CVE-2021-27562 — Arm Trusted Firmware

Arm Trusted Firmware Out-of-Bounds Write Vulnerability

Added to KEV

2021-11-03

Federal due date

2021-11-17

Vendor

Arm

Product

Trusted Firmware

EPSS

93.5th percentile (score 0.109, as of 2026-06-08)

NVD CVSS v3.1

5.5 (MEDIUM)

Ransomware use

Unknown

Upstream

https://nvd.nist.gov/vuln/detail/CVE-2021-27562

CISA short description

Arm Trusted Firmware contains an out-of-bounds write vulnerability allowing the non-secure (NS) world to trigger a system halt, overwrite secure data, or print out secure data when calling secure functions under the non-secure processing environment (NSPE) handler mode. This vulnerability affects Yealink Device Management servers.

Required action

Apply updates per vendor instructions.

NVD description

In Arm Trusted Firmware M through 1.2, the NS world may trigger a system halt, an overwrite of secure data, or the printing out of secure data when calling secure functions under the NSPE handler mode.

EPSS percentile is the FIRST.org exploit-probability ranking as of the date noted above; it moves daily. CVSS reflects NVD's analysis at time of publication.