
Renesas · FSP

GCM Tag Length Stack Buffer Overflow in MbedTLS

SecMate: SECMATE-2025-0022
Vendor: Renesas
Product: FSP
Advisory: Issue #428

Timeline

Reported: Dec 8, 2025
Acknowledged: Dec 8, 2025
Published: Feb 10, 2026

Summary

FSP versions prior to v6.3.0 contain a stack buffer overflow vulnerability in the GCM alt process (rm_psa_crypto/gcm_alt_process.c). The sce_gcm_crypt_and_tag function copies tag_len bytes from a caller-supplied tag into a fixed 16-byte local buffer, padded_tag, without validating the tag length. When tag_len > 16, the copy writes past the end of the 16-byte padded_tag buffer on the stack. The resulting local memory corruption can lead to arbitrary code execution or a device crash, and the stack corruption may enable more severe exploits depending on context.
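
The bounds check that the summary describes as missing, written as an added example (not Renesas FSP or MbedTLS code). The names ex_load_padded_tag, ex_gcm_tag_stage and EX_ERR_BAD_INPUT are hypothetical, and zero-filling the unused bytes is an assumption based on the buffer's name.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define GCM_TAG_MAX 16          /* size of the fixed local buffer named in the advisory */
#define EX_ERR_BAD_INPUT (-1)   /* hypothetical error code used only in this example */

/* Pattern described in the advisory (kept as a comment, not compiled):
 *     uint8_t padded_tag[16];
 *     memcpy(padded_tag, tag, tag_len);    // tag_len never compared with 16
 */

/* Hardened form: reject bad lengths before any copy, then zero-pad the rest. */
int ex_load_padded_tag(uint8_t padded_tag[GCM_TAG_MAX],
                       const uint8_t *tag, size_t tag_len)
{
    if (padded_tag == NULL || (tag == NULL && tag_len != 0))
        return EX_ERR_BAD_INPUT;
    if (tag_len > GCM_TAG_MAX)      /* the check whose absence causes the overflow */
        return EX_ERR_BAD_INPUT;

    memset(padded_tag, 0, GCM_TAG_MAX);
    if (tag_len != 0)
        memcpy(padded_tag, tag, tag_len);
    return 0;
}

/* Hypothetical caller: the stack buffer is only written through the checked helper. */
int ex_gcm_tag_stage(const uint8_t *tag, size_t tag_len, uint8_t out[GCM_TAG_MAX])
{
    uint8_t padded_tag[GCM_TAG_MAX];
    int ret = ex_load_padded_tag(padded_tag, tag, tag_len);

    if (ret != 0)
        return ret;                 /* fail closed; nothing was copied */
    memcpy(out, padded_tag, GCM_TAG_MAX);
    return 0;
}
```

Because tag_len is a size_t, the single unsigned comparison also rejects values produced by a negative length cast at the call site.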
