Description
AT91bootstrap before 3.9.2 does not properly wipe encryption and authentication keys from memory before passing control to a less privileged software component. This can be exploited to disclose these keys and subsequently encrypt and sign the next boot stage (such as the bootloader).
References (2)
Core 2
Core References
Patch, Third Party Advisory x_refsource_misc
https://github.com/linux4sam/at91bootstrap/commit/45419497309ffbf27c17ea7938499aca99168927
Exploit, Third Party Advisory x_refsource_misc
https://labs.f-secure.com/advisories/microchip-at91bootstrap/
Scores
CVSS v3
9.1
EPSS
0.0108
EPSS Percentile
60.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Details
CWE
CWE-212
Status
published
Products (1)
linux4sam/at91bootstrap
3.7.2 - 3.9.2
Published
Sep 14, 2020
Tracked Since
Feb 18, 2026