CVE-2021-26396Insufficient Verification of Data Authenticity in AMD Epyc 7003 Firmware

CWE-345Insufficient Verification of Data Authenticity3 documents3 sources
Severity
4.4MEDIUMNVD
EPSS
0.0%
top 92.44%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
25
AMD Epyc 7003 FirmwareAMD Epyc 72f3 FirmwareAMD Epyc 7313 Firmware+22 more
Timeline
PublishedJan 11

Description

Insufficient validation of address mapping to IO in ASP (AMD Secure Processor) may result in a loss of memory integrity in the SNP guest.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:LExploitability: 1.8 | Impact: 2.5

Affected Packages25 packages

NVDamd/epyc_7003_firmware< milanpi-sp3_1.0.0.9
NVDamd/epyc_72f3_firmware< milanpi-sp3_1.0.0.9
NVDamd/epyc_7313_firmware< milanpi-sp3_1.0.0.9
NVDamd/epyc_7343_firmware< milanpi-sp3_1.0.0.9
NVDamd/epyc_73f3_firmware< milanpi-sp3_1.0.0.9

🔴Vulnerability Details

2
GHSA
GHSA-82wg-vgc4-3633: Insufficient validation of address mapping to IO in ASP (AMD Secure Processor) may result in a loss of memory integrity in the SNP guest2023-01-11
CVEList
CVE-2021-26396: Insufficient validation of address mapping to IO in ASP (AMD Secure Processor) may result in a loss of memory integrity in the SNP guest2023-01-10
CVE-2021-26396 — AMD Epyc 7003 Firmware vulnerability | cvebase