Cyber Resilience

CVE-2023-40271

HighPublic PoCUpdated

Published: 08 September 2023

Published
08 September 2023
Modified
05 June 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score 0.0019 40.8th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-40271 is a high-severity Incorrect Comparison (CWE-697) vulnerability in Trustedfirmware Trusted Firmware-M. Its CVSS base score is 7.5 (High).

Operationally, ranked at the 40.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

EU & UK References

Vulnerability details

In Trusted Firmware-M through TF-Mv1.8.0, for platforms that integrate the CryptoCell accelerator, when the CryptoCell PSA Driver software Interface is selected, and the Authenticated Encryption with Associated Data Chacha20-Poly1305 algorithm is used, with the single-part verification function (defined during the…

more

build-time configuration phase) implemented with a dedicated function (i.e., not relying on usage of multipart functions), the buffer comparison during the verification of the authentication tag does not happen on the full 16 bytes but just on the first 4 bytes, thus leading to the possibility that unauthenticated payloads might be identified as authentic. This affects TF-Mv1.6.0, TF-Mv1.6.1, TF-Mv1.7.0, and TF-Mv1.8.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

trustedfirmware
trusted firmware-m
1.6.0, 1.6.1, 1.7.0, 1.8.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References