CVE-2022-47630
Description
Trusted Firmware-A versions 1.2 to 2.8 contain an out-of-bounds read vulnerability in the X.509 parser, potentially leading to sensitive information disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Trusted Firmware-A (TF-A) versions 1.2 through 2.8 are affected by an out-of-bounds read vulnerability within the X.509 parser used for boot certificates. This issue specifically impacts downstream implementations of BL1 and BL2 with Trusted Boot enabled, particularly when custom usages of the get_ext() and auth_nvctr() interfaces are employed, and is not present in upstream TF-A code [1, 2]. The vulnerability resides in drivers/auth/mbedtls/mbedtls_x509_parser.c [2].
Exploitation
An attacker needs to provide a crafted X.509 certificate to trigger the vulnerability. The vulnerability is triggered when parsing boot certificates, and the specific conditions require custom, downstream usages of the get_ext() or auth_nvctr() interfaces in BL1 or BL2 with Trusted Boot enabled [1, 2].
Impact
Successful exploitation of this vulnerability can lead to dangerous read side effects or the disclosure of sensitive information about the microarchitectural state. The exact impact depends on the context in which the vulnerable code path is triggered [1].
Mitigation
This vulnerability has been fixed in Trusted Firmware-A by the commits fd37982a19a4a291, 72460f50e2437a85, f5c51855d36e399e, and abb8f936fd0ad085; the fix requires these specific commits to be applied cleanly [2]. The first LTS release of TF-A was based on TF-A v2.8, released on December 14, 2022 [3]. No specific fixed version number is given; the fix consists of these patches.
AI Insight generated on Jun 6, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Trusted Firmware-A / Trusted Firmware-A
  - Range: <=2.8
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The X.509 parser in Trusted Firmware-A does not sufficiently validate certificate extensions, leading to an out-of-bounds read."
Attack vector
An attacker can craft a malicious X.509 certificate that exploits insufficient validation within the `get_ext()` function. This occurs because the function does not check the return values of underlying `mbedtls_*()` functions and incorrectly uses the end of an extension as the end pointer, while the certificate parser uses the end of the TBSCertificate. Furthermore, the parser fails to verify that the extension's content length matches the extension's declared length or that the extension block extends to the end of the TBSCertificate. This can lead to dangerous read side effects or disclosure of sensitive microarchitectural information [ref_id=1].
Affected code
The vulnerability resides in the `drivers/auth/mbedtls/mbedtls_x509_parser.c` file. The `get_ext()` function is implicated due to its failure to validate the return values of `mbedtls_*()` functions and its incorrect handling of extension boundaries. The `cert_parse()` function also contributes by not adequately checking extension content lengths and their alignment within the TBSCertificate [ref_id=1].
What the fix does
The patches introduce several checks to properly validate X.509 extensions. Specifically, they ensure that junk data after extensions is forbidden, that at least one extension must be present, and that extensions are validated more rigorously. The patch `abb8f936fd0ad085` directly addresses the out-of-bounds read in `auth_nvctr()` by improving validation logic. These changes prevent the parser from misinterpreting malformed extension data, thereby closing the vulnerability [ref_id=1].
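The boundary mistakes described above (an extension value checked against the end of the TBSCertificate instead of the end of its own extension, a value whose length does not match the extension's declared length, bytes left over after the extension list, an empty list) can be made concrete with a strict DER extension walker. The C code below is an added illustration written for this page; it is not TF-A's `get_ext()`, `cert_parse()` or any of the patches. The function names, the `EXT_ERR_*` codes and the DER byte strings are all constructed for the example, and the reader handles only the length forms the samples need.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result codes of the walker (hypothetical names, not TF-A's). */
enum {
    EXT_OK           = 0,
    EXT_ERR_OVERRUN  = -1,  /* element claims more bytes than its parent holds */
    EXT_ERR_BAD_TAG  = -2,
    EXT_ERR_BAD_LEN  = -3,  /* indefinite, non-minimal or unsupported length */
    EXT_ERR_TRAILING = -4,  /* bytes left over where an element should end */
    EXT_ERR_EMPTY    = -5   /* extensions SEQUENCE holds no extension */
};

/* Read one DER tag/length header at *pp.  `end` is the end of the ENCLOSING
 * element, never the end of the whole buffer: that is the distinction the
 * advisory draws.  On success *pp points at the content, *content_len is its
 * length, and the content is guaranteed to lie within [*pp, end).
 * Only short-form and 1-/2-byte long-form lengths are handled. */
static int der_get_tlv(const uint8_t **pp, const uint8_t *end,
                       uint8_t expected_tag, size_t *content_len)
{
    const uint8_t *p = *pp;
    size_t len;

    if (end - p < 2)                 /* tag + at least one length byte */
        return EXT_ERR_OVERRUN;
    if (*p++ != expected_tag)
        return EXT_ERR_BAD_TAG;
    if (p[0] < 0x80) {               /* short form */
        len = p[0];
        p += 1;
    } else if (p[0] == 0x81) {       /* long form, one length byte */
        if (end - p < 2) return EXT_ERR_OVERRUN;
        len = p[1];
        if (len < 0x80) return EXT_ERR_BAD_LEN;   /* DER requires minimal form */
        p += 2;
    } else if (p[0] == 0x82) {       /* long form, two length bytes */
        if (end - p < 3) return EXT_ERR_OVERRUN;
        len = ((size_t)p[1] << 8) | p[2];
        if (len < 0x100) return EXT_ERR_BAD_LEN;
        p += 3;
    } else {
        return EXT_ERR_BAD_LEN;      /* indefinite or longer length forms */
    }
    if (len > (size_t)(end - p))     /* the decisive bound: fits in the parent? */
        return EXT_ERR_OVERRUN;
    *pp = p;
    *content_len = len;
    return EXT_OK;
}

/* Walk an X.509 v3 Extensions SEQUENCE.  Returns the number of extensions
 * (>= 1) on success or a negative EXT_ERR_* code.  Every element is bounded by
 * its parent, each extnValue must end exactly where its Extension ends, nothing
 * may follow the list, and the list may not be empty. */
int walk_extensions(const uint8_t *buf, size_t buf_len)
{
    const uint8_t *p = buf, *end = buf + buf_len;
    size_t len;
    int rc, count = 0;

    /* Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension */
    if ((rc = der_get_tlv(&p, end, 0x30, &len)) != EXT_OK) return rc;
    if (p + len != end) return EXT_ERR_TRAILING;   /* junk after the list */

    while (p < end) {
        const uint8_t *ext_end;
        /* Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
         *                          extnValue OCTET STRING } */
        if ((rc = der_get_tlv(&p, end, 0x30, &len)) != EXT_OK) return rc;
        ext_end = p + len;            /* bound for THIS extension only */
        if ((rc = der_get_tlv(&p, ext_end, 0x06, &len)) != EXT_OK) return rc;
        p += len;
        if (p < ext_end && *p == 0x01) {
            if ((rc = der_get_tlv(&p, ext_end, 0x01, &len)) != EXT_OK) return rc;
            if (len != 1) return EXT_ERR_BAD_LEN;
            p += len;
        }
        if ((rc = der_get_tlv(&p, ext_end, 0x04, &len)) != EXT_OK) return rc;
        p += len;
        if (p != ext_end) return EXT_ERR_TRAILING;  /* value shorter than declared */
        count++;
    }
    return count > 0 ? count : EXT_ERR_EMPTY;
}

/* Constructed sample inputs (not from any real certificate). kValidExts holds
 * basicConstraints (critical) and keyUsage.  kOverrunExts is the same bytes
 * with the first extnValue claiming 10 bytes: only 5 remain inside its
 * Extension, but 22 remain before the end of the list, so a parser bounded by
 * the outer end would read into the second extension; this one refuses. */
static const uint8_t kValidExts[] = {
    0x30, 0x1E, 0x30, 0x0F, 0x06, 0x03, 0x55, 0x1D, 0x13, 0x01, 0x01, 0xFF,
    0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xFF, 0x30, 0x0B, 0x06, 0x03, 0x55,
    0x1D, 0x0F, 0x04, 0x04, 0x03, 0x02, 0x05, 0xA0 };
static const uint8_t kOverrunExts[] = {
    0x30, 0x1E, 0x30, 0x0F, 0x06, 0x03, 0x55, 0x1D, 0x13, 0x01, 0x01, 0xFF,
    0x04, 0x0A, 0x30, 0x03, 0x01, 0x01, 0xFF, 0x30, 0x0B, 0x06, 0x03, 0x55,
    0x1D, 0x0F, 0x04, 0x04, 0x03, 0x02, 0x05, 0xA0 };
/* extnValue (4 bytes) stops one byte short of the Extension's declared length. */
static const uint8_t kShortValueExts[] = {
    0x30, 0x11, 0x30, 0x0F, 0x06, 0x03, 0x55, 0x1D, 0x13, 0x01, 0x01, 0xFF,
    0x04, 0x04, 0x30, 0x03, 0x01, 0x01, 0xFF };
static const uint8_t kTrailingExts[] = { 0x30, 0x02, 0x30, 0x00, 0x00 };
static const uint8_t kEmptyExts[]    = { 0x30, 0x00 };

int main(void)
{
    printf("valid   : %d\n", walk_extensions(kValidExts, sizeof kValidExts));
    printf("overrun : %d\n", walk_extensions(kOverrunExts, sizeof kOverrunExts));
    printf("short   : %d\n", walk_extensions(kShortValueExts, sizeof kShortValueExts));
    printf("trailing: %d\n", walk_extensions(kTrailingExts, sizeof kTrailingExts));
    printf("empty   : %d\n", walk_extensions(kEmptyExts, sizeof kEmptyExts));
    return 0;
}
```

The design point is that `der_get_tlv()` never takes the buffer end as its bound: the caller passes the end of the element it is currently inside, so an inner length can never authorise a read past that element, whatever the outer length says. The explicit `p != ext_end` check after `extnValue` is the "content length matches declared length" rule, and the `p + len != end` check on the outer SEQUENCE is the "no junk after extensions" rule from the fix description.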
Preconditions
- config: Trusted Firmware-A versions v1.2 to v2.8 must be used.
- config: The system must be configured with BL1 and BL2 with Trusted Boot enabled.
- config: Custom, downstream usages of the `get_ext()` and/or `auth_nvctr()` interfaces must be present, differing from upstream TF-A code.
- input: A crafted X.509 certificate must be provided.
Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] www.openwall.com/lists/oss-security/2023/01/16/8 (NVD: Mailing List, Patch, Third Party Advisory)
- [2] trustedfirmware-a.readthedocs.io/en/latest/security_advisories/security-advisory-tfv-10.html (NVD: Patch, Vendor Advisory)
- [3] www.trustedfirmware.org/news/ (NVD: Vendor Advisory)
News mentions
No linked articles in our index yet.