Insufficient Bounds Checking in AMD ASP Products
CVE-2021-26354

5.5MEDIUM

Key Information:

Vendor: Amd
Status: Ryzen™ 2000 Series Desktop Processors “raven Ridge” Am4; Ryzen™ 2000 Series Desktop Processors “pinnacle Ridge”; Ryzen™ 3000 Series Desktop Processors “matisse” Am4; Amd Ryzen™ 5000 Series Desktop Processors “vermeer” Am4
Vendor: CVE Published:; 9 May 2023

Summary

A vulnerability exists in AMD's ASP due to insufficient bounds checking. This flaw may allow an attacker to execute system calls from a compromised ABL, leading to the potential initialization of arbitrary memory values to zero. Such actions could ultimately result in significant integrity issues within affected systems, highlighting the need for immediate security updates to mitigate potential exploits.

Affected Version(s)

2nd Gen AMD EPYC™ Processors x86 various

2nd Gen AMD Ryzen™ Threadripper™ Processors “Colfax” x86 various

3rd Gen AMD EPYC™ Processors x86 various

References

https://www.amd.com/en/corporate/product-security/bulleti...

vendor-advisory

https://www.amd.com/en/corporate/product-security/bulleti...

vendor-advisory

CVSS V3.1

Score:

5.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 9, 2023
Vulnerability Reserved
Jan 29, 2021