CWE-1314: Missing Write Protection for Parametric Data Values
The device does not write-protect the parametric data values for sensors that scale the sensor value, allowing untrusted software to manipulate the apparent result and potentially damage hardware or cause operational failure.
Last updated
Overview
Various sensors are used by hardware to detect any devices operating outside of the design limits. The threshold limit values are set by hardware fuses or trusted software such as the BIOS. These limits may be related to thermal, power, voltage, current, and frequency. Hardware mechanisms may be used to protect against alteration of the threshold limit values by untrusted software. The limit values are generally programmed in standard units for the type of value being read. However, the hardware-sensor blocks may report the settings in different units depending upon sensor design and operation. The raw sensor output value is converted to the desired units using a scale conversion based on the parametric data programmed into the sensor. The final converted value is then compared with the previously programmed limits. While the limit values are usually protected, the sensor parametric data values may not be. By changing the parametric data, safe operational limits may be bypassed.
Real-world CVEs
1 recorded CVEs are caused by CWE-1314 (Missing Write Protection for Parametric Data Values). The highest-severity and most recent are shown first. 1 new CWE-1314 CVE has been recorded so far in 2026.
Common consequences
What can happen when CWE-1314 is exploited.
Quality Degradation, DoS: Resource Consumption (Other)
Affects: Availability
Sensor value manipulation, particularly thermal or power, may allow physical damage to occur or disabling of the device by a false fault shutdown causing a Denial-Of-Service.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Technologies
How to prevent it
Practical mitigations for CWE-1314, grouped by where in the lifecycle they apply.
Access controls for sensor blocks should ensure that only trusted software is allowed to change threshold limits and sensor parametric data.
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
Malicious software executes instructions to increase power consumption to the highest possible level while causing the clock frequency to increase to its maximum value. Such a program executing for an extended period of time would likely overheat the device, possibly resulting in permanent damage to the device.
A ring, oscillator-based temperature sensor will generally report the sensed value as oscillator frequency rather than degrees centigrade. The temperature sensor will have calibration values that are used to convert the detected frequency into the corresponding temperature in degrees centigrade.
Consider a SoC design where the critical maximum temperature limit is set in fuse values to 100C and is not modifiable by software. If the scaled thermal sensor output equals or exceeds this limit, the system is commanded to shut itself down.
The thermal sensor calibration values are programmable through registers that are exposed to system software. These registers allow software to affect the converted temperature output such that the output will never exceed the maximum temperature limit.
Vulnerable example
Sensed Temp = a + b * Sensor FreqSafe example
Sensed Temp = a + b * Sensor FreqThis weakness may be addressed by preventing access to a and b.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2017-8252 — Kernel can inject faults in computations during the execution of TrustZone leading to information disclosure in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice and Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking.
Attack patterns
CAPEC attack patterns that exploit this weakness.
Frequently asked questions
Common questions about CWE-1314.
- What is CWE-1314?
- The device does not write-protect the parametric data values for sensors that scale the sensor value, allowing untrusted software to manipulate the apparent result and potentially damage hardware or cause operational failure.
- What CVEs are caused by CWE-1314?
- 1 recorded CVEs are attributed to CWE-1314, including CVE-2026-40188.
- How do you prevent CWE-1314?
- Access controls for sensor blocks should ensure that only trusted software is allowed to change threshold limits and sensor parametric data.
- What are the consequences of CWE-1314?
- Exploiting CWE-1314 can lead to: Quality Degradation, DoS: Resource Consumption (Other).
- Is CWE-1314 actively exploited?
- 1 recorded CVEs are caused by CWE-1314; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-1314) (opens in a new tab)
- CWE-1314 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-1314
Get alerted the moment a new CWE-1314 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.