CVE-2025-50897

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.7 / Impact : 3.6

Attack Vector PHYSICAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

A

vulnerability exists in riscv-boom SonicBOOM 1.2 (BOOMv1.2) processor implementation, where valid virtual-to-physical address translations configured with write permissions (PTE_W) in SV39 mode may incorrectly trigger a Store/AMO access fault during store instructions (sd). This occurs despite the presence of proper page table entries and valid memory access modes. The fault is reproducible when transitioning into virtual memory and attempting store operations in mapped kernel memory, indicating a potential flaw in the MMU, PMP, or memory access enforcement logic. This may cause unexpected kernel panics or denial of service in systems using BOOMv1.2.

References

Link	Resource
https://github.com/LuLuji04/POC-Boomv1.2	Exploit Third Party Advisory
https://github.com/riscv-boom/riscv-boom	Product
https://github.com/riscv-software-src/riscv-isa-sim	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:boom-core:boomv:1.2:*:*:*:*:*:*:*

History

17 Oct 2025, 16:55

Type	Values Removed	Values Added
First Time		Boom-core boomv Boom-core
CPE		cpe:2.3:a:boom-core:boomv:1.2:::::::*
References	~~() https://github.com/LuLuji04/POC-Boomv1.2 -~~	() https://github.com/LuLuji04/POC-Boomv1.2 - Exploit, Third Party Advisory
References	~~() https://github.com/riscv-boom/riscv-boom -~~	() https://github.com/riscv-boom/riscv-boom - Product
References	~~() https://github.com/riscv-software-src/riscv-isa-sim -~~	() https://github.com/riscv-software-src/riscv-isa-sim - Product

20 Aug 2025, 14:40

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-19 15:15

Updated : 2025-10-17 16:55

NVD link : CVE-2025-50897

Mitre link : CVE-2025-50897

CVE.ORG link : CVE-2025-50897

JSON object : View

Products Affected

boomv

CWE

CWE-284

Improper Access Control

CWE-434

Unrestricted Upload of File with Dangerous Type

CWE-693

Protection Mechanism Failure

{"id": "CVE-2025-50897", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 0.7}]}, "published": "2025-08-19T15:15:28.310", "references": [{"url": "https://github.com/LuLuji04/POC-Boomv1.2", "tags": ["Exploit", "Third Party Advisory"], "source": "[email protected]"}, {"url": "https://github.com/riscv-boom/riscv-boom", "tags": ["Product"], "source": "[email protected]"}, {"url": "https://github.com/riscv-software-src/riscv-isa-sim", "tags": ["Product"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-434"}, {"lang": "en", "value": "CWE-693"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability exists in riscv-boom SonicBOOM 1.2 (BOOMv1.2) processor implementation, where valid virtual-to-physical address translations configured with write permissions (PTE_W) in SV39 mode may incorrectly trigger a Store/AMO access fault during store instructions (sd). This occurs despite the presence of proper page table entries and valid memory access modes. The fault is reproducible when transitioning into virtual memory and attempting store operations in mapped kernel memory, indicating a potential flaw in the MMU, PMP, or memory access enforcement logic. This may cause unexpected kernel panics or denial of service in systems using BOOMv1.2."}, {"lang": "es", "value": "Existe una vulnerabilidad en la implementaci\u00f3n del procesador riscv-boom SonicBOOM 1.2 (BOOMv1.2). Las traducciones de direcciones virtuales a f\u00edsicas v\u00e1lidas configuradas con permisos de escritura (PTE_W) en modo SV39 pueden generar incorrectamente un fallo de acceso a la memoria/AMO durante las instrucciones de almacenamiento (sd). Esto ocurre a pesar de la presencia de entradas correctas en la tabla de p\u00e1ginas y modos de acceso a memoria v\u00e1lidos. El fallo se reproduce al realizar la transici\u00f3n a memoria virtual e intentar realizar operaciones de almacenamiento en la memoria del kernel mapeada, lo que indica una posible falla en la MMU, PMP o la l\u00f3gica de aplicaci\u00f3n de acceso a memoria. Esto puede causar p\u00e1nicos de kernel inesperados o denegaci\u00f3n de servicio en sistemas que utilizan BOOMv1.2."}], "lastModified": "2025-10-17T16:55:16.997", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:boom-core:boomv:1.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BDBB5A25-29F5-4484-9429-5432A1E3F1D3"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}