NIST 800-53 r5 · Controls catalogue · Family SC
SC-34 Non-modifiable Executable Programs
For {{ insert: param, sc-34_odp.01 }}, load and execute:
- The operating environment from hardware-enforced, read-only media; and
- The following applications from hardware-enforced, read-only media: {{ insert: param, sc-34_odp.02 }}.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (15)
- T1195.003 Compromise Hardware Supply Chain (Initial Access)
- T1218.015 Electron Applications (Stealth)
- T1542 Pre-OS Boot (Stealth, Persistence)
- T1542.001 System Firmware (Stealth, Persistence)
- T1542.003 Bootkit (Stealth, Persistence)
- T1542.004 ROMMONkit (Stealth, Persistence)
- T1542.005 TFTP Boot (Stealth, Persistence)
- T1548 Abuse Elevation Control Mechanism (Privilege Escalation)
- T1548.004 Elevated Execution with Prompt (Privilege Escalation)
- T1553 Subvert Trust Controls (Defense Impairment)
- T1553.006 Code Signing Policy Modification (Defense Impairment)
- T1601 Modify System Image (Defense Impairment)
- T1601.001 Patch System Image (Defense Impairment)
- T1601.002 Downgrade System Image (Defense Impairment)
- T1611 Escape to Host (Privilege Escalation)
Weaknesses this control addresses (5)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-94 | Improper Control of Generation of Code ('Code Injection') | 6,628 | Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media. |
| CWE-284 | Improper Access Control | 4,832 | Hardware-enforced read-only media directly implements strong access control preventing any modification of executables. |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,824 | Overrides or renders irrelevant incorrect permission assignments on critical executable resources by using hardware-level immutability. |
| CWE-506 | Embedded Malicious Code | 80 | Prevents embedding or persistence of malicious code in the OS or specified applications since the media cannot be written. |
| CWE-96 | Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') | 23 | Eliminates the possibility of static code injection into saved executables by making the storage non-modifiable. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2016-20024 | 2.0 | 9.8 | 0.0003 | good |
| CVE-2025-41660 | 1.8 | 8.8 | 0.0027 | good |
| CVE-2020-36938 | 1.8 | 8.8 | 0.0003 | good |
| CVE-2020-36916 | 1.8 | 8.8 | 0.0004 | good |
| CVE-2026-24063 | 1.6 | 8.2 | 0.0001 | good |
| CVE-2025-0834 | 1.6 | 7.8 | 0.0002 | good |
| CVE-2026-2123 | 1.6 | 7.8 | 0.0001 | good |
| CVE-2016-20033 | 1.6 | 7.8 | 0.0002 | good |
| CVE-2019-25344 | 1.6 | 7.8 | 0.0002 | good |
| CVE-2021-47761 | 1.6 | 7.8 | 0.0002 | good |
| CVE-2022-50931 | 1.6 | 7.8 | 0.0002 | good |
| CVE-2020-37129 | 2.0 | 9.8 | 0.0001 | good |
| CVE-2024-45555 | 1.7 | 8.4 | 0.0002 | good |
| CVE-2025-15561 | 1.6 | 7.8 | 0.0002 | good |
| CVE-2026-32979 | 1.5 | 7.3 | 0.0005 | good |
| CVE-2026-32009 | 1.1 | 5.7 | 0.0002 | good |
| CVE-2026-30283 | 2.0 | 9.8 | 0.0011 | good |
| CVE-2016-20025 | 1.8 | 8.8 | 0.0003 | good |
| CVE-2025-10314 | 1.8 | 8.8 | 0.0001 | good |
| CVE-2024-42444 | 1.5 | 7.5 | 0.0011 | good |