CVE-2025-48517 — Insufficient Granularity of Access Control in Amd64-microcode

CWE-1220 — Insufficient Granularity of Access Control5 documents5 sources

Severity

4.6MEDIUMNVD

EPSS

0.0%

top 95.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Amd64-microcode

Timeline

PublishedFeb 10

Description

Insufficient Granularity of Access Control in SEV firmware could allow a privileged user with a malicious hypervisor to create a SEV-ES guest with an ASID in the range meant for SEV-SNP guests potentially resulting in a partial loss of confidentiality.

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N

Affected Packages1 packages

▶debiandebian/amd64-microcode

🔴Vulnerability Details

OSV

CVE-2025-48517: Insufficient Granularity of Access Control in SEV firmware could allow a privileged user with a malicious hypervisor to create a SEV-ES guest with an↗2026-02-10

▶

GHSA

GHSA-jhpq-g463-wv89: Insufficient Granularity of Access Control in SEV firmware could allow a privileged user with a malicious hypervisor to create a SEV-ES guest with an↗2026-02-10

▶

📋Vendor Advisories

Debian

CVE-2025-48517: amd64-microcode - Insufficient Granularity of Access Control in SEV firmware could allow a privile...↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2025-48517 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶