
CVE-2024-7883

Severity: Low · Public PoC

Published: 31 October 2024

Modified: 23 December 2025
CVSS Score (v3.1): 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.0037 (59.1th percentile)
Risk Priority: 8 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-7883 is a low-severity Sensitive Information in Resource Not Removed Before Reuse (CWE-226) vulnerability in Arm Compiler for Embedded FuSa (Arm). Its CVSS base score is 3.7 (Low).

Operationally, it ranks in the top 40.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Vulnerability details

When using Arm Cortex-M Security Extensions (CMSE), Secure stack contents can be leaked to Non-secure state via floating-point registers when a Secure to Non-secure function call is made that returns a floating-point value and when this is the first use of floating-point since entering Secure state. This allows an attacker to read a limited quantity of Secure stack contents with an impact on confidentiality. This issue is specific to code generated using LLVM-based compilers.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: arm · Product: arm compiler for embedded · Versions: 6.6 — 6.23
Vendor: arm · Product: arm compiler for embedded fusa · Versions: 6.16, 6.21
Vendor: arm · Product: arm compiler for functional safety · Versions: 6.6
Vendor: arm · Product: clang · Versions: 11.0.0 — 20.1.0

Mitigating Controls

Likely Mitigating Controls (AI-generated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-226: The eradication and cross-system identification steps ensure sensitive information is removed before resources are reused or further accessed.

Addresses CWE-226: Requiring sanitization of media prior to removal for off-site maintenance ensures sensitive information is removed before the resource is reused or accessed externally.

Addresses CWE-226: Procedures include sanitization, overwriting, and disposal requirements to remove sensitive data before media reuse or release.

Addresses CWE-226: Requiring sanitization prior to reuse directly ensures sensitive information is removed from resources before they are reused by others.

Addresses CWE-226: Downgrading enables reuse of media at lower security levels, and the mandated process ensures sensitive information is removed beforehand to prevent exposure on reused resources.

Addresses CWE-226: Directly requires removal of sensitive data from resources before reuse or reallocation to another subject, eliminating residual information transfer.

Addresses CWE-226: Explicit retention limits and destruction rules reduce the persistence of sensitive information in reusable resources.

Addresses CWE-226: Periodic quality checks and deletion ensure sensitive PII is removed from resources prior to reuse or retention beyond its valid lifetime.