CVE-2024-5660 Overview
CVE-2024-5660 is a critical hardware vulnerability affecting multiple ARM Cortex and Neoverse processor families. The vulnerability exists in the Hardware Page Aggregation (HPA) feature when combined with Stage-1 and/or Stage-2 translation mechanisms. This flaw may permit unauthorized bypass of Stage-2 translation and/or Granule Protection Table (GPT) protection, potentially undermining hypervisor-level isolation and confidential computing protections.
This vulnerability is particularly concerning for cloud infrastructure, virtualization environments, and systems relying on ARM's Realm Management Extension (RME) architecture for confidential computing workloads. The bypass of Stage-2 translation could allow a malicious guest VM to access memory regions belonging to other VMs or the hypervisor itself.
Critical Impact
Attackers may bypass Stage-2 memory translation and GPT protections, potentially compromising hypervisor isolation and confidential computing boundaries across affected ARM processors used in data centers and mobile devices.
Affected Products
- ARM Cortex-A77, Cortex-A78, Cortex-A78C, Cortex-A78AE, Cortex-A710
- ARM Cortex-X1, Cortex-X1C, Cortex-X2, Cortex-X3, Cortex-X4, Cortex-X925
- ARM Neoverse V1, Neoverse V2, Neoverse V3, Neoverse V3AE, Neoverse N2
- Associated firmware for all listed processor families
Discovery Timeline
- December 10, 2024 - CVE-2024-5660 published to NVD
- January 5, 2026 - Last updated in NVD database
Technical Details for CVE-2024-5660
Vulnerability Analysis
This vulnerability (CWE-668: Exposure of Resource to Wrong Sphere) occurs within the Hardware Page Aggregation (HPA) mechanism of affected ARM processors. HPA is a performance optimization feature that allows the memory management unit (MMU) to combine multiple adjacent page table entries into a single larger translation. However, when HPA interacts with Stage-2 translation—the mechanism hypervisors use to enforce memory isolation between virtual machines—a security boundary violation can occur.
In ARM's virtualization architecture, Stage-1 translation is controlled by the guest operating system, while Stage-2 translation is managed by the hypervisor to enforce isolation. GPT protection is part of ARM's Realm Management Extension, designed for confidential computing scenarios. The vulnerability allows these critical isolation mechanisms to be bypassed, potentially exposing protected memory regions.
Root Cause
The root cause lies in how the HPA feature processes translation table entries when both Stage-1 and Stage-2 translations are active. Under specific conditions, the hardware incorrectly aggregates page table entries in a manner that circumvents the Stage-2 translation checks or GPT protection enforcement. This represents a fundamental hardware design flaw in the memory management unit's handling of nested translation scenarios with HPA enabled.
Attack Vector
Exploitation of this vulnerability requires an attacker to have code execution capabilities within a guest virtual machine or a lower-privilege execution context on affected systems. The attacker would need to craft specific memory access patterns or page table configurations that trigger the erroneous HPA aggregation behavior.
The attack mechanism involves:
- Creating memory mappings with specific alignment and attributes that trigger HPA optimization
- Exploiting the timing or sequence of Stage-1/Stage-2 translation lookups
- Accessing memory regions that should be protected by Stage-2 translation or GPT
- Reading or modifying data belonging to other security domains (VMs, realms, or hypervisor)
Since no verified code examples are available, organizations should consult the ARM Security Center advisory for technical implementation details regarding detection and mitigation approaches.
Detection Methods for CVE-2024-5660
Indicators of Compromise
- Unusual memory access patterns from guest VMs targeting hypervisor or other VM memory regions
- Unexpected page table configurations with specific alignment characteristics designed to trigger HPA
- Guest VM attempts to access memory addresses outside allocated ranges
- Anomalous behavior in confidential computing workloads or realm-protected applications
Detection Strategies
- Monitor hypervisor logs for Stage-2 translation faults or unexpected memory access violations
- Implement hardware inventory auditing to identify systems running affected ARM processor families
- Deploy firmware version tracking to identify systems with unpatched processor microcode
- Enable hypervisor memory access tracing for critical workloads to detect boundary violation attempts
Monitoring Recommendations
- Audit system firmware versions across ARM-based infrastructure using automated inventory tools
- Monitor for security updates from ARM, silicon vendors, and hypervisor providers addressing this vulnerability
- Track cloud provider advisories if running workloads on ARM-based cloud instances (AWS Graviton, Azure Arm, Google Tau T2A)
- Implement anomaly detection for unexpected inter-VM memory access patterns in virtualized environments
How to Mitigate CVE-2024-5660
Immediate Actions Required
- Review your infrastructure inventory to identify systems using affected ARM Cortex or Neoverse processors
- Apply firmware and microcode updates from ARM and relevant silicon partners as they become available
- Consult hypervisor vendors (KVM, Xen, VMware, Hyper-V) for software mitigations specific to their platforms
- Consider disabling the HPA feature via firmware configuration where operationally feasible until patches are available
- Prioritize patching systems hosting confidential computing workloads or multi-tenant virtualized environments
Patch Information
ARM has published a security advisory addressing this vulnerability. Organizations should apply firmware updates as they become available from ARM and downstream silicon partners. The ARM Security Center CVE-2024-5660 advisory provides authoritative guidance on available mitigations and firmware update information.
System administrators should work with their hardware vendors (Qualcomm, MediaTek, Samsung, Ampere, etc.) who incorporate these ARM designs into their SoCs, as firmware updates will be distributed through vendor-specific channels.
Workarounds
- Disable Hardware Page Aggregation (HPA) at the firmware level if supported by your platform
- Implement additional hypervisor-level memory isolation checks as a defense-in-depth measure
- Isolate sensitive workloads to systems with unaffected processor generations where possible
- Apply enhanced monitoring for systems that cannot be immediately patched
# Check if system uses affected ARM processor (prints each distinct part number once)
grep -i "CPU part" /proc/cpuinfo | sort -u
# Cross-reference CPU part numbers with affected processor list
# Verify current firmware version on Linux systems (requires root)
sudo dmidecode -t bios | grep -i version
# Read the raw MIDR_EL1 value of cpu0 (implementer, part number, revision) on arm64 Linux
cat /sys/devices/system/cpu/cpu0/regs/identification/midr_el1
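An added example, not part of the original advisory: a shell check that decodes MIDR_EL1 for every core rather than only cpu0, since heterogeneous SoCs pair listed big cores with little cores that are not on the list. The part numbers are Arm's public assignments as they appear in the Linux kernel's cputype.h, and the function names are hypothetical; a match means the core family is on the affected list above, not that the firmware is unpatched.

```shell
#!/bin/sh
# Added example: map MIDR_EL1 values to the processor families listed on this page.
# Part numbers: Arm's public assignments (see Linux arch/arm64/include/asm/cputype.h).

# Print the core name and return 0 if the MIDR is a listed family, else return 1.
midr_affected() {
    midr=$(( $1 ))
    impl=$(( (midr >> 24) & 0xff ))   # MIDR_EL1[31:24]: implementer, 0x41 = Arm
    part=$(( (midr >> 4) & 0xfff ))   # MIDR_EL1[15:4]: primary part number
    [ "$impl" -eq 65 ] || return 1    # part numbers are implementer-specific
    case $(printf '0x%03x' "$part") in
        0xd0d) echo "Cortex-A77" ;;
        0xd41) echo "Cortex-A78" ;;
        0xd4b) echo "Cortex-A78C" ;;
        0xd42) echo "Cortex-A78AE" ;;
        0xd47) echo "Cortex-A710" ;;
        0xd44) echo "Cortex-X1" ;;
        0xd4c) echo "Cortex-X1C" ;;
        0xd48) echo "Cortex-X2" ;;
        0xd4e) echo "Cortex-X3" ;;
        0xd82) echo "Cortex-X4" ;;
        0xd85) echo "Cortex-X925" ;;
        0xd40) echo "Neoverse V1" ;;
        0xd4f) echo "Neoverse V2" ;;
        0xd84) echo "Neoverse V3" ;;
        0xd83) echo "Neoverse V3AE" ;;
        0xd49) echo "Neoverse N2" ;;
        *) return 1 ;;
    esac
}

# Check every core: on big.LITTLE parts cpu0 is often a little core that is not listed.
# $1 overrides the sysfs root (assumption: used only for testing against a copy).
scan_cpus() {
    root=${1:-/sys/devices/system/cpu}
    found=1
    for f in "$root"/cpu[0-9]*/regs/identification/midr_el1; do
        [ -r "$f" ] || continue
        cpu=${f#"$root"/}
        if name=$(midr_affected "$(cat "$f")"); then
            echo "${cpu%%/*}: $name (listed for CVE-2024-5660)"
            found=0
        fi
    done
    return "$found"
}

scan_cpus || echo "no listed Arm cores found"
```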


