Hello,

 

This email is a notification of a new security vulnerability reported to TF-M by Infineon Technologies AG, in collaboration with: Tobias Scharnowski, Simon Wörner and Johannes Willbold from fuzzware.io.

 

Unchecked user-supplied pointer via mailbox messages may cause write of arbitrary address.

 

Please find the security advisory attached. The fix has been merged on the latest main branch tfm_spe_mailbox: Do not write-back on input vectors checks failure

 

We’re preparing a hotfix release v2.1.1 to include fixes for this vulnerability and bugs reported till that date via TF-M issue tracker: https://github.com/TrustedFirmware-M/trusted-firmware-m/issues?q=is%3Aissue

 

Thanks and best regards

Author