Cyber Resilience

CVE-2025-67841

High · DDoS

Published: 15 April 2026

Modified: 17 April 2026
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0006 (18.2th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-67841 is a high-severity Inefficient Algorithmic Complexity (CWE-407) vulnerability in Nordicsemi (inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 18.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-67841 is an algorithmic complexity vulnerability (CWE-407) in Nordic Semiconductor's IronSide SE for nRF54H20, affecting versions before 23.0.2+17. Published on 2026-04-15T16:16:33.997, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its potential for significant availability disruption without impacting confidentiality or integrity.

Remote attackers require no privileges or user interaction to exploit this issue over the network with low complexity. Exploitation triggers a denial-of-service condition, resulting in high availability impact such as device crashes, reboots, or resource exhaustion due to the algorithmic complexity flaw.

Nordic Semiconductor addresses the vulnerability in security advisory SA-2025-447-v1.1, available at https://docs.nordicsemi.com/bundle/SA/resource/SA-2025-447-v1.1.pdf, with mitigation via an update to IronSide SE version 23.0.2+17 or later. Further resources are on their site at https://nordicsemi.no.

Vulnerability details

Nordic Semiconductor IronSide SE for nRF54H20 before 23.0.2+17 has an Algorithmic complexity issue.

CWE(s)

CWE-407 Inefficient Algorithmic Complexity

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation (Tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Direct remote exploitation of algorithmic complexity leads to application/system resource exhaustion and DoS, matching T1499.004.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3988 · Shared CWE-407
CVE-2026-34573 · Shared CWE-407
CVE-2026-27903 · Shared CWE-407
CVE-2025-14550 · Shared CWE-407
CVE-2026-40164 · Shared CWE-407
CVE-2026-41292 · Shared CWE-407
CVE-2026-31934 · Shared CWE-407
CVE-2026-34230 · Shared CWE-407
CVE-2026-42304 · Shared CWE-407
CVE-2026-1285 · Shared CWE-407

Affected Assets

Nordicsemi
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly requires timely identification, reporting, and correction of flaws such as this algorithmic complexity vulnerability via firmware update to version 23.0.2+17.

prevent

Implements protections against denial-of-service attacks, including resource exhaustion and device crashes triggered by exploitation of this algorithmic complexity issue.

prevent

Validates network inputs to block malicious payloads that exploit the algorithmic complexity flaw leading to availability disruption.
