TOCTOU Vulnerability in AMD Bootloader Affects SPI ROM Integrity
CVE-2021-26356

7.4HIGH

Key Information:

Vendor
Amd
Status
Ryzen™ 3000 Series Desktop Processors “matisse” Am4
Amd Ryzen™ 5000 Series Desktop Processors “vermeer” Am4
3rd Gen Amd Ryzen™ Threadripper™ Processors “castle Peak” Hedt
Ryzen™ Threadripper™ Pro Processors “castle Peak” Ws
Vendor
CVE Published:
9 May 2023

Summary

A time-of-check to time-of-use (TOCTOU) vulnerability exists in the AMD ASP bootloader. This issue may allow an attacker to manipulate the SPI ROM after reading data into memory, which can lead to potential S3 data corruption and unintended information disclosure.

Affected Version(s)

1st Gen AMD EPYC™ Processors x86 various

2nd Gen AMD EPYC™ Processors x86 various

3rd Gen AMD EPYC™ Processors x86 various

References

https://www.amd.com/en/corporate/product-security/bulleti...
vendor-advisory
https://www.amd.com/en/corporate/product-security/bulleti...
vendor-advisory

CVSS V3.1

Score:
7.4
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database
.