CWE-1310: Missing Ability to Patch ROM Code
Missing an ability to patch ROM code may leave a System or System-on-Chip (SoC) in a vulnerable state.
Last updated
Overview
A System or System-on-Chip (SoC) that implements a boot process utilizing security mechanisms such as Root-of-Trust (RoT) typically starts by executing code from a Read-only-Memory (ROM) component. The code in ROM is immutable, hence any security vulnerabilities discovered in the ROM code can never be fixed for the systems that are already in use. A common weakness is that the ROM does not have the ability to patch if security vulnerabilities are uncovered after the system gets shipped. This leaves the system in a vulnerable state where an adversary can compromise the SoC.
Real-world CVEs
1 recorded CVEs are caused by CWE-1310 (Missing Ability to Patch ROM Code). The highest-severity and most recent are shown first. 0 new CWE-1310 CVEs have been recorded so far in 2026 (1 in 2025).
Common consequences
What can happen when CWE-1310 is exploited.
Varies by Context, Reduce Maintainability
Affects: Other
When the system is unable to be patched, it can be left in a vulnerable state.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.