CWE-1256
AllowedImproper Restriction of Software Interfaces to Hardware Features
Abstraction: Base · Status: Stable
The product provides software-controllable device functionality for capabilities such as power and clock management, but it does not properly limit functionality that can lead to modification of hardware memory or register bits, or the ability to observe physical side channels.
9 vulnerabilities reference this CWE, most recent first.
CVE-2024-48869 (GCVE-0-2024-48869)
Vulnerability from cvelistv5 – Published: 2025-05-13 21:03 – Updated: 2026-02-26 18:28- Escalation of Privilege
- CWE-1256 - Improper Restriction of Software Interfaces to Hardware Features
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Intel(R) Xeon(R) 6 processor with E-cores when using Intel(R) Trust Domain Extensions (Intel(R) TDX) or Intel(R) Software Guard Extensions (Intel(R) SGX) |
Affected:
See references
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-48869",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-15T04:01:19.722556Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T18:28:10.662Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Intel(R) Xeon(R) 6 processor with E-cores when using Intel(R) Trust Domain Extensions (Intel(R) TDX) or Intel(R) Software Guard Extensions (Intel(R) SGX)",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "See references"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper restriction of software interfaces to hardware features for some Intel(R) Xeon(R) 6 processor with E-cores when using Intel(R) Trust Domain Extensions (Intel(R) TDX) or Intel(R) Software Guard Extensions (Intel(R) SGX) may allow a privileged user to potentially enable escalation of privilege via local access."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:H/A:N",
"version": "3.1"
},
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Escalation of Privilege",
"lang": "en"
},
{
"cweId": "CWE-1256",
"description": "Improper Restriction of Software Interfaces to Hardware Features",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T21:03:22.922Z",
"orgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce",
"shortName": "intel"
},
"references": [
{
"name": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01268.html",
"url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01268.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce",
"assignerShortName": "intel",
"cveId": "CVE-2024-48869",
"datePublished": "2025-05-13T21:03:22.922Z",
"dateReserved": "2024-10-09T02:59:22.185Z",
"dateUpdated": "2026-02-26T18:28:10.662Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-5477 (GCVE-0-2024-5477)
Vulnerability from cvelistv5 – Published: 2025-08-13 17:47 – Updated: 2025-08-13 19:41- CWE-1256 - - Improper Restriction of Software and Firmware Updates
| Vendor | Product | Version | |
|---|---|---|---|
| HP Inc. | Certain HP PC Products |
Affected:
See HP Security Bulletin reference for affected versions.
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5477",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-13T19:40:54.757656Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-13T19:41:17.129Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Certain HP PC Products",
"vendor": "HP Inc.",
"versions": [
{
"status": "affected",
"version": "See HP Security Bulletin reference for affected versions."
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A potential security vulnerability has been identified in the System BIOS for some HP PC products which may allow escalation of privilege, arbitrary code execution, denial of service, or information disclosure via a physical attack that requires specialized equipment and knowledge. HP is releasing firmware mitigation for the potential vulnerability.\u003cbr\u003e"
}
],
"value": "A potential security vulnerability has been identified in the System BIOS for some HP PC products which may allow escalation of privilege, arbitrary code execution, denial of service, or information disclosure via a physical attack that requires specialized equipment and knowledge. HP is releasing firmware mitigation for the potential vulnerability."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "PHYSICAL",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:P/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1256",
"description": "CWE-1256 - Improper Restriction of Software and Firmware Updates",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-13T17:47:36.452Z",
"orgId": "74586083-13ce-40fd-b46a-8e5d23cfbcb2",
"shortName": "hp"
},
"references": [
{
"url": "https://support.hp.com/us-en/document/ish_12878449-12878471-16/hpsbhf04043"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "74586083-13ce-40fd-b46a-8e5d23cfbcb2",
"assignerShortName": "hp",
"cveId": "CVE-2024-5477",
"datePublished": "2025-08-13T17:47:09.166Z",
"dateReserved": "2024-05-29T15:20:41.911Z",
"dateUpdated": "2025-08-13T19:41:17.129Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2881 (GCVE-0-2024-2881)
Vulnerability from cvelistv5 – Published: 2024-08-29 23:10 – Updated: 2024-08-30 14:18{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:wolfssl:wolfcrypt:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "wolfcrypt",
"vendor": "wolfssl",
"versions": [
{
"lessThanOrEqual": "5.6.6",
"status": "affected",
"version": "0",
"versionType": "git"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2881",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-30T14:18:26.882306Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-30T14:18:36.327Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/wolfSSL/wolfssl",
"defaultStatus": "affected",
"modules": [
"EdDSA signature system"
],
"packageName": "wolfssl",
"platforms": [
"Linux",
"Windows",
"64 bit",
"32 bit"
],
"product": "wolfCrypt",
"programFiles": [
"https://github.com/wolfSSL/wolfssl/blob/master/wolfcrypt/src/ed25519.c"
],
"programRoutines": [
{
"name": "Ed25519 signature"
}
],
"repo": "https://github.com/wolfSSL/wolfssl",
"vendor": "WolfSSL",
"versions": [
{
"lessThanOrEqual": "5.6.6",
"status": "affected",
"version": "0",
"versionType": "git"
}
]
}
],
"datePublic": "2024-03-20T17:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Fault Injection vulnerability in\u0026nbsp;wc_ed25519_sign_msg function in wolfssl/wolfcrypt/src/ed25519.c in WolfSSL wolfssl5.6.6 on Linux/Windows allows remote attacker\u0026nbsp;co-resides in the same system with a victim process to\u0026nbsp;disclose information and escalate privileges via Rowhammer fault injection to the ed25519_key structure."
}
],
"value": "Fault Injection vulnerability in\u00a0wc_ed25519_sign_msg function in wolfssl/wolfcrypt/src/ed25519.c in WolfSSL wolfssl5.6.6 on Linux/Windows allows remote attacker\u00a0co-resides in the same system with a victim process to\u00a0disclose information and escalate privileges via Rowhammer fault injection to the ed25519_key structure."
}
],
"impacts": [
{
"capecId": "CAPEC-440",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-440 Hardware Integrity Attack"
}
]
},
{
"capecId": "CAPEC-624",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-624 Fault Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1256",
"description": "CWE-1256: Improper Restriction of Software Interfaces to Hardware Features",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-252",
"description": "CWE-252 Unchecked Return Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T23:10:59.179Z",
"orgId": "50d2cd11-d01a-48ed-9441-5bfce9d63b27",
"shortName": "wolfSSL"
},
"references": [
{
"url": "https://github.com/wolfSSL/wolfssl/releases/tag/v5.7.0-stable"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Fault Injection of EdDSA signature in WolfCrypt",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "50d2cd11-d01a-48ed-9441-5bfce9d63b27",
"assignerShortName": "wolfSSL",
"cveId": "CVE-2024-2881",
"datePublished": "2024-08-29T23:10:59.179Z",
"dateReserved": "2024-03-25T22:01:53.209Z",
"dateUpdated": "2024-08-30T14:18:36.327Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-1545 (GCVE-0-2024-1545)
Vulnerability from cvelistv5 – Published: 2024-08-29 23:02 – Updated: 2026-01-27 21:58{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:wolfssl:wolfcrypt:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "wolfcrypt",
"vendor": "wolfssl",
"versions": [
{
"lessThanOrEqual": "5.6.6",
"status": "affected",
"version": "0",
"versionType": "git"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1545",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-30T14:19:14.904586Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-30T14:19:19.372Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/wolfSSL/wolfssl",
"defaultStatus": "affected",
"modules": [
"RSA encryption system"
],
"packageName": "wolfssl",
"platforms": [
"Linux",
"Windows",
"64 bit",
"32 bit"
],
"product": "wolfCrypt",
"programFiles": [
"https://github.com/wolfSSL/wolfssl/blob/master/wolfcrypt/src/rsa.c"
],
"programRoutines": [
{
"name": "RsaPrivateDecrypt"
}
],
"repo": "https://github.com/wolfSSL/wolfssl",
"vendor": "WolfSSL",
"versions": [
{
"lessThanOrEqual": "5.6.6",
"status": "affected",
"version": "0",
"versionType": "git"
}
]
}
],
"datePublic": "2024-03-20T17:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Fault Injection vulnerability in RsaPrivateDecryption function in wolfssl/wolfcrypt/src/rsa.c in WolfSSL wolfssl5.6.6 on Linux/Windows allows remote attacker\u0026nbsp;co-resides in the same system with a victim process to\u0026nbsp;disclose information and escalate privileges via Rowhammer fault injection to the RsaKey structure."
}
],
"value": "Fault Injection vulnerability in RsaPrivateDecryption function in wolfssl/wolfcrypt/src/rsa.c in WolfSSL wolfssl5.6.6 on Linux/Windows allows remote attacker\u00a0co-resides in the same system with a victim process to\u00a0disclose information and escalate privileges via Rowhammer fault injection to the RsaKey structure."
}
],
"impacts": [
{
"capecId": "CAPEC-440",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-440 Hardware Integrity Attack"
}
]
},
{
"capecId": "CAPEC-624",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-624 Fault Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1256",
"description": "CWE-1256: Improper Restriction of Software Interfaces to Hardware Features",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-252",
"description": "CWE-252 Unchecked Return Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-27T21:58:13.959Z",
"orgId": "50d2cd11-d01a-48ed-9441-5bfce9d63b27",
"shortName": "wolfSSL"
},
"references": [
{
"url": "https://github.com/wolfSSL/wolfssl/releases/tag/v5.7.0-stable"
},
{
"url": "https://github.com/wolfSSL/wolfssl/pull/7167"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Fault Injection of RSA encryption in WolfCrypt",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "50d2cd11-d01a-48ed-9441-5bfce9d63b27",
"assignerShortName": "wolfSSL",
"cveId": "CVE-2024-1545",
"datePublished": "2024-08-29T23:02:48.312Z",
"dateReserved": "2024-02-15T17:39:41.746Z",
"dateUpdated": "2026-01-27T21:58:13.959Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
GHSA-3HVR-6XXW-86VV
Vulnerability from github – Published: 2025-05-13 21:30 – Updated: 2025-05-13 21:30Improper restriction of software interfaces to hardware features for some Intel(R) Xeon(R) 6 processor with E-cores when using Intel(R) Trust Domain Extensions (Intel(R) TDX) or Intel(R) Software Guard Extensions (Intel(R) SGX) may allow a privileged user to potentially enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2024-48869"
],
"database_specific": {
"cwe_ids": [
"CWE-1256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-13T21:16:02Z",
"severity": "MODERATE"
},
"details": "Improper restriction of software interfaces to hardware features for some Intel(R) Xeon(R) 6 processor with E-cores when using Intel(R) Trust Domain Extensions (Intel(R) TDX) or Intel(R) Software Guard Extensions (Intel(R) SGX) may allow a privileged user to potentially enable escalation of privilege via local access.",
"id": "GHSA-3hvr-6xxw-86vv",
"modified": "2025-05-13T21:30:55Z",
"published": "2025-05-13T21:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48869"
},
{
"type": "WEB",
"url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01268.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-9CHR-M38J-W26G
Vulnerability from github – Published: 2024-08-30 00:31 – Updated: 2026-01-28 00:31Fault Injection vulnerability in RsaPrivateDecryption function in wolfssl/wolfcrypt/src/rsa.c in WolfSSL wolfssl5.6.6 on Linux/Windows allows remote attacker co-resides in the same system with a victim process to disclose information and escalate privileges via Rowhammer fault injection to the RsaKey structure.
{
"affected": [],
"aliases": [
"CVE-2024-1545"
],
"database_specific": {
"cwe_ids": [
"CWE-1256",
"CWE-252",
"CWE-74"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-29T23:15:10Z",
"severity": "MODERATE"
},
"details": "Fault Injection vulnerability in RsaPrivateDecryption function in wolfssl/wolfcrypt/src/rsa.c in WolfSSL wolfssl5.6.6 on Linux/Windows allows remote attacker\u00a0co-resides in the same system with a victim process to\u00a0disclose information and escalate privileges via Rowhammer fault injection to the RsaKey structure.",
"id": "GHSA-9chr-m38j-w26g",
"modified": "2026-01-28T00:31:37Z",
"published": "2024-08-30T00:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1545"
},
{
"type": "WEB",
"url": "https://github.com/wolfSSL/wolfssl/pull/7167"
},
{
"type": "WEB",
"url": "https://github.com/wolfSSL/wolfssl/releases/tag/v5.7.0-stable"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-HHPG-V63P-WP7W
Vulnerability from github – Published: 2024-07-18 22:06 – Updated: 2024-08-07 16:06Impact
The two gRPC ports 7070 and 7071, are not bound to localhost by default, so when TorchServe is launched, these two interfaces are bound to all interfaces. Customers using PyTorch inference Deep Learning Containers (DLC) through Amazon SageMaker and EKS are not affected.
Patches
This issue in TorchServe has been fixed in #3083.
TorchServe release 0.11.0 includes the fix to address this vulnerability.
References
Thank Kroll Cyber Risk for for responsibly disclosing this issue.
If you have any questions or comments about this advisory, we ask that you contact AWS Security via our vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "torchserve"
},
"ranges": [
{
"events": [
{
"introduced": "0.3.0"
},
{
"fixed": "0.11.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-35199"
],
"database_specific": {
"cwe_ids": [
"CWE-1256",
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2024-07-18T22:06:41Z",
"nvd_published_at": "2024-07-19T02:15:14Z",
"severity": "HIGH"
},
"details": "### Impact\nThe two gRPC ports 7070 and 7071, are not bound to [localhost](http://localhost/) by default, so when TorchServe is launched, these two interfaces are bound to all interfaces. Customers using PyTorch inference Deep Learning Containers (DLC) through Amazon SageMaker and EKS are not affected.\n\n### Patches\nThis issue in TorchServe has been fixed in [#3083](https://github.com/pytorch/serve/pull/3083).\n\nTorchServe release 0.11.0 includes the fix to address this vulnerability.\n\n### References\n* [#3083](https://github.com/pytorch/serve/pull/3083)\n* [TorchServe release v0.11.0](https://github.com/pytorch/serve/releases/tag/v0.11.0)\n\nThank Kroll Cyber Risk for for responsibly disclosing this issue.\n\nIf you have any questions or comments about this advisory, we ask that you contact AWS Security via our [vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting) or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.",
"id": "GHSA-hhpg-v63p-wp7w",
"modified": "2024-08-07T16:06:00Z",
"published": "2024-07-18T22:06:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pytorch/serve/security/advisories/GHSA-hhpg-v63p-wp7w"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35199"
},
{
"type": "WEB",
"url": "https://github.com/pytorch/serve/pull/3083"
},
{
"type": "WEB",
"url": "https://github.com/pytorch/serve/commit/aab99506a17193de217aacc1119d9381dbc6ed2b"
},
{
"type": "PACKAGE",
"url": "https://github.com/pytorch/serve"
},
{
"type": "WEB",
"url": "https://github.com/pytorch/serve/releases/tag/v0.11.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "TorchServe gRPC Port Exposure"
}
GHSA-MMHV-HFP7-CG3C
Vulnerability from github – Published: 2025-08-13 18:31 – Updated: 2025-08-13 18:31A potential security vulnerability has been identified in the System BIOS for some HP PC products which may allow escalation of privilege, arbitrary code execution, denial of service, or information disclosure via a physical attack that requires specialized equipment and knowledge. HP is releasing firmware mitigation for the potential vulnerability.
{
"affected": [],
"aliases": [
"CVE-2024-5477"
],
"database_specific": {
"cwe_ids": [
"CWE-1256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-13T18:15:28Z",
"severity": "HIGH"
},
"details": "A potential security vulnerability has been identified in the System BIOS for some HP PC products which may allow escalation of privilege, arbitrary code execution, denial of service, or information disclosure via a physical attack that requires specialized equipment and knowledge. HP is releasing firmware mitigation for the potential vulnerability.",
"id": "GHSA-mmhv-hfp7-cg3c",
"modified": "2025-08-13T18:31:24Z",
"published": "2025-08-13T18:31:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5477"
},
{
"type": "WEB",
"url": "https://support.hp.com/us-en/document/ish_12878449-12878471-16/hpsbhf04043"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:P/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-P7FR-35J6-P64G
Vulnerability from github – Published: 2024-08-30 00:31 – Updated: 2024-09-04 15:30Fault Injection vulnerability in wc_ed25519_sign_msg function in wolfssl/wolfcrypt/src/ed25519.c in WolfSSL wolfssl5.6.6 on Linux/Windows allows remote attacker co-resides in the same system with a victim process to disclose information and escalate privileges via Rowhammer fault injection to the ed25519_key structure.
{
"affected": [],
"aliases": [
"CVE-2024-2881"
],
"database_specific": {
"cwe_ids": [
"CWE-1256",
"CWE-74"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-30T00:15:04Z",
"severity": "MODERATE"
},
"details": "Fault Injection vulnerability in\u00a0wc_ed25519_sign_msg function in wolfssl/wolfcrypt/src/ed25519.c in WolfSSL wolfssl5.6.6 on Linux/Windows allows remote attacker\u00a0co-resides in the same system with a victim process to\u00a0disclose information and escalate privileges via Rowhammer fault injection to the ed25519_key structure.",
"id": "GHSA-p7fr-35j6-p64g",
"modified": "2024-09-04T15:30:33Z",
"published": "2024-08-30T00:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2881"
},
{
"type": "WEB",
"url": "https://github.com/wolfSSL/wolfssl/releases/tag/v5.7.0-stable"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
]
}
Mitigation
Ensure proper access control mechanisms protect software-controllable features altering physical operating conditions such as clock frequency and voltage.
CAPEC-624: Hardware Fault Injection
The adversary uses disruptive signals or events, or alters the physical environment a device operates in, to cause faulty behavior in electronic devices. This can include electromagnetic pulses, laser pulses, clock glitches, ambient temperature extremes, and more. When performed in a controlled manner on devices performing cryptographic operations, this faulty behavior can be exploited to derive secret key information.
CAPEC-625: Mobile Device Fault Injection
Fault injection attacks against mobile devices use disruptive signals or events (e.g. electromagnetic pulses, laser pulses, clock glitches, etc.) to cause faulty behavior. When performed in a controlled manner on devices performing cryptographic operations, this faulty behavior can be exploited to derive secret key information. Although this attack usually requires physical control of the mobile device, it is non-destructive, and the device can be used after the attack without any indication that secret keys were compromised.