Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to vulnerabilities
Critical

Privilege escalation in Arm CPUs due to TLBI completion erratum

IdentifiersCVE-2025-10263CWE-269

CVE-2025-10263 is a hardware vulnerability affecting multiple Arm CPU families, including Arm C1-Ultra, C1-Premium, Neoverse V3/V3AE, V2, V1, N2, N1, Cortex-X925, Cortex-X4/X3/X2/X1/X1C, Cortex-A710, Cortex-A78/A78AE/A78C, Cortex-A77, Cortex-A76/A76AE, and NVIDIA Olympus. The issue is an Arm TLBI-related erratum in which completion of affected memory accesses is not guaranteed by completion of a Translation Lookaside Buffer Invalidate (TLBI) sequence and associated DSB. Under specific timing and multi-processing conditions, a broadcast TLBI;DSB sequence can complete before writes translated by an affected TLB entry are globally observed. This can leave a transient window where stale translation or permission state is effectively still usable, allowing software to write to memory after page-table or stage-2 permissions have been changed to forbid writes. Arm describes the consequence as possible writes to resources owned by a higher exception level; Xen further notes possible bypass of Stage 1 translation, Stage 2 translation, or GPT protection.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can permit unauthorized writes across privilege boundaries, potentially enabling privilege escalation to a higher exception level. In virtualized Arm environments, Xen states a malicious guest may be able to write to memory after Stage 2 permissions have been revoked and escalate privileges to the hypervisor. More generally, the flaw undermines memory isolation and translation-permission enforcement, with high confidentiality and integrity impact. The provided context reports CVSS v3.1 9.1.

Mitigation

If you can’t patch tonight, do this now.

Where patches are not yet applied, reduce exposure by prioritizing updates on affected Arm multi-core systems, especially virtualization hosts running Xen on Arm. For Xen, the advisory states there is no known workaround short of applying the provided patches. FreeBSD advisory context states no workaround is available. Operationally, limit untrusted guest or low-privilege code execution on affected systems until fixes are deployed.

Remediation

Patch, then assume compromise.

Apply vendor fixes for affected platforms. Arm states software performing TLB invalidation for Stage 1 or Stage 1+Stage 2 information must perform an additional TLBI and DSB sequence, with the exact sequence documented in CPU-specific errata. Apply updated Linux kernel, Xen, Trusted Firmware-A, firmware, BIOS, microcode, or platform packages from the relevant vendor or OS distributor. Examples in the provided context include Linux arm64 mitigations using ARM64_WORKAROUND_REPEAT_TLBI, Xen patches for XSA-493 on supported stable branches, FreeBSD updates on corrected branches, and vendor firmware/platform updates for affected implementations including NVIDIA Olympus.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
ArmA76Ahardware
ArmA78Aehardware
ArmA78Chardware
ArmC1-Premiumhardware
ArmC1-Ultrahardware
ArmCortex-A710hardware
ArmCortex-A76hardware
ArmCortex-A77hardware
ArmCortex-A78hardware
ArmCortex-X1hardware
ArmCortex-X1chardware
ArmCortex-X2hardware
ArmCortex-X3hardware
ArmCortex-X4hardware
ArmCortex-X925hardware
ArmNeoverse N1hardware
ArmNeoverse N2hardware
ArmNeoverse-V1hardware
ArmNeoverse-V2hardware
ArmNeoverse-V3hardware
ArmNeoverse-V3aehardware
FreebsdFreebsdapplication
Microsoft CorporationWindowsoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

49 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

49 SOURCESView more in app
+13 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity31

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-10263
NVD
nvd.nist.gov/vuln/detail/CVE-2025-10263
MITRE CWE · CWE-269
cwe.mitre.org
openwall.com
openwall.com/lists/oss-security/2026/06/09/13
xenbits.xen.org
xenbits.xen.org/xsa/advisory-493.html
developer.arm.com
developer.arm.com/documentation/112137