013good
CVE-2025-08345.57.80.0015good
CVE-2026-21235.57.80.0010good
CVE-2020-369385.58.80.0020good
CVE-2020-369165.58.80.0022good
CVE-2016-200335.57.80.0021good
CVE-2019-253445.57.80.0016good
CVE-2021-477615.57.80.0009good
CVE-2022-509315.57.80.0019good
CVE-2019-253435.57.80.0011good
CVE-2020-371297.09.80.0034good
CVE-2024-455555.58.40.0014good
CVE-2026-329795.57.30.0013good
CVE-2025-155615.57.80.0010good
CVE-2026-320093.55.70.0013good
CVE-2026-302837.09.80.0053good
CVE-2022-303157.09.80.0076partial
CVE-2024-424445.57.50.0012good
CVE-2016-20025 UPD5.58.80.0044good
CVE-2025-103145.58.80.0015good

Other controls in family SC

SC-1 SC-10 SC-11 SC-12 SC-13 SC-14 SC-15 SC-16 SC-17 SC-18 SC-19 SC-2 SC-20 SC-21 SC-22 SC-23 SC-24 SC-25 SC-26 SC-27 SC-28 SC-29 SC-3 SC-30 SC-31 SC-32 SC-33 SC-35 SC-36 SC-37 SC-38 SC-39 SC-4 SC-40 SC-41 SC-42 SC-43 SC-44 SC-45 SC-46 SC-47 SC-48 SC-49 SC-5 SC-50 SC-51 SC-6 SC-7 SC-8 SC-9