Insufficient Bounds Checking in AMD ASP Products
CVE-2021-26354

5.5MEDIUM

Key Information:

Vendor

Amd
Status
Ryzen™ 2000 Series Desktop Processors “raven Ridge” Am4
Ryzen™ 2000 Series Desktop Processors “pinnacle Ridge”
Ryzen™ 3000 Series Desktop Processors “matisse” Am4
Amd Ryzen™ 5000 Series Desktop Processors “vermeer” Am4
Vendor
CVE Published:
9 May 2023

What is CVE-2021-26354?

A vulnerability exists in AMD's ASP due to insufficient bounds checking. This flaw may allow an attacker to execute system calls from a compromised ABL, leading to the potential initialization of arbitrary memory values to zero. Such actions could ultimately result in significant integrity issues within affected systems, highlighting the need for immediate security updates to mitigate potential exploits.

Affected Version(s)

2nd Gen AMD EPYC™ Processors x86 various

2nd Gen AMD Ryzen™ Threadripper™ Processors “Colfax” x86 various

3rd Gen AMD EPYC™ Processors x86 various

References

https://www.amd.com/en/corporate/product-security/bulleti...
vendor-advisory
https://www.amd.com/en/corporate/product-security/bulleti...
vendor-advisory

CVSS V3.1

Score:
5.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.