CVE-2025-25050
An out-of-bounds write vulnerability exists in the cv_upgrade_sensor_firmware functionality of Dell ControlVault3 5.14.3.0. A specially crafted ControlVault API call can lead to an out-of-bounds write. An attacker can issue an API call to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Broadcom BCM5820X
Dell ControlVault3 5.14.3.0
Dell ControlVault3 Driver and Firmware prior to 5.15.10.14
Dell ControlVault3 Plus Driver and Firmware prior to 6.2.26.36
ControlVault3 - https://dell.com/
BCM5820X - https://www.broadcom.com/products/embedded-and-networking-processors/secure/bcm5820x
8.7 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H
CWE-787 - Out-of-bounds Write
Dell ControlVault is a hardware-based solution that can securely store passwords, biometric templates and security codes. It can interface with smart cards, Near-field Communication (NFC) devices and fingerprint readers. The hardware solution is based on the Broadcom BCM5820X chip series.
On Windows, any low-privilege user can interface with the ControlVault3 hardware. To do so, the userland DLL bcmbipdll.dll can be used to talk to the device driver cvusbdrv.sys, which in turn talks over USB to the ARM firmware running on the BCM5820X chip that implements the secure context. First, a session needs to be created by calling the cv_open function, which returns a pointer to a session object. This session object lives in a dedicated heap of the ARM firmware.
Firmware side, the cv_upgrade_sensor_firmware function takes encrypted chunks of data, decrypts them using hardcoded keys, and stores the result in global memory that is also used for the so-called “Large Heap” associated with the fingerprint reader. The purpose of this function is to update the firmware of the fingerprint reader.
DECRYPT_CHUNK:
    log_stuff("Decrypting chunk\n");
    // destination = start of the fingerprint "Large Heap" + bytes written so far;
    // nothing checks that firmwareChunkLength fits in the remaining region
    chunk_dst = (globals->CV_VOLATILE_DATA->fpc_fw_cur_size + get_fpc_LargeHeap());
    if ( cv_sensorfw_decrypt(UNUSED_ARG(), firmwareChunk, firmwareChunkLength, chunk_dst, bLastChunk, &v21) )
    {
        log_stuff("cv_sensorfw_decrypt failed with error %d\n");
        return 14;
    }
    if ( !bLastChunk )
    {
        v20 = 0;
        log_stuff("Decrypted %d bytes to 0x%08x\n", firmwareChunkLength, chunk_dst);
        // the running offset grows by the caller-supplied length, without any upper bound
        globals->CV_VOLATILE_DATA->fpc_fw_cur_size += firmwareChunkLength;
        return v20;
    }
    log_stuff("Decrypted %d bytes (last chunk) to 0x%08x\n", v21, chunk_dst);
    // last chunk: v21 is the decrypted length reported by cv_sensorfw_decrypt
    globals->CV_VOLATILE_DATA->fpc_fw_cur_size += v21;
}
The code used for upgrading the sensor firmware uses the same memory area as the one used for handling some of the data pertaining to the fingerprint reader. The code lacks any bound check to prevent too much data from being sent. Furthermore, at the edge of the last mapped memory region, pointers are stored that define the so-called open_volatile_mem region, which is then used to store related volatile data and other buffers. It appears that the firmware crashes before being able to overwrite this pointer, but the mechanism causing this is unclear (our working assumption is that the crypto processor is trying to cache memory beyond the provided buffer, which happened to be unmapped in our case). Regardless, potentially overwriting data within a heap allocation and hitting unmapped memory are signs that an attacker might be able to leverage these bugs for nefarious purposes (beyond triggering a crash).
The provided proof of concept will only cause a crash of the firmware, but it is possible that other firmware revisions with different memory mappings or other attack methods could lead to overwriting critical parts of the memory and lead to further memory corruption and arbitrary code execution.
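The following is an added illustration of the missing check, not code from the firmware or from Talos: it models the chunk-append logic of the DECRYPT_CHUNK path against a fixed-size stand-in for the Large Heap and performs the bound check before any decrypted byte is written. The region size, the error code CV_ERR_TOO_LARGE and the decrypt stub are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of the firmware state: a fixed-size "Large Heap" region
 * and the running offset fpc_fw_cur_size that the advisory's snippet advances
 * after every decrypted chunk. The sizes are assumptions, not the real layout. */
#define FPC_LARGE_HEAP_SIZE 64u
#define CV_ERR_DECRYPT   14   /* error code used by the firmware snippet */
#define CV_ERR_TOO_LARGE 15   /* hypothetical error code for the added check */

static uint8_t  fpc_large_heap[FPC_LARGE_HEAP_SIZE];
static uint32_t fpc_fw_cur_size;

void fpc_reset(void)
{
    memset(fpc_large_heap, 0, sizeof fpc_large_heap);
    fpc_fw_cur_size = 0;
}

/* Stand-in for cv_sensorfw_decrypt (assumption): copies the chunk and, for the
 * last chunk, strips one trailing pad byte so the reported decrypted length
 * (v21 in the advisory) can be smaller than the input length. 0 = success. */
static int sensorfw_decrypt_stub(const uint8_t *in, uint32_t in_len,
                                 uint8_t *out, int last, uint32_t *out_len)
{
    if (last && in_len == 0) return 1;
    uint32_t n = last ? in_len - 1 : in_len;
    memcpy(out, in, n);
    *out_len = n;
    return 0;
}

/* Hardened DECRYPT_CHUNK: the bound check the original lacks runs before the
 * decrypt touches the Large Heap. It is written as len > (cap - cur) rather
 * than cur + len > cap so a large len cannot wrap the 32-bit addition. */
int cv_store_fw_chunk(const uint8_t *chunk, uint32_t chunk_len, int last)
{
    if (chunk_len > FPC_LARGE_HEAP_SIZE - fpc_fw_cur_size)
        return CV_ERR_TOO_LARGE;          /* rejected; fpc_fw_cur_size unchanged */

    uint8_t *dst = fpc_large_heap + fpc_fw_cur_size;
    uint32_t written = 0;
    if (sensorfw_decrypt_stub(chunk, chunk_len, dst, last, &written) != 0)
        return CV_ERR_DECRYPT;
    /* the decrypted length never exceeds chunk_len, so the offset stays in bounds */
    fpc_fw_cur_size += written;
    return 0;
}

uint32_t fpc_cur_size(void) { return fpc_fw_cur_size; }
```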
Vendor advisory: https://www.dell.com/support/kbdoc/en-us/000276106/dsa-2025-053
2025-01-28 - Vendor Disclosure
2025-06-13 - Vendor Patch Release
2025-08-09 - Public Release
Discovered by Philippe Laulheret of Cisco Talos.