Memory overread secure enclave in Asylo 0.6.2
Description
An untrusted memory read vulnerability in Asylo versions up to 0.6.1 allows an untrusted attacker to pass a syscall number in MessageReader that is then used by sysno() and can bypass validation. This can allow the attacker to read memory from within the secure enclave. We recommend updating to Asylo 0.6.3 or past commit https://github.com/google/asylo/commit/90d7619e9dd99bcdb6cd28c7649d741d254d9a1a
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Asylo 0.6.1 and earlier have an untrusted memory read vulnerability in MessageReader allowing an attacker to bypass syscall number validation and read enclave memory.
Vulnerability
An untrusted memory read vulnerability exists in Google Asylo versions up to 0.6.1. The bug resides in the MessageReader class used during system call handling in enc_untrusted_syscall. Specifically, the sysno() method in MessageReader reads the syscall number from an untrusted response buffer without verifying it against the originally passed syscall number. This allows an attacker to manipulate the response to contain a different syscall number, bypassing validation. The affected code path is triggered when an untrusted attacker controls the response to a system call invocation. Versions up to and including 0.6.1 are vulnerable; the fix was introduced in commit 90d7619e9dd99bcdb6cd28c7649d741d254d9a1a and is included in Asylo 0.6.3.
Exploitation
An attacker must be in a position to control the response buffer sent back to the enclave after a system call. This typically requires the attacker to be the untrusted host process that communicates with the Asylo enclave. No special authentication is needed beyond the ability to send crafted responses. The attacker can craft a response where the syscall number in the MessageReader differs from the one originally requested. The code then uses this attacker-controlled syscall number via sysno() for further operations, potentially bypassing intended syscall validation checks.
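The check whose absence is described above, shown in a simplified model as an added example. It is not Asylo's code or the fix commit; the 16-byte response layout and every function name here are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Simplified response layout assumed for this example (not Asylo's real
// serialization): 8-byte syscall number, then 8-byte result, host byte order.
enum class Status { kOk, kTruncated, kSysnoMismatch };

// Bounds-checked read of one 8-byte field from the untrusted buffer.
static bool ReadU64(const std::vector<uint8_t>& buf, size_t off, uint64_t* out) {
  if (off > buf.size() || buf.size() - off < sizeof(uint64_t)) return false;
  std::memcpy(out, buf.data() + off, sizeof(uint64_t));
  return true;
}

// Pre-fix pattern: the syscall number is taken from the host's response as-is,
// so any later handling is keyed on a value the host chose.
Status SysnoFromResponse(const std::vector<uint8_t>& resp, uint64_t* sysno) {
  return ReadU64(resp, 0, sysno) ? Status::kOk : Status::kTruncated;
}

// Hardened pattern: the response is accepted only when it names the syscall
// the enclave actually requested; otherwise nothing in it is used.
Status ResultForRequest(uint64_t requested_sysno,
                        const std::vector<uint8_t>& resp, int64_t* result) {
  uint64_t sysno = 0, raw = 0;
  if (!ReadU64(resp, 0, &sysno) || !ReadU64(resp, 8, &raw))
    return Status::kTruncated;
  if (sysno != requested_sysno) return Status::kSysnoMismatch;
  std::memcpy(result, &raw, sizeof(raw));
  return Status::kOk;
}

// Builds a constructed response for the demo; in reality the host writes this.
std::vector<uint8_t> MakeResponse(uint64_t sysno, int64_t result) {
  std::vector<uint8_t> buf(16);
  std::memcpy(buf.data(), &sysno, 8);
  std::memcpy(buf.data() + 8, &result, 8);
  return buf;
}

int main() {
  int64_t r = 0;
  // Enclave requested syscall 39; the constructed response claims syscall 0.
  return ResultForRequest(39, MakeResponse(0, 7), &r) == Status::kSysnoMismatch ? 0 : 1;
}
```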
Impact
Successful exploitation allows the attacker to read memory from within the secure enclave. The attacker gains information disclosure, potentially leaking sensitive data protected by the enclave. The privilege level achieved is that of the untrusted host process, but the impact is a breach of the confidentiality guarantees expected from the enclave.
Mitigation
The vulnerability is fixed in Asylo version 0.6.3 and in commit 90d7619e9dd99bcdb6cd28c7649d741d254d9a1a [1]. Users should update to Asylo 0.6.3 or later, or apply the commit if building from source. The repository has been archived and is read-only as of April 2026, so no further updates are expected. No workarounds have been disclosed; updating is the recommended course of action.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Google LLC/Asylo (v5), Range: unspecified
References
[1] https://github.com/google/asylo/commit/90d7619e9dd99bcdb6cd28c7649d741d254d9a1a (mitre, x_refsource_MISC)