Cyber Posture

CVE-2024-29970

Critical

Published: 10 January 2025
Modified: 15 April 2026
KEV Added: not listed in the CISA KEV catalog
Patch: see the Fortanix Enclave OS support references below
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0028 (51.3rd percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-29970 is a critical-severity vulnerability with an unspecified weakness (no CWE listed) in Fortanix Enclave OS (the product is inferred from the references). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 48.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5, AI-generated)

prevent (SI-2, Flaw Remediation): Directly mitigates CVE-2024-29970 by identifying, prioritizing, and applying patches that remediate the interface vulnerability causing state corruption.

prevent (SI-10, Information Input Validation): Requires validation of all inputs to the enclave OS interface, including injected signals, so that malformed signals are rejected before they can corrupt enclave state.

prevent: Isolates enclave security functions from non-security functions, limiting how far state corruption originating at the vulnerable interface can propagate.

NVD Description

Fortanix Enclave OS 3.36.1941-EM has an interface vulnerability that leads to state corruption via injected signals.

Deeper analysis (AI-generated)

Fortanix Enclave OS version 3.36.1941-EM is affected by CVE-2024-29970, an interface vulnerability that enables state corruption through injected signals. This flaw, published on 2025-01-10, carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with high impacts on confidentiality, integrity, and availability.

Per the CVSS vector, the flaw is reachable over the network (AV:N) with low attack complexity (AC:L), requires no privileges (PR:N) or user interaction (UI:N), and leaves scope unchanged (S:U). Successful exploitation corrupts state inside the enclave, and because the vector rates confidentiality, integrity, and availability impact all as high, a full compromise of the protected environment is possible.

Mitigation details and advisories are referenced in Fortanix's Enclave OS support section at https://support.fortanix.com/hc/en-us/sections/360012461751-Enclave-OS, and a proof-of-concept is published at https://github.com/ahoi-attacks/sigy/blob/main/pocs/enclaveos/cve.md. Security practitioners should consult the vendor resources for patching instructions and updates.

Details

CWE(s): None listed

Affected Products

Vendor: Fortanix
Product: Enclave OS
Version: 3.36.1941-EM (per the NVD description)
Note: inferred from references and description; NVD did not file a CPE for this CVE

References