Multiple vulnerabilities in various AMD processors
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 28 |
| CVE-ID | CVE-2020-12951 CVE-2021-26382 CVE-2021-26384 CVE-2021-26368 CVE-2020-12944 CVE-2021-26362 CVE-2021-26390 CVE-2021-26351 CVE-2021-26352 CVE-2021-26337 CVE-2021-26317 CVE-2021-26336 CVE-2021-26386 CVE-2021-26369 CVE-2021-26366 CVE-2021-26363 CVE-2021-26361 CVE-2020-12946 CVE-2021-39298 CVE-2021-26335 CVE-2021-26373 CVE-2021-26376 CVE-2021-26375 CVE-2021-26378 CVE-2021-26372 CVE-2021-26339 CVE-2021-26388 CVE-2021-26312 |
| CWE-ID | CWE-362 CWE-254 CWE-787 CWE-20 CWE-119 CWE-345 CWE-264 CWE-200 CWE-125 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
AMD Ryzen 2000 series Desktop processor Hardware solutions / Firmware AMD Ryzen 3000 Series Desktop processor Hardware solutions / Firmware AMD Ryzen 5000 Series Desktop processor Hardware solutions / Firmware 3rd Gen AMD Ryzen Threadripper processors Hardware solutions / Firmware AMD Ryzen Threadripper PRO processors Hardware solutions / Firmware AMD Ryzen 3000 Series Mobile processor Hardware solutions / Firmware 2nd Gen AMD Ryzen Mobile processor with Radeon graphics Hardware solutions / Firmware AMD Athlon 3000 Series Mobile processors with Radeon Graphics Hardware solutions / Firmware AMD Ryzen 3000 Series Mobile processor with Radeon graphics Hardware solutions / Firmware AMD Ryzen 5000 Series Mobile processor with Radeon graphics Hardware solutions / Firmware AMD Ryzen 5000 Series Desktop processor with Radeon graphics Hardware solutions / Firmware AMD Ryzen 2000 Series Mobile processor Hardware solutions / Firmware 2nd Gen AMD Ryzen Threadripper processors Hardware solutions / Firmware |
| Vendor | AMD |
Security Bulletin
This security bulletin contains information about 28 vulnerabilities.
1) Race condition
EUVDB-ID: #VU63738
Risk: Low
CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-12951
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a race condition in ASP firmware. A local user can exploit the race and perform ASP SMM (System Management Mode) operations.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAMD Ryzen 2000 series Desktop processor: All versions
AMD Ryzen 3000 Series Desktop processor: All versions
AMD Ryzen 5000 Series Desktop processor: All versions
3rd Gen AMD Ryzen Threadripper processors: All versions
AMD Ryzen Threadripper PRO processors: All versions
AMD Ryzen 3000 Series Mobile processor: All versions
2nd Gen AMD Ryzen Mobile processor with Radeon graphics: All versions
AMD Athlon 3000 Series Mobile processors with Radeon Graphics: All versions
AMD Ryzen 3000 Series Mobile processor with Radeon graphics: All versions
AMD Ryzen 5000 Series Mobile processor with Radeon graphics: All versions
CPE2.3- cpe:2.3:h:amd:amd_ryzen_2000_series_desktop_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_3000_series_desktop_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_5000_series_desktop_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:3rd_gen_amd_ryzen_threadripper_processors:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_threadripper_pro_processors:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_3000_series_mobile_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:2nd_gen_amd_ryzen_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_athlon_3000_series_mobile_processors_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_3000_series_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_5000_series_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
http://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1027
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Security features bypass
EUVDB-ID: #VU63746
Risk: Low
CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-26382
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to missing verification of the signing key when processing ACP firmware images. A local privileged user can load any legitimately signed firmware image into the Audio
Co-Processor (ACP) irrespective of the respective signing key being
declared as usable for authenticating an ACP firmware image, and perform a denial of service (DoS) attack.
Install updates from vendor's website.
Vulnerable software versionsAMD Ryzen 5000 Series Desktop processor with Radeon graphics: All versions
AMD Ryzen 3000 Series Mobile processor with Radeon graphics: All versions
AMD Ryzen 5000 Series Mobile processor with Radeon graphics: All versions
CPE2.3- cpe:2.3:h:amd:amd_ryzen_5000_series_desktop_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_3000_series_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_5000_series_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
http://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1027
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Out-of-bounds write
EUVDB-ID: #VU63745
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-26384
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
Description The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in System Management Interface. A local user can run a specially crafted SMI command to establish a corrupted SMI Trigger Info data structure and perform a denial of service (DoS) attack.
Install updates from vendor's website.
Vulnerable software versionsAMD Ryzen 2000 series Desktop processor: All versions
AMD Ryzen 5000 Series Desktop processor with Radeon graphics: All versions
AMD Ryzen 2000 Series Mobile processor: All versions
AMD Ryzen 3000 Series Mobile processor: All versions
2nd Gen AMD Ryzen Mobile processor with Radeon graphics: All versions
AMD Athlon 3000 Series Mobile processors with Radeon Graphics: All versions
AMD Ryzen 5000 Series Mobile processor with Radeon graphics: All versions
CPE2.3- cpe:2.3:h:amd:amd_ryzen_2000_series_desktop_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_5000_series_desktop_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_2000_series_mobile_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_3000_series_mobile_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:2nd_gen_amd_ryzen_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_athlon_3000_series_mobile_processors_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_5000_series_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
http://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1027
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Input validation error
EUVDB-ID: #VU63744
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-26368
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient check of the process type in Trusted OS (TOS). A local user can enable a lesser privileged process to unmap memory owned by a higher privileged process and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAMD Ryzen 2000 series Desktop processor: All versions
AMD Ryzen 3000 Series Desktop processor: All versions
AMD Ryzen 5000 Series Desktop processor: All versions
AMD Ryzen 5000 Series Desktop processor with Radeon graphics: All versions
3rd Gen AMD Ryzen Threadripper processors: All versions
AMD Ryzen Threadripper PRO processors: All versions
AMD Ryzen 2000 Series Mobile processor: All versions
AMD Ryzen 3000 Series Mobile processor: All versions
2nd Gen AMD Ryzen Mobile processor with Radeon graphics: All versions
AMD Athlon 3000 Series Mobile processors with Radeon Graphics: All versions
AMD Ryzen 3000 Series Mobile processor with Radeon graphics: All versions
AMD Ryzen 5000 Series Mobile processor with Radeon graphics: All versions
CPE2.3- cpe:2.3:h:amd:amd_ryzen_2000_series_desktop_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_3000_series_desktop_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_5000_series_desktop_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_5000_series_desktop_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:3rd_gen_amd_ryzen_threadripper_processors:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_threadripper_pro_processors:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_2000_series_mobile_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_3000_series_mobile_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:2nd_gen_amd_ryzen_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_athlon_3000_series_mobile_processors_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_3000_series_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_5000_series_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
http://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1027
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Buffer overflow
EUVDB-ID: #VU63743
Risk: Low
CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-12944
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error when processing BIOS image length in ASP Firmware. A local user can trigger memory corruption and execute arbitrary code with elevated privileges.
Install updates from vendor's website.
Vulnerable software versionsAMD Ryzen 2000 series Desktop processor: All versions
AMD Ryzen 3000 Series Desktop processor: All versions
AMD Ryzen 5000 Series Desktop processor: All versions
2nd Gen AMD Ryzen Threadripper processors: All versions
3rd Gen AMD Ryzen Threadripper processors: All versions
AMD Ryzen Threadripper PRO processors: All versions
AMD Ryzen 2000 Series Mobile processor: All versions
AMD Ryzen 3000 Series Mobile processor: All versions
2nd Gen AMD Ryzen Mobile processor with Radeon graphics: All versions
AMD Athlon 3000 Series Mobile processors with Radeon Graphics: All versions
AMD Ryzen 3000 Series Mobile processor with Radeon graphics: All versions
AMD Ryzen 5000 Series Mobile processor with Radeon graphics: All versions
CPE2.3- cpe:2.3:h:amd:amd_ryzen_2000_series_desktop_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_3000_series_desktop_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_5000_series_desktop_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:2nd_gen_amd_ryzen_threadripper_processors:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:3rd_gen_amd_ryzen_threadripper_processors:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_threadripper_pro_processors:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_2000_series_mobile_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_3000_series_mobile_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:2nd_gen_amd_ryzen_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_athlon_3000_series_mobile_processors_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_3000_series_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_5000_series_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
http://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1027
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Input validation error
EUVDB-ID: #VU63742
Risk: Low
CVSSv3.1: 6.2 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-26362
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to insufficient validation of user-supplied input. A malicious or compromised UApp or ABL can
issue a malformed system call, which results in mapping sensitive System
Management Network (SMN) registers, and escalate privileges on the system.
Install updates from vendor's website.
Vulnerable software versionsAMD Ryzen 2000 series Desktop processor: All versions
AMD Ryzen 5000 Series Desktop processor with Radeon graphics: All versions
2nd Gen AMD Ryzen Threadripper processors: All versions
AMD Ryzen 2000 Series Mobile processor: All versions
AMD Ryzen 3000 Series Mobile processor: All versions
2nd Gen AMD Ryzen Mobile processor with Radeon graphics: All versions
AMD Athlon 3000 Series Mobile processors with Radeon Graphics: All versions
AMD Ryzen 3000 Series Mobile processor with Radeon graphics: All versions
AMD Ryzen 5000 Series Mobile processor with Radeon graphics: All versions
CPE2.3- cpe:2.3:h:amd:amd_ryzen_2000_series_desktop_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_5000_series_desktop_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:2nd_gen_amd_ryzen_threadripper_processors:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_2000_series_mobile_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_3000_series_mobile_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:2nd_gen_amd_ryzen_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_athlon_3000_series_mobile_processors_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_3000_series_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_5000_series_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
http://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1027
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Buffer overflow
EUVDB-ID: #VU63741
Risk: Low
CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-26390
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error. A malicious or compromised UApp or ABL can trigger memory corruption and execute arbitrary code with elevated privileges.
Install updates from vendor's website.
Vulnerable software versionsAMD Ryzen 2000 series Desktop processor: All versions
AMD Ryzen 3000 Series Desktop processor: All versions
AMD Ryzen 5000 Series Desktop processor: All versions
2nd Gen AMD Ryzen Threadripper processors: All versions
3rd Gen AMD Ryzen Threadripper processors: All versions
AMD Ryzen Threadripper PRO processors: All versions
AMD Ryzen 3000 Series Mobile processor: All versions
2nd Gen AMD Ryzen Mobile processor with Radeon graphics: All versions
AMD Athlon 3000 Series Mobile processors with Radeon Graphics: All versions
CPE2.3- cpe:2.3:h:amd:amd_ryzen_2000_series_desktop_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_3000_series_desktop_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_5000_series_desktop_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:2nd_gen_amd_ryzen_threadripper_processors:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:3rd_gen_amd_ryzen_threadripper_processors:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_threadripper_pro_processors:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_3000_series_mobile_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:2nd_gen_amd_ryzen_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_athlon_3000_series_mobile_processors_with_radeon_graphics:*:*:*:*:*:*:*:*
http://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1027
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Input validation error
EUVDB-ID: #VU63740
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-26351
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient DRAM address validation in System Management Unit (SMU). A local user can force DMA (Direct Memory Access) to read or write from/to invalid DRAM address and perform a denial of service (DoS) attack.
Install updates from vendor's website.
Vulnerable software versionsAMD Ryzen 3000 Series Desktop processor: All versions
AMD Ryzen 5000 Series Desktop processor: All versions
3rd Gen AMD Ryzen Threadripper processors: All versions
AMD Ryzen Threadripper PRO processors: All versions
CPE2.3- cpe:2.3:h:amd:amd_ryzen_3000_series_desktop_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_5000_series_desktop_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:3rd_gen_amd_ryzen_threadripper_processors:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_threadripper_pro_processors:*:*:*:*:*:*:*:*
http://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1027
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Buffer overflow
EUVDB-ID: #VU63739
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-26352
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in System Management Unit (SMU) PCIe Hot Plug table. A local user can trigger memory corruption and perform a denial of service (DoS) attack.
Install updates from vendor's website.
Vulnerable software versionsAMD Ryzen 2000 series Desktop processor: All versions
AMD Ryzen 3000 Series Desktop processor: All versions
AMD Ryzen 5000 Series Desktop processor: All versions
2nd Gen AMD Ryzen Threadripper processors: All versions
3rd Gen AMD Ryzen Threadripper processors: All versions
AMD Ryzen Threadripper PRO processors: All versions
CPE2.3- cpe:2.3:h:amd:amd_ryzen_2000_series_desktop_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_3000_series_desktop_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_5000_series_desktop_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:2nd_gen_amd_ryzen_threadripper_processors:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:3rd_gen_amd_ryzen_threadripper_processors:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_threadripper_pro_processors:*:*:*:*:*:*:*:*
http://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1027
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Input validation error
EUVDB-ID: #VU63737
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-26337
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient DRAM address validation in System Management Unit (SMU). A local user can force DMA to read from invalid DRAM address to SRAM and perform a denial of service (DoS) attack.
Install updates from vendor's website.
Vulnerable software versionsAMD Ryzen 3000 Series Desktop processor: All versions
AMD Ryzen 5000 Series Desktop processor: All versions
3rd Gen AMD Ryzen Threadripper processors: All versions
AMD Ryzen Threadripper PRO processors: All versions
CPE2.3- cpe:2.3:h:amd:amd_ryzen_3000_series_desktop_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_5000_series_desktop_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:3rd_gen_amd_ryzen_threadripper_processors:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_threadripper_pro_processors:*:*:*:*:*:*:*:*
http://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1027
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Insufficient verification of data authenticity
EUVDB-ID: #VU63727
Risk: Low
CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-26317
CWE-ID:
CWE-345 - Insufficient Verification of Data Authenticity
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to failure to verify the protocol in AMD System Management Mode (SMM). A local user can modify SPI flash and execute arbitrary code with elevated privileges.
Install updates from vendor's website.
Vulnerable software versionsAMD Ryzen 2000 series Desktop processor: All versions
AMD Ryzen 3000 Series Desktop processor: All versions
AMD Ryzen 5000 Series Desktop processor with Radeon graphics: All versions
2nd Gen AMD Ryzen Threadripper processors: All versions
3rd Gen AMD Ryzen Threadripper processors: All versions
AMD Ryzen Threadripper PRO processors: All versions
AMD Ryzen 2000 Series Mobile processor: All versions
AMD Ryzen 3000 Series Mobile processor: All versions
2nd Gen AMD Ryzen Mobile processor with Radeon graphics: All versions
AMD Athlon 3000 Series Mobile processors with Radeon Graphics: All versions
AMD Ryzen 3000 Series Mobile processor with Radeon graphics: All versions
AMD Ryzen 5000 Series Mobile processor with Radeon graphics: All versions
CPE2.3- cpe:2.3:h:amd:amd_ryzen_2000_series_desktop_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_3000_series_desktop_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_5000_series_desktop_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:2nd_gen_amd_ryzen_threadripper_processors:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:3rd_gen_amd_ryzen_threadripper_processors:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_threadripper_pro_processors:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_2000_series_mobile_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_3000_series_mobile_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:2nd_gen_amd_ryzen_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_athlon_3000_series_mobile_processors_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_3000_series_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_5000_series_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
http://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1027
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Buffer overflow
EUVDB-ID: #VU63736
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-26336
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in System Management Unit (SMU). A local user can trigger memory corruption and perform a denial of service (DoS) attack.
Install updates from vendor's website.
Vulnerable software versionsAMD Ryzen 3000 Series Desktop processor: All versions
AMD Ryzen 5000 Series Desktop processor: All versions
3rd Gen AMD Ryzen Threadripper processors: All versions
AMD Ryzen Threadripper PRO processors: All versions
CPE2.3- cpe:2.3:h:amd:amd_ryzen_3000_series_desktop_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_5000_series_desktop_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:3rd_gen_amd_ryzen_threadripper_processors:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_threadripper_pro_processors:*:*:*:*:*:*:*:*
http://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1027
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Buffer overflow
EUVDB-ID: #VU63735
Risk: Low
CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-26386
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error. A malicious or compromised UApp or ABL can
issue a malformed system call to the Stage 2 Bootloader, trigger memory corruption and execute arbitrary code with elevated privileges.
Install updates from vendor's website.
Vulnerable software versionsAMD Ryzen 2000 series Desktop processor: All versions
AMD Ryzen 3000 Series Desktop processor: All versions
AMD Ryzen 5000 Series Desktop processor: All versions
AMD Ryzen 5000 Series Desktop processor with Radeon graphics: All versions
2nd Gen AMD Ryzen Threadripper processors: All versions
3rd Gen AMD Ryzen Threadripper processors: All versions
AMD Ryzen Threadripper PRO processors: All versions
AMD Ryzen 2000 Series Mobile processor: All versions
AMD Ryzen 3000 Series Mobile processor: All versions
2nd Gen AMD Ryzen Mobile processor with Radeon graphics: All versions
AMD Athlon 3000 Series Mobile processors with Radeon Graphics: All versions
AMD Ryzen 3000 Series Mobile processor with Radeon graphics: All versions
AMD Ryzen 5000 Series Mobile processor with Radeon graphics: All versions
CPE2.3- cpe:2.3:h:amd:amd_ryzen_2000_series_desktop_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_3000_series_desktop_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_5000_series_desktop_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_5000_series_desktop_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:2nd_gen_amd_ryzen_threadripper_processors:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:3rd_gen_amd_ryzen_threadripper_processors:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_threadripper_pro_processors:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_2000_series_mobile_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_3000_series_mobile_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:2nd_gen_amd_ryzen_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_athlon_3000_series_mobile_processors_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_3000_series_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_5000_series_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
http://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1027
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Out-of-bounds write
EUVDB-ID: #VU63734
Risk: Low
CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-26369
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
Description The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error. A malicious or compromised UApp or ABL can
send a malformed system call to the bootloader and escalate privileges on the system.
Install updates from vendor's website.
Vulnerable software versionsAMD Ryzen 2000 series Desktop processor: All versions
2nd Gen AMD Ryzen Threadripper processors: All versions
AMD Ryzen 2000 Series Mobile processor: All versions
AMD Ryzen 3000 Series Mobile processor: All versions
2nd Gen AMD Ryzen Mobile processor with Radeon graphics: All versions
AMD Athlon 3000 Series Mobile processors with Radeon Graphics: All versions
AMD Ryzen 3000 Series Mobile processor with Radeon graphics: All versions
AMD Ryzen 5000 Series Mobile processor with Radeon graphics: All versions
CPE2.3- cpe:2.3:h:amd:amd_ryzen_2000_series_desktop_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:2nd_gen_amd_ryzen_threadripper_processors:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_2000_series_mobile_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_3000_series_mobile_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:2nd_gen_amd_ryzen_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_athlon_3000_series_mobile_processors_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_3000_series_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_5000_series_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
http://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1027
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU63733
Risk: Low
CVSSv3.1: 2 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-26366
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a local user to bypass implemented security restrictions.
The vulnerability exists due to unspecified error. A local privileged user can read data from Boot ROM resulting in a loss of system integrity.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAMD Ryzen 2000 series Desktop processor: All versions
AMD Ryzen 3000 Series Desktop processor: All versions
AMD Ryzen 5000 Series Desktop processor: All versions
AMD Ryzen 5000 Series Desktop processor with Radeon graphics: All versions
2nd Gen AMD Ryzen Threadripper processors: All versions
3rd Gen AMD Ryzen Threadripper processors: All versions
AMD Ryzen Threadripper PRO processors: All versions
AMD Ryzen 2000 Series Mobile processor: All versions
AMD Ryzen 3000 Series Mobile processor: All versions
2nd Gen AMD Ryzen Mobile processor with Radeon graphics: All versions
AMD Athlon 3000 Series Mobile processors with Radeon Graphics: All versions
AMD Ryzen 3000 Series Mobile processor with Radeon graphics: All versions
AMD Ryzen 5000 Series Mobile processor with Radeon graphics: All versions
CPE2.3- cpe:2.3:h:amd:amd_ryzen_2000_series_desktop_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_3000_series_desktop_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_5000_series_desktop_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_5000_series_desktop_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:2nd_gen_amd_ryzen_threadripper_processors:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:3rd_gen_amd_ryzen_threadripper_processors:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_threadripper_pro_processors:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_2000_series_mobile_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_3000_series_mobile_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:2nd_gen_amd_ryzen_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_athlon_3000_series_mobile_processors_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_3000_series_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_5000_series_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
http://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1027
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU63732
Risk: Low
CVSSv3.1: 3.3 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-26363
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to improper access restrictions. A malicious or compromised UApp or ABL can modify value used by ASP for its reserved DRAM to one outside of the
fenced area and gain access to sensitive information.
Install updates from vendor's website.
Vulnerable software versionsAMD Ryzen 5000 Series Desktop processor with Radeon graphics: All versions
AMD Ryzen 3000 Series Mobile processor with Radeon graphics: All versions
AMD Ryzen 5000 Series Mobile processor with Radeon graphics: All versions
CPE2.3- cpe:2.3:h:amd:amd_ryzen_5000_series_desktop_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_3000_series_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_5000_series_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
http://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1027
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
17) Information disclosure
EUVDB-ID: #VU63731
Risk: Low
CVSSv3.1: 3.3 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-26361
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to unspecified error. A malicious or compromised User Application (UApp) or AGESA Boot Loader (ABL) can be used to exfiltrate arbitrary memory from the ASP stage 2 bootloader potentially leading to information disclosure.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAMD Ryzen 2000 series Desktop processor: All versions
AMD Ryzen 5000 Series Desktop processor with Radeon graphics: All versions
2nd Gen AMD Ryzen Threadripper processors: All versions
AMD Ryzen 2000 Series Mobile processor: All versions
AMD Ryzen 3000 Series Mobile processor: All versions
2nd Gen AMD Ryzen Mobile processor with Radeon graphics: All versions
AMD Athlon 3000 Series Mobile processors with Radeon Graphics: All versions
AMD Ryzen 3000 Series Mobile processor with Radeon graphics: All versions
AMD Ryzen 5000 Series Mobile processor with Radeon graphics: All versions
CPE2.3- cpe:2.3:h:amd:amd_ryzen_2000_series_desktop_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_5000_series_desktop_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:2nd_gen_amd_ryzen_threadripper_processors:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_2000_series_mobile_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_3000_series_mobile_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:2nd_gen_amd_ryzen_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_athlon_3000_series_mobile_processors_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_3000_series_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_5000_series_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
http://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1027
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
18) Input validation error
EUVDB-ID: #VU63730
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-12946
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in ASP firmware for discrete TPM commands. A local user can perform a denial of service (DoS) attack.
Install updates from vendor's website.
Vulnerable software versionsAMD Ryzen 3000 Series Mobile processor with Radeon graphics: All versions
AMD Ryzen 5000 Series Mobile processor with Radeon graphics: All versions
CPE2.3- cpe:2.3:h:amd:amd_ryzen_3000_series_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_5000_series_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
http://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1027
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
19) Security features bypass
EUVDB-ID: #VU63729
Risk: Low
CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-39298
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to unspecified error in AMD System Management Mode (SMM) interrupt handler. A local privileged user can bypass security mechanisms provided in the UEFI firmware and execute arbitrary code.
Install updates from vendor's website.
Vulnerable software versionsAMD Ryzen 2000 series Desktop processor: All versions
AMD Ryzen 5000 Series Desktop processor with Radeon graphics: All versions
3rd Gen AMD Ryzen Threadripper processors: All versions
AMD Ryzen Threadripper PRO processors: All versions
AMD Ryzen 2000 Series Mobile processor: All versions
AMD Ryzen 3000 Series Mobile processor: All versions
2nd Gen AMD Ryzen Mobile processor with Radeon graphics: All versions
AMD Athlon 3000 Series Mobile processors with Radeon Graphics: All versions
AMD Ryzen 3000 Series Mobile processor with Radeon graphics: All versions
AMD Ryzen 5000 Series Mobile processor with Radeon graphics: All versions
CPE2.3- cpe:2.3:h:amd:amd_ryzen_2000_series_desktop_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_5000_series_desktop_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:3rd_gen_amd_ryzen_threadripper_processors:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_threadripper_pro_processors:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_2000_series_mobile_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_3000_series_mobile_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:2nd_gen_amd_ryzen_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_athlon_3000_series_mobile_processors_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_3000_series_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_5000_series_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:*
http://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1027
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
20) Input validation error
EUVDB-ID: #VU63728
Risk: Low
CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-26335
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to insufficient validation of user-supplied input in the AMD Secure Processor (ASP) boot loader image header. A local user can escalate privileges on the system.
Install updates from vendor's website.
Vulnerable software versionsAMD Ryzen 3000 Series Desktop processor: All versions
AMD Ryzen 5000 Series Desktop processor: All versions
CPE2.3- cpe:2.3:h:amd:amd_ryzen_3000_series_desktop_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:amd:amd_ryzen_5000_series_desktop_processor:*:*:*:*:*:*:*:*
http://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1027
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
21) Buffer overflow
EUVDB-ID: #VU63678
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-26373
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in the System Management Unit (SMU). A local user can trigger a system voltage malfunction and perform a denial of service (DoS) attack.
Install updates from vendor's website.
Vulnerable software versionsAMD Ryzen 3000 Series Mobile processor with Radeon graphics: All versions
2nd Gen AMD Ryzen Mobile processor with Radeon graphics: All versions
AMD Ryzen 3000 Series Mobile processor: All versions
AMD Ryzen Threadripper PRO processors: All versions
AMD Ryzen 5000 Series Desktop processor with Radeon graphics: All versions
AMD Ryzen 5000 Series Desktop processor: All versions
AMD Ryzen 3000 Series Desktop processor: All versions
AMD Ryzen 2000 series Desktop processor: All versions
AMD Ryzen 2000 Series Mobile processor: All versions
3rd Gen AMD Ryzen Threadripper processors: All versions
2nd Gen AMD Ryzen Threadripper processors: All versions
CPE2.3- cpe:2.3:h:amd:amd_ryzen_3000_series_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:2nd_gen_amd_ryzen_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:amd_ryzen_3000_series_mobile_processor:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:amd_ryzen_threadripper_pro_processors:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:amd_ryzen_5000_series_desktop_processor_with_radeon_graphics:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:amd_ryzen_5000_series_desktop_processor:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:amd_ryzen_3000_series_desktop_processor:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:amd_ryzen_2000_series_desktop_processor:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:amd_ryzen_2000_series_mobile_processor:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:3rd_gen_amd_ryzen_threadripper_processors:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:2nd_gen_amd_ryzen_threadripper_processors:*:*:*:*:*:*:*:
http://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1027
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
22) Input validation error
EUVDB-ID: #VU63680
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-26376
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in System Management Unit (SMU) FeatureConfig. A local user can re-enable certain features, which can lead to denial of service.
Install updates from vendor's website.
Vulnerable software versionsAMD Ryzen 5000 Series Mobile processor with Radeon graphics: All versions
AMD Ryzen 3000 Series Mobile processor with Radeon graphics: All versions
AMD Ryzen Threadripper PRO processors: All versions
AMD Ryzen 5000 Series Desktop processor: All versions
AMD Ryzen 3000 Series Desktop processor: All versions
3rd Gen AMD Ryzen Threadripper processors: All versions
CPE2.3- cpe:2.3:h:amd:amd_ryzen_5000_series_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:amd_ryzen_3000_series_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:amd_ryzen_threadripper_pro_processors:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:amd_ryzen_5000_series_desktop_processor:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:amd_ryzen_3000_series_desktop_processor:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:3rd_gen_amd_ryzen_threadripper_processors:*:*:*:*:*:*:*:
http://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1027
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
23) Buffer overflow
EUVDB-ID: #VU63681
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-26375
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in System Management Unit (SMU). A local user can trigger memory corruption and perform a denial of service (DoS) attack.
Install updates from vendor's website.
Vulnerable software versionsAMD Ryzen Threadripper PRO processors: All versions
AMD Ryzen 5000 Series Desktop processor: All versions
AMD Ryzen 3000 Series Desktop processor: All versions
3rd Gen AMD Ryzen Threadripper processors: All versions
CPE2.3- cpe:2.3:h:amd:amd_ryzen_threadripper_pro_processors:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:amd_ryzen_5000_series_desktop_processor:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:amd_ryzen_3000_series_desktop_processor:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:3rd_gen_amd_ryzen_threadripper_processors:*:*:*:*:*:*:*:
http://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1027
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
24) Buffer overflow
EUVDB-ID: #VU63682
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-26378
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
Install updates from vendor's website.
Vulnerable software versionsAMD Ryzen Threadripper PRO processors: All versions
AMD Ryzen 5000 Series Desktop processor: All versions
AMD Ryzen 3000 Series Desktop processor: All versions
3rd Gen AMD Ryzen Threadripper processors: All versions
CPE2.3- cpe:2.3:h:amd:amd_ryzen_threadripper_pro_processors:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:amd_ryzen_5000_series_desktop_processor:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:amd_ryzen_3000_series_desktop_processor:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:3rd_gen_amd_ryzen_threadripper_processors:*:*:*:*:*:*:*:
http://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1027
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
25) Buffer overflow
EUVDB-ID: #VU63683
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-26372
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description
The vulnerability allows a local user to perform a denial of service (DoS) attack.
Install updates from vendor's website.
Vulnerable software versionsAMD Ryzen Threadripper PRO processors: All versions
AMD Ryzen 5000 Series Desktop processor: All versions
AMD Ryzen 3000 Series Desktop processor: All versions
AMD Ryzen 2000 series Desktop processor: All versions
3rd Gen AMD Ryzen Threadripper processors: All versions
2nd Gen AMD Ryzen Threadripper processors: All versions
CPE2.3- cpe:2.3:h:amd:amd_ryzen_threadripper_pro_processors:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:amd_ryzen_5000_series_desktop_processor:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:amd_ryzen_3000_series_desktop_processor:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:amd_ryzen_2000_series_desktop_processor:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:3rd_gen_amd_ryzen_threadripper_processors:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:2nd_gen_amd_ryzen_threadripper_processors:*:*:*:*:*:*:*:
http://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1027
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
26) Input validation error
EUVDB-ID: #VU63684
Risk: Medium
CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-26339
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to an error in the AMD CPU’s core logic when using specific code from an unprivileged VM. A remote user with low-privileged access to guest OS can send a specific x86 instruction sequence that triggers CPU core hang.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAMD Ryzen 5000 Series Mobile processor with Radeon graphics: All versions
2nd Gen AMD Ryzen Mobile processor with Radeon graphics: All versions
AMD Ryzen 3000 Series Mobile processor: All versions
AMD Ryzen Threadripper PRO processors: All versions
AMD Ryzen 5000 Series Desktop processor with Radeon graphics: All versions
AMD Ryzen 2000 Series Mobile processor: All versions
CPE2.3- cpe:2.3:h:amd:amd_ryzen_5000_series_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:2nd_gen_amd_ryzen_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:amd_ryzen_3000_series_mobile_processor:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:amd_ryzen_threadripper_pro_processors:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:amd_ryzen_5000_series_desktop_processor_with_radeon_graphics:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:amd_ryzen_2000_series_mobile_processor:*:*:*:*:*:*:*:
http://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1027
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
27) Out-of-bounds read
EUVDB-ID: #VU63687
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-26388
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in the BIOS directory that allows for searches to read beyond the directory table copy in RAM. A local user can perform a denial of service (DoS) attack.
Install updates from vendor's website.
Vulnerable software versionsAMD Ryzen 5000 Series Mobile processor with Radeon graphics: All versions
AMD Ryzen 3000 Series Mobile processor with Radeon graphics: All versions
2nd Gen AMD Ryzen Mobile processor with Radeon graphics: All versions
AMD Ryzen 3000 Series Mobile processor: All versions
AMD Ryzen Threadripper PRO processors: All versions
AMD Ryzen 5000 Series Desktop processor: All versions
AMD Ryzen 3000 Series Desktop processor: All versions
AMD Ryzen 2000 series Desktop processor: All versions
AMD Athlon 3000 Series Mobile processors with Radeon Graphics: All versions
AMD Ryzen 2000 Series Mobile processor: All versions
3rd Gen AMD Ryzen Threadripper processors: All versions
2nd Gen AMD Ryzen Threadripper processors: All versions
CPE2.3- cpe:2.3:h:amd:amd_ryzen_5000_series_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:amd_ryzen_3000_series_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:2nd_gen_amd_ryzen_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:amd_ryzen_3000_series_mobile_processor:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:amd_ryzen_threadripper_pro_processors:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:amd_ryzen_5000_series_desktop_processor:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:amd_ryzen_3000_series_desktop_processor:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:amd_ryzen_2000_series_desktop_processor:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:amd_athlon_3000_series_mobile_processors_with_radeon_graphics:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:amd_ryzen_2000_series_mobile_processor:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:3rd_gen_amd_ryzen_threadripper_processors:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:2nd_gen_amd_ryzen_threadripper_processors:*:*:*:*:*:*:*:
http://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1027
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
28) Out-of-bounds write
EUVDB-ID: #VU63690
Risk: Low
CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-26312
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
Description The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error caused by failure to flush the Translation Lookaside Buffer (TLB) of the I/O memory management unit (IOMMU). A local user can force an IO device to write to memory it should not be able to access and execute arbitrary code with elevated privileges.
Install updates from vendor's website.
Vulnerable software versionsAMD Ryzen 5000 Series Mobile processor with Radeon graphics: All versions
AMD Ryzen 3000 Series Mobile processor with Radeon graphics: All versions
2nd Gen AMD Ryzen Mobile processor with Radeon graphics: All versions
AMD Ryzen 3000 Series Mobile processor: All versions
AMD Ryzen Threadripper PRO processors: All versions
AMD Ryzen 5000 Series Desktop processor: All versions
AMD Ryzen 3000 Series Desktop processor: All versions
AMD Ryzen 2000 series Desktop processor: All versions
AMD Athlon 3000 Series Mobile processors with Radeon Graphics: All versions
AMD Ryzen 2000 Series Mobile processor: All versions
3rd Gen AMD Ryzen Threadripper processors: All versions
CPE2.3- cpe:2.3:h:amd:amd_ryzen_5000_series_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:amd_ryzen_3000_series_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:2nd_gen_amd_ryzen_mobile_processor_with_radeon_graphics:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:amd_ryzen_3000_series_mobile_processor:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:amd_ryzen_threadripper_pro_processors:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:amd_ryzen_5000_series_desktop_processor:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:amd_ryzen_3000_series_desktop_processor:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:amd_ryzen_2000_series_desktop_processor:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:amd_athlon_3000_series_mobile_processors_with_radeon_graphics:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:amd_ryzen_2000_series_mobile_processor:*:*:*:*:*:*:*:
- cpe:2.3:h:amd:3rd_gen_amd_ryzen_threadripper_processors:*:*:*:*:*:*:*:
http://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1027
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
