CVE-2024-45746

Critical

Published: 09 October 2024
Modified: 15 April 2026
KEV Added: not listed
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0890 (92.8th percentile)
Risk Priority: 25 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-45746 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in Readthedocs (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 7.2% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-45746 affects Trusted Firmware-M versions through 2.1.0. The vulnerability stems from a lack of validation on user-supplied mailbox message pointers that reference input and output argument vectors. Each vector entry holds an unchecked buffer pointer and length; after a PSA call completes, mailbox_direct_reply unconditionally updates the output length field, enabling an arbitrary write into secure firmware memory and control-flow hijacking.

An unauthenticated remote attacker can supply crafted mailbox messages to trigger the flaw. Successful exploitation grants the ability to overwrite arbitrary locations in the secure world, resulting in remote code execution with full control over the trusted firmware.

The project advisory at trustedfirmware-m.readthedocs.io details the issue and links to the Trusted Firmware-M repository for remediation steps. The associated EPSS score has remained flat at 0.0890 with no material increase since disclosure.

Vulnerability details

An issue was discovered in Trusted Firmware-M through 2.1.0. User provided (and controlled) mailbox messages contain a pointer to a list of input arguments (in_vec) and output arguments (out_vec). These list pointers are never validated. Each argument list contains a buffer pointer and a buffer length field. After a PSA call, the length of the output arguments behind the unchecked pointer is updated in mailbox_direct_reply, regardless of the call result. This allows an attacker to write anywhere in the secure firmware, which can be used to take over the control flow, leading to remote code execution (RCE).
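The "Deeper analysis" and "Vulnerability details" sections above both describe the same weakness: a message-supplied out_vec pointer is dereferenced for a length write-back without any check. The following added example (not Trusted Firmware-M code; the outvec_t layout, MAX_IOVEC, and the window arguments are assumptions) shows the unchecked write-back beside a hardened version that refuses any list or buffer outside the non-secure shared-memory window before touching it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed layout of one output-vector entry (not TF-M's real definition). */
typedef struct { void *base; size_t len; } outvec_t;

/* Assumed per-call cap on vector entries. */
#define MAX_IOVEC 4

/* True only if [addr, addr+size) lies wholly inside [ns_base, ns_base+ns_size);
 * written without addition so an oversized length cannot wrap the check. */
bool ns_range_check(uintptr_t addr, size_t size, uintptr_t ns_base, size_t ns_size) {
    if (size > ns_size || addr < ns_base) return false;
    return (addr - ns_base) <= (ns_size - size);
}

/* Weak pattern: writes result lengths back through a message-supplied pointer
 * with no check, so a crafted out_vec pointer becomes a secure-world write. */
void reply_unchecked(outvec_t *out_vec, size_t n, const size_t *written) {
    for (size_t i = 0; i < n; i++) out_vec[i].len = written[i];
}

/* Hardened pattern: reject the message unless the entry list and every buffer it
 * names sit inside the non-secure window; only then write lengths back.
 * Returns 0 on success, -1 when rejected (nothing is written in that case). */
int reply_checked(outvec_t *out_vec, size_t n, const size_t *written,
                  uintptr_t ns_base, size_t ns_size) {
    if (n > MAX_IOVEC) return -1;
    if (!ns_range_check((uintptr_t)out_vec, n * sizeof *out_vec, ns_base, ns_size)) return -1;
    for (size_t i = 0; i < n; i++) {
        if (written[i] > out_vec[i].len) return -1;   /* reply cannot exceed caller's buffer */
        if (!ns_range_check((uintptr_t)out_vec[i].base, out_vec[i].len, ns_base, ns_size)) return -1;
    }
    for (size_t i = 0; i < n; i++) out_vec[i].len = written[i];
    return 0;
}

/* Constructed stand-in for the shared window: entries and their buffers live in
 * one region so a single [base, base+size) covers them all. */
static struct { outvec_t vec[2]; uint8_t buf[32]; } shm;

/* Returns 1 when an in-window message is accepted and an out-of-window one rejected. */
int selftest(void) {
    size_t written[2] = { 5, 7 };
    shm.vec[0] = (outvec_t){ shm.buf, 16 };
    shm.vec[1] = (outvec_t){ shm.buf + 16, 16 };
    uintptr_t base = (uintptr_t)&shm;
    if (reply_checked(shm.vec, 2, written, base, sizeof shm) != 0) return 0;
    if (shm.vec[0].len != 5 || shm.vec[1].len != 7) return 0;
    shm.vec[0].len = 16;   /* same message, but the window lies elsewhere: refuse untouched */
    int rej = reply_checked(shm.vec, 2, written, base + sizeof shm, sizeof shm);
    return (rej == -1 && shm.vec[0].len == 16) ? 1 : 0;
}
```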

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Readthedocs (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-120: Platform-independent managed code eliminates the need for unchecked native buffer copies that are the root cause of classic buffer overflows.
