CWE-1274: Improper Access Control for Volatile Memory Containing Boot Code
The product conducts a secure-boot process that transfers bootloader code from Non-Volatile Memory (NVM) into Volatile Memory (VM), but it does not have sufficient access control or other protections for the Volatile Memory.
Last updated
Overview
Adversaries could bypass the secure-boot process and execute their own untrusted, malicious boot code. As a part of a secure-boot process, the read-only-memory (ROM) code for a System-on-Chip (SoC) or other system fetches bootloader code from Non-Volatile Memory (NVM) and stores the code in Volatile Memory (VM), such as dynamic, random-access memory (DRAM) or static, random-access memory (SRAM). The NVM is usually external to the SoC, while the VM is internal to the SoC. As the code is transferred from NVM to VM, it is authenticated by the SoC's ROM code.
Real-world CVEs
9 recorded CVEs are caused by CWE-1274 (Improper Access Control for Volatile Memory Containing Boot Code). The highest-severity and most recent are shown first. 3 new CWE-1274 CVEs have been recorded so far in 2026 (4 in 2025).
- CVE-2022-2482High · CVSS 8.8 · EPSS 11th2023-01-06
- CVE-2022-2484High · CVSS 8.4 · EPSS 12th2023-01-06
- CVE-2025-59404High · CVSS 7.5 · EPSS 32th2025-09-25
- CVE-2023-31345High · CVSS 7.5 · EPSS 8th2025-02-11
- CVE-2025-29950High · CVSS 7.1 · EPSS 4th2026-02-10
- CVE-2025-59694Medium · CVSS 6.8 · EPSS 18th2025-12-02
- CVE-2025-65396Medium · CVSS 6.1 · EPSS 8th2026-01-14
- CVE-2025-4043
Milesight UG65-868M-EA Improper Access Control for Volatile Memory Containing Boot Code
Medium · CVSS 6.1 · EPSS 21th2025-05-07 - CVE-2024-36345Medium · CVSS 4.6 · EPSS 1th2026-05-15
Common consequences
What can happen when CWE-1274 is exploited.
Modify Memory, Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity
Affects: Access Control, Integrity
If the volatile-memory-region protections or access controls are insufficient to prevent modifications from an adversary or untrusted agent, the secure boot may be bypassed or replaced with the execution of an adversary's code.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to prevent it
Practical mitigations for CWE-1274, grouped by where in the lifecycle they apply.
Ensure that the design of volatile-memory protections is enough to prevent modification from an adversary or untrusted code.
Test the volatile-memory protections to ensure they are safe from modification or untrusted code.
How to detect it
Manual Analysis
Ensure the volatile memory is lockable or has locks. Ensure the volatile memory is locked for writes from untrusted agents or adversaries. Try modifying the volatile memory from an untrusted agent, and ensure these writes are dropped.
Effectiveness: High
Manual Analysis
Analyze the device using the following steps:
Only trusted masters should be allowed to write to the memory regions. For example, pluggable device peripherals should not have write access to program load memory regions.
Effectiveness: Moderate
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
A typical SoC secure boot's flow includes fetching the next piece of code (i.e., the boot loader) from NVM (e.g., serial, peripheral interface (SPI) flash), and transferring it to DRAM/SRAM volatile, internal memory, which is more efficient.
The memory from where the boot loader executes can be modified by an adversary.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2019-2267 — Locked memory regions may be modified through other interfaces in a secure-boot-loader image due to improper access control.
Attack patterns
CAPEC attack patterns that exploit this weakness.
Frequently asked questions
Common questions about CWE-1274.
- What is CWE-1274?
- The product conducts a secure-boot process that transfers bootloader code from Non-Volatile Memory (NVM) into Volatile Memory (VM), but it does not have sufficient access control or other protections for the Volatile Memory.
- What CVEs are caused by CWE-1274?
- 9 recorded CVEs are attributed to CWE-1274, including CVE-2022-2482, CVE-2022-2484, CVE-2025-59404.
- How do you prevent CWE-1274?
- Ensure that the design of volatile-memory protections is enough to prevent modification from an adversary or untrusted code.
- How is CWE-1274 detected?
- Manual Analysis: Ensure the volatile memory is lockable or has locks. Ensure the volatile memory is locked for writes from untrusted agents or adversaries. Try modifying the volatile memory from an untrusted agent, and ensure these writes are dropped.
- What are the consequences of CWE-1274?
- Exploiting CWE-1274 can lead to: Modify Memory, Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity.
- Is CWE-1274 actively exploited?
- 9 recorded CVEs are caused by CWE-1274; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-1274) (opens in a new tab)
- CWE-1274 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-1274
Get alerted the moment a new CWE-1274 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.