Multiple vulnerabilities in AMD Ryzen AI Software
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2024-21974 CVE-2024-21975 CVE-2024-21976 CVE-2024-21949 |
| CWE-ID | CWE-20 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
AMD Ryzen AI Hardware solutions / Firmware |
| Vendor | AMD |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Input validation error
EUVDB-ID: #VU100526
Risk: Low
CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-21974
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local user to execute arbitrary code on the system.
The vulnerability exists due to insufficient validation of user-supplied input in the NPU driver. A local user can pass specially crafted input to the application and execute arbitrary code on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAMD Ryzen AI: before 1.2
CPE2.3 External linkshttp://www.amd.com/en/resources/product-security/bulletin/amd-sb-7017.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU100527
Risk: Low
CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-21975
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local user to execute arbitrary code on the system.
The vulnerability exists due to insufficient validation of user-supplied input in the NPU driver. A local user can pass specially crafted input to the application and execute arbitrary code on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAMD Ryzen AI: before 1.2
CPE2.3 External linkshttp://www.amd.com/en/resources/product-security/bulletin/amd-sb-7017.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Input validation error
EUVDB-ID: #VU100529
Risk: Low
CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-21976
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local user to execute arbitrary code on the system.
The vulnerability exists due to insufficient validation of user-supplied input in the NPU driver. A local user can pass specially crafted input to the application and execute arbitrary code on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAMD Ryzen AI: before 1.2
CPE2.3 External linkshttp://www.amd.com/en/resources/product-security/bulletin/amd-sb-7017.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Input validation error
EUVDB-ID: #VU100530
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-21949
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in the NPU driver. A local user can pass specially crafted input to the application and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAMD Ryzen AI: before 1.2
CPE2.3 External linkshttp://www.amd.com/en/resources/product-security/bulletin/amd-sb-7017.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
