CVE-2021-26356

CWE-3673 documents3 sources

Severity

7.4HIGH

EPSS

0.2%

top 60.22%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

AMD Epyc 7001 Firmware AMD Epyc 7002 Firmware AMD Epyc 7232p Firmware +77 more

Timeline

PublishedMay 9

Description

A TOCTOU in ASP bootloader may allow an attacker to tamper with the SPI ROM following data read to memory potentially resulting in S3 data corruption and information disclosure.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 2.2 | Impact: 5.2

Affected Packages80 packages

▶CVEListV5amd/ryzen™_threadripper™_pro_processors_“chagall”_wsvarious

▶CVEListV5amd/ryzen™_threadripper™_pro_processors_“castle_peak”_wsvarious

▶CVEListV5amd/3rd_gen_amd_ryzen™_threadripper™_processors_“castle_peak”_hedtvarious

▶NVDamd/epyc_7001_firmware< naplespi_1.0.0.h

▶NVDamd/epyc_7002_firmware< romepi_1.0.0.d

🔴Vulnerability Details

GHSA

GHSA-8c2m-2hmv-32px: A TOCTOU in ASP bootloader may allow an attacker to tamper with the SPI ROM following data read to memory potentially resulting in S3 data corruption↗2023-05-09

▶

CVEList

CVE-2021-26356: A TOCTOU in ASP bootloader may allow an attacker to tamper with the SPI ROM following data read to memory potentially resulting in S3 data corruption↗2023-05-09

▶