CVE-2021-46754

CWE-20 — Improper Input Validation3 documents3 sources

Severity

9.1CRITICAL

EPSS

0.2%

top 61.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

AMD AMD Ryzen™ Embedded R1000 AMD AMD Ryzen™ Embedded R2000 AMD AMD Ryzen™ Embedded V1000 +65 more

Timeline

PublishedMay 9

Description

Insufficient input validation in the ASP (AMD Secure Processor) bootloader may allow an attacker with a compromised Uapp or ABL to coerce the bootloader into exposing sensitive information to the SMU (System Management Unit) resulting in a potential loss of confidentiality and integrity.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages68 packages

▶CVEListV5amd/ryzen™_2000_series_mobile_processors_“raven_ridge”_fp5various

▶CVEListV5amd/ryzen™_2000_series_desktop_processors_“raven_ridge”_am4various

▶CVEListV5amd/ryzen™_3000_series_mobile_processors_with_radeon™_graphics_“renoir”various

▶CVEListV5amd/ryzen™_5000_series_mobile_processors_with_radeon™_graphics_“cezanne”various

▶CVEListV5amd/athlon™_3000_series_mobile_processors_with_radeon™_graphics_“pollock”various

🔴Vulnerability Details

CVEList

CVE-2021-46754: Insufficient input validation in the ASP (AMD Secure Processor) bootloader may allow an attacker with a compromised Uapp or ABL to coerce the bootload↗2023-05-09

▶

GHSA

GHSA-gqvv-8rrx-g836: Insufficient input validation in the ASP (AMD Secure Processor) bootloader may allow an attacker with a compromised Uapp or ABL to coerce the bootload↗2023-05-09

▶