CVE-2026-5818 MCU Firmware Update Authentication Bypass on Caliptra Core

🗓️ 23 Jun 2026 23:50:06Reported by CaliptraType

CVE-2026-5818 enables Core firmware bypass during hitless updates due to faulty return check.

Reporter	Title	Published	Views	Family All 5
ATTACKERKB	CVE-2026-5818	23 Jun 202623:50	–	attackerkb
CVE	CVE-2026-5818	23 Jun 202623:50	–	cve
EUVD	EUVD-2026-38638	23 Jun 202623:50	–	euvd
NVD	CVE-2026-5818	24 Jun 202600:16	–	nvd
Positive Technologies	PT-2026-51609	23 Jun 202600:00	–	ptsecurity

[
  {
    "vendor": "Caliptra",
    "product": "Core Runtime Firmware",
    "collectionURL": "https://github.com/chipsalliance/caliptra-sw",
    "packageName": "Core Runtime Firmware",
    "modules": [
      "ActivateFirmwareCmd::activate_fw"
    ],
    "versions": [
      {
        "status": "affected",
        "version": "2.0.0",
        "lessThanOrEqual": "2.0.1",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "2.1.0",
        "versionType": "semver"
      },
      {
        "status": "unaffected",
        "version": "2.0.2",
        "versionType": "semver"
      },
      {
        "status": "unaffected",
        "version": "2.1.1",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
github	www.github.com/chipsalliance/caliptra-sw/security/advisories/GHSA-456r-gcjr-6rxq

23 Jun 2026 23:50Current

CVSS 47.2

CWE-253