CVE-2021-46792: Time-of-check Time-of-use (TOCTOU) Race Condition in AMD Athlon 3000 Series Mobile Processors With Radeon Graphics Dali Dali ULP

Description

Time-of-check Time-of-use (TOCTOU) in the BIOS2PSP command may allow an attacker with a malicious BIOS to create a race condition causing the ASP bootloader to perform out-of-bounds SRAM reads upon an S3 resume event potentially leading to a denial of service.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 2.2 | Impact: 3.6

Affected Packages: 62 packages

NVD | amd/ryzen_1200_firmware | pinnaclepi-am4_1.0.0.7, raven-fp5-am4_1.0.0.9 +1
NVD | amd/ryzen_1600_firmware | pinnaclepi-am4_1.0.0.7, raven-fp5-am4_1.0.0.9 +1
NVD | amd/ryzen_2600_firmware | pinnaclepi-am4_1.0.0.7, raven-fp5-am4_1.0.0.9 +1
NVD | amd/ryzen_2700_firmware | pinnaclepi-am4_1.0.0.7, raven-fp5-am4_1.0.0.9 +1
NVD | amd/ryzen_3100_firmware | comboam4v2_pi_1.2.0.5, picasso_pi-fp5_1.0.0.4, renoirpi-fp6_1.0.0.7 +2

Vulnerability Details (2)

CVEList
CVE-2021-46792: Time-of-check Time-of-use (TOCTOU) in the BIOS2PSP command may allow an attacker with a malicious BIOS to create a race condition causing the ASP boot | 2023-05-09
GHSA
GHSA-38q7-2qqc-fvvr: Time-of-check Time-of-use (TOCTOU) in the BIOS2PSP command may allow an attacker with a malicious BIOS to create a race condition causing the ASP boot | 2023-05-09
CVE-2021-46792 — AMD vulnerability | cvebase