Arbitrary Code Execution Vulnerability in AMD Firmware Products
CVE-2021-39298

8.8HIGH

Key Information:

Vendor: Amd
Status: 2nd Gen Epyc; 3rd Gen Epyc; Ryzen 2000 Series; Ryzen 3000 Series
Vendor: CVE Published:; 16 February 2022

What is CVE-2021-39298?

A security flaw has been identified in the interrupt handler of AMD's System Management Mode (SMM). This vulnerability could enable an attacker with elevated privileges to obtain access to the SMM, creating opportunities for arbitrary code execution. Such exploitation may allow malicious actors to circumvent security features embedded within the UEFI firmware, posing significant risks to the integrity and confidentiality of the system.

Affected Version(s)

2nd Gen EPYC x86 Various

3rd Gen EPYC x86 various

Ryzen 2000 Series x86 various

References

https://www.amd.com/en/corporate/product-security/bulleti...

vendor-advisory

https://www.amd.com/en/corporate/product-security/bulleti...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 16, 2022
Vulnerability Reserved
Aug 19, 2021

Amd

What is CVE-2021-39298?

Affected Version(s)

References

CVSS V3.1

Timeline