A critical security vulnerability, tracked as CVE-2025-10263, was publicly disclosed on June 9, 2026, affecting a wide range of Arm CPU cores spanning multiple generations — from current high-performance server designs down to several earlier mobile and client cores. Although the CVE number was assigned in 2025, Arm withheld public disclosure until now.

Security Summary

CVE-2025-10263 allows local privilege escalation by exploiting a timing condition during memory permission changes. Specifically, the completion of affected memory accesses is not strictly guaranteed by the completion of a TLB invalidation (TLBI) operation, enabling potential unauthorized writes to resources owned by a higher exception level.

Root Cause

The vulnerability is rooted in a subtle architectural behavior: under certain conditions involving a TLB Invalidation (TLBI) operation, memory accesses that should be complete before a permission change takes effect may not have actually finished. This gap creates a window in which an attacker can write to resources that belong to a higher privilege level — providing a local privilege escalation path.

Arm’s security bulletin describes the issue in detail. The key consequence is that software performing TLB invalidation operations cannot rely solely on the TLBI completion signal to guarantee that all affected memory accesses have concluded.

Affected CPU Cores

The scope of affected hardware is broad, covering Arm’s latest server and data-center-class cores as well as numerous generations of high-performance mobile and client designs.

Latest Generation: C1-Ultra, C1-Premium
Neoverse (Server / Data Center): Neoverse V3, Neoverse V3AE, Neoverse V2, Neoverse V1, Neoverse N2, Neoverse N1
Cortex-X (High-Performance Mobile / Client): Cortex-X925, Cortex-X4, Cortex-X3, Cortex-X2, Cortex-X1, Cortex-X1C
Cortex-A (Performance Mobile / Client): Cortex-A710, Cortex-A78, Cortex-A78AE, Cortex-A78C, Cortex-A77, Cortex-A76, Cortex-A76AE
NVIDIA (Third-Party Confirmation): Olympus (NVIDIA Vera CPU)

Software Mitigation

Arm has documented a software-level workaround in its security bulletin. The prescribed fix is straightforward: any software performing a TLB invalidation that applies to stage 1, or stage 1 and stage 2, page table information must follow that TLBI with an additional TLBI paired with a DSB (Data Synchronization Barrier). This ensures that all relevant memory accesses are fully completed before any permission change takes effect, closing the window the vulnerability exploits.

Required mitigation pattern (per Arm bulletin), for TLBI operations on stage 1 (or stage 1 + stage 2):

1. Perform the initial TLBI
2. Issue an additional TLBI
3. Follow with a DSB

This ensures affected memory accesses complete before any permission change is observable.

Linux Kernel Response

The Linux community responded on the same day as the public disclosure. Arm engineers submitted a patch series to the Linux kernel mailing list, adjusting relevant code paths to ensure that the required TLBI and DSB instructions are inserted at all points in the kernel where TLB invalidations are performed under affected conditions. The patch series was submitted to the mainline kernel and is expected to flow down to users through stable-kernel updates and distribution security releases.

Separately, NVIDIA submitted its own follow-up patch to the Linux kernel mailing list, confirming that the Olympus core — used in NVIDIA’s next-generation Vera CPU — exhibits the same issue. NVIDIA’s patch implements the same upstream mitigation, aligning the Olympus-specific code paths with the general Arm fix.

NVIDIA Vera Affected

The confirmation that NVIDIA’s Olympus core is vulnerable extends the impact beyond Arm’s own IP. The Vera CPU, built around the Olympus core and aimed at the AI infrastructure and HPC market, will require the same kernel mitigations as mainstream Arm server hardware. NVIDIA’s patch submission indicates the company is actively tracking the upstream fix and has already introduced corresponding mitigations.

Practical Risk and Recommended Actions

Because the vulnerability enables writes to higher-privilege resources under specific timing conditions, it provides a theoretical local privilege escalation path — justifying its “critical” severity rating. As of this writing, no large-scale exploitation has been publicly reported, and the industry focus is on completing kernel and system-software mitigations before any attack tooling emerges.

For Linux users and system administrators, the most urgent action is to monitor kernel update channels from major distributions — including Debian, Ubuntu, Fedora, RHEL, and others — and deploy patched kernels as soon as they become available. Cloud service providers, data center operators, and device manufacturers running affected Arm platforms should also audit their hardware configurations and workloads against Arm’s published bulletin, and track the mitigation guidance released by both Arm and the Linux kernel community.
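
For the hardware audit recommended above, the following added example (not from Arm, NVIDIA or the kernel patches) parses the "CPU implementer" and "CPU part" fields of an arm64 /proc/cpuinfo and counts logical CPUs whose core type appears in the affected list. The part numbers are public MIDR_EL1 values that do not appear on this page and are an assumption to verify against Arm's bulletin; C1-Ultra, C1-Premium and NVIDIA Olympus are omitted because their identifiers are not given here.

```python
import re
from collections import Counter

ARM_IMPLEMENTER = 0x41  # MIDR_EL1 implementer code for Arm Ltd.

# MIDR_EL1 part numbers for Arm cores named in the affected list above.
# Assumption: these IDs are not on the page; check them against Arm's bulletin.
# C1-Ultra, C1-Premium and NVIDIA Olympus are left out (IDs not given here).
AFFECTED_ARM_PARTS = {
    0xD0B: "Cortex-A76", 0xD0C: "Neoverse N1", 0xD0D: "Cortex-A77",
    0xD0E: "Cortex-A76AE", 0xD40: "Neoverse V1", 0xD41: "Cortex-A78",
    0xD42: "Cortex-A78AE", 0xD44: "Cortex-X1", 0xD47: "Cortex-A710",
    0xD48: "Cortex-X2", 0xD49: "Neoverse N2", 0xD4B: "Cortex-A78C",
    0xD4C: "Cortex-X1C", 0xD4E: "Cortex-X3", 0xD4F: "Neoverse V2",
    0xD82: "Cortex-X4", 0xD83: "Neoverse V3AE", 0xD84: "Neoverse V3",
    0xD85: "Cortex-X925",
}

def parse_cpuinfo(text):
    """Yield (implementer, part) for every logical CPU block in arm64 cpuinfo."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "CPU implementer" in fields and "CPU part" in fields:
            yield int(fields["CPU implementer"], 16), int(fields["CPU part"], 16)

def audit(text):
    """Count logical CPUs per affected core type; empty Counter if none match."""
    hits = Counter()
    for implementer, part in parse_cpuinfo(text):
        if implementer == ARM_IMPLEMENTER and part in AFFECTED_ARM_PARTS:
            hits[AFFECTED_ARM_PARTS[part]] += 1
    return hits

# Constructed sample: two Cortex-A55 (0xd05, not listed), one A78, one X1.
SAMPLE = "\n\n".join(
    f"processor\t: {n}\nCPU implementer\t: 0x41\nCPU part\t: {part}"
    for n, part in enumerate(["0xd05", "0xd05", "0xd41", "0xd44"])
)

if __name__ == "__main__":
    with open("/proc/cpuinfo") as f:
        found = audit(f.read())
    for core, count in sorted(found.items()):
        print(f"{count} x {core}: listed as affected by CVE-2025-10263")
    if not found:
        print("no listed Arm core found; check vendor cores against the bulletin")
```

Heterogeneous systems report a different part number per cluster, so the script inspects every logical CPU rather than only the first block.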