Mitigating security vulnerability CVE-2020-16273

Technical Note 201016






10/16/2020 6:12 PM


A potential security vulnerability has been discovered relating to the management of secure stacks on Arm v8-M devices with security extensions, known as TrustZone.

This is not a hardware issue and Arm has devised a simple software solution.

This document describes how IAR Systems is addressing the issue and what a developer can do to mitigate the issue.


For a description of the issue, see CVE-2020-16237 and Arm Security Advisory Note.

Future releases of IAR Embedded Workbench for Arm will have updated startup files for all Cortex-M devices and also for devices without TrustZone. A developer using non-standard or legacy startup files can update the startup with the following short preamble to the startup:

movw r0, #0xeda5
movt r0, #0xfef5
mov r1, r0
push {r0, r1}
mov r0, sp
msr PSP, r0


With the recommended solution in this document, the secure stacks will be sealed against secure stack underflows.


All product names are trademarks or registered trademarks of their respective owners.

We do no longer support Internet Explorer. To get the best experience of, we recommend upgrading to a modern browser such as Chrome or Edge.