6.1. Advisory HFV-1 (CVE-2025-10263)
| Title | Completion of affected memory accesses may not be guaranteed by the completion of a TLBI |
|---|---|
| CVE ID | CVE-2025-10263 |
| Date | Reported on 13 August 2025 |
| Versions Affected | All Hafnium versions up to and including v2.15 |
| Configurations Affected | All platforms containing any of the following affected CPU implementations (if even a single affected core is present, the workaround must be enabled): Cortex-A76, Cortex-A76AE, Cortex-A77, Cortex-A78, Cortex-A78C, Cortex-A78AE, Cortex-A710, Cortex-X1, Cortex-X1C, Cortex-X2, Cortex-X3, Cortex-X4, Cortex-X925, Neoverse-N1, Neoverse-N2, Neoverse-V1, Neoverse-V2, Neoverse-V3, Neoverse-V3AE, C1-Ultra, C1-Premium |
| Impact | Potential privilege escalation within the same security state |
| Fix Version | Gerrit Patches #cve_2025_10263; also see mitigation guidance in the Official Arm Advisory |
| Credit | Arm |
6.1.1. Description
CVE-2025-10263 describes an implementation erratum affecting the ordering of TLBI and DSB instructions under multi-core concurrency. Under certain conditions, a TLBI followed by a DSB may complete before store operations from another processing element are globally observed.
This issue is specific to certain CPU implementations as described in the Official Arm Advisory. It is not an architectural vulnerability.
For full technical details of the erratum, refer to the Official Arm Advisory.
6.1.2. Impact on Hafnium
Hafnium executes TLBI operations when modifying translation tables or updating memory permissions. On affected CPU implementations, a TLBI followed by a DSB may not guarantee that concurrent store operations from another processing element have completed. This could allow memory accesses to be observed after permission changes, potentially resulting in privilege escalation within the same security state.
6.1.3. Mitigation in Hafnium
Hafnium mitigates this erratum by issuing the additional TLBI + DSB sequence required by the erratum after completion of TLBI maintenance affecting Stage-1 translation information.
The mitigation is controlled via the build-time flag:
WORKAROUND_CVE_2025_10263
This flag is disabled by default. Integrators must enable it when targeting platforms that include affected CPU implementations.
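The following is an added illustration of the mitigation structure described above; it is not Hafnium's own code. It models a Stage-1 TLB invalidation routine that issues the normal TLBI + DSB pair and, when the workaround is selected, repeats that pair. The choice of `tlbi vmalle1is` and `dsb ish` as the Stage-1 maintenance instructions, the use of a run-time boolean in place of the build-time flag WORKAROUND_CVE_2025_10263, and the trace buffer that records each operation so the sequence can be checked on a non-AArch64 host are all assumptions made for the example; the exact instruction sequence a product must issue comes from the Official Arm Advisory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Operations recorded by the instrumented maintenance helpers. */
enum tlb_op { OP_TLBI_VMALLE1IS, OP_DSB_ISH };

#define TRACE_CAP 8

struct tlb_trace {
	enum tlb_op ops[TRACE_CAP];
	size_t len;
};

static void trace_push(struct tlb_trace *t, enum tlb_op op)
{
	if (t->len < TRACE_CAP) {
		t->ops[t->len++] = op;
	}
}

/* Invalidate all Stage-1 TLB entries for the current VMID, Inner Shareable
 * (instruction choice is an assumption for this example). The instruction
 * only executes on an AArch64 build; on any other host the call is just
 * recorded so the emitted sequence can be inspected. */
static void tlbi_vmalle1is(struct tlb_trace *t)
{
#if defined(__aarch64__)
	__asm__ volatile("tlbi vmalle1is" ::: "memory");
#endif
	trace_push(t, OP_TLBI_VMALLE1IS);
}

static void dsb_ish(struct tlb_trace *t)
{
#if defined(__aarch64__)
	__asm__ volatile("dsb ish" ::: "memory");
#endif
	trace_push(t, OP_DSB_ISH);
}

/* Stage-1 invalidation with the erratum workaround selectable at run time,
 * a stand-in here for the build-time flag WORKAROUND_CVE_2025_10263. */
void invalidate_stage1(struct tlb_trace *t, bool workaround_cve_2025_10263)
{
	tlbi_vmalle1is(t);
	dsb_ish(t);

	if (workaround_cve_2025_10263) {
		/* On affected cores the first DSB does not guarantee that
		 * stores from other PEs are globally observed, so the
		 * TLBI + DSB pair is issued again after the maintenance. */
		tlbi_vmalle1is(t);
		dsb_ish(t);
	}
}

/* Number of maintenance operations issued for the given configuration. */
size_t stage1_op_count(bool workaround)
{
	struct tlb_trace t = { .len = 0 };
	invalidate_stage1(&t, workaround);
	return t.len;
}

/* True if the recorded sequence is well formed: every TLBI is immediately
 * followed by a DSB, and the workaround variant issues the pair twice. */
bool stage1_sequence_ok(bool workaround)
{
	struct tlb_trace t = { .len = 0 };
	size_t pairs = 0;

	invalidate_stage1(&t, workaround);
	for (size_t i = 0; i + 1 < t.len; i += 2) {
		if (t.ops[i] != OP_TLBI_VMALLE1IS || t.ops[i + 1] != OP_DSB_ISH) {
			return false;
		}
		pairs++;
	}
	return (t.len % 2 == 0) && pairs == (workaround ? 2u : 1u);
}

int main(void)
{
	printf("default:    %zu ops, ok=%d\n",
	       stage1_op_count(false), stage1_sequence_ok(false));
	printf("workaround: %zu ops, ok=%d\n",
	       stage1_op_count(true), stage1_sequence_ok(true));
	return 0;
}
```

Because the flag is off by default, an integrator's build review for a platform containing any listed core should confirm that the workaround path is compiled in; a trace check like `stage1_sequence_ok(true)` is the kind of unit-level assertion that catches a build where the flag was silently dropped.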