Incomplete Memory Cleanup in SEV Firmware Could Lead to Data Integrity Loss
CVE-2023-31356

4.4MEDIUM

Key Information:

Vendor

Amd
Status
Amd Epyc™ 7003 Processors
Amd Epyc™ 9004 Processors
Amd Epyc™ Embedded 7003
Amd Epyc™ Embedded 9004
Vendor
CVE Published:
13 August 2024

What is CVE-2023-31356?

Incomplete memory cleanup in AMD's SEV (Secure Encrypted Virtualization) firmware poses a significant risk where a privileged attacker may exploit this flaw to corrupt guest private memory. This vulnerability can lead to potential loss of data integrity, compromising the confidentiality and reliability of virtualized environments.

Affected Version(s)

AMD EPYC™ 7003 Processors MilanPI 1.0.0.C

AMD EPYC™ 9004 Processors GenoaPI 1.0.0.B

AMD EPYC™ Embedded 7003 "EmbMilanPI-SP3 1.0.0.8"

References

https://www.amd.com/en/resources/product-security/bulleti...
vendor-advisory
https://www.amd.com/en/resources/product-security/bulleti...

CVSS V3.1

Score:
4.4
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.