
CVE-2025-8774: Observable Timing Discrepancy in riscv-boom SonicBOOM

Severity: Low
Published: Sat Aug 09 2025 (08/09/2025, 20:32:05 UTC)
Source: CVE Database V5
Vendor/Project: riscv-boom
Product: SonicBOOM

Description

A vulnerability has been found in riscv-boom SonicBOOM up to 2.2.3 and classified as problematic. Affected by this vulnerability is an unknown functionality of the component L1 Data Cache Handler. The manipulation leads to observable timing discrepancy. Local access is required to approach this attack. The complexity of an attack is rather high. The exploitation appears to be difficult. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 08/17/2025, 01:00:36 UTC

Technical Analysis

CVE-2025-8774 is a vulnerability identified in the riscv-boom SonicBOOM processor core, specifically affecting versions 2.2.0 through 2.2.3. The vulnerability resides in an unspecified functionality within the L1 Data Cache Handler component. The core issue is an observable timing discrepancy that can be exploited by an attacker with local access. This timing discrepancy likely allows an attacker to infer sensitive information by measuring variations in cache access times, a classic side-channel attack vector. However, the attack complexity is considered high, and exploitation is difficult, requiring local privileges and precise timing measurements. No user interaction is needed, and the vulnerability does not affect confidentiality, integrity, or availability directly but could potentially leak sensitive data through side-channel analysis. The vendor has not responded to the disclosure, and no patches or mitigations have been published yet. The CVSS v4.0 base score is 2.0, indicating a low severity rating, reflecting the limited impact and high attack complexity. No known exploits are currently in the wild.

Potential Impact

For European organizations, the impact of this vulnerability is generally low due to the high complexity of exploitation and the requirement for local access. However, organizations using riscv-boom SonicBOOM cores in sensitive embedded systems or critical infrastructure devices could face risks of side-channel data leakage, potentially exposing cryptographic keys or other sensitive information. This is particularly relevant for sectors such as telecommunications, defense, and critical infrastructure where RISC-V processors might be deployed in secure environments. The lack of vendor response and absence of patches increases the risk window. Additionally, the vulnerability could be leveraged by insider threats or attackers who have already gained limited local access, escalating their ability to extract sensitive data. Overall, the direct impact on confidentiality is limited but should not be ignored in high-security environments.

Mitigation Recommendations

Given the absence of patches, European organizations should implement strict access controls to prevent unauthorized local access to systems running affected riscv-boom SonicBOOM cores. Employ hardware and software-based isolation techniques to limit the ability of untrusted code to execute on the same processor or share cache resources. Monitoring and anomaly detection for unusual timing measurement activities could help detect exploitation attempts. For new deployments, consider using updated or alternative processor cores that have addressed this vulnerability. Additionally, organizations should engage with vendors and the open-source community to track any forthcoming patches or mitigations. Where possible, apply microarchitectural mitigations such as cache partitioning or flushing to reduce timing side-channel leakage. Finally, conduct security audits focusing on side-channel risks in embedded systems using this processor.


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-08T20:24:10.093Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6897e8eaad5a09ad000f48e1

Added to database: 8/10/2025, 12:33:46 AM

Last enriched: 8/17/2025, 1:00:36 AM

Last updated: 11/9/2025, 8:52:29 AM
