CVE-2024-11864

CVE-2024-11864 affects the System Control Processor (SCP) in devices running SCP-Firmware release versions up to and including 2.15.0. The vulnerability arises from specifically crafted SCMI (System Control Processor Management Interface) messages that trigger a Usage Fault, causing the SCP to crash. It is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-755 (Improper Handling of Exceptional Conditions).

Attackers can exploit this vulnerability remotely over the network with low attack complexity, requiring no authentication privileges, user interaction, or special conditions. Any unauthenticated remote actor capable of sending SCMI messages to the affected SCP can induce a denial-of-service condition by crashing the processor, disrupting availability without impacting confidentiality or integrity.

Mitigation details and patches are documented in the Arm Security Center advisory for SCP-Firmware vulnerabilities CVE-2024-11863 and CVE-2024-11864, available at https://developer.arm.com/Arm%20Security%20Center/SCP-Firmware%20Vulnerability%20CVE-2024-11863-11864. Security practitioners should consult this reference for upgrade guidance to resolved versions beyond 2.15.0.