CVE-2023-31342

High

Published: 11 February 2025

Published

11 February 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0003 10.3th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

Improper input validation in the SMM handler may allow a privileged attacker to overwrite SMRAM, potentially leading to arbitrary code execution.

Security Summary

CVE-2023-31342 involves improper input validation in the SMM handler, which may allow a privileged attacker to overwrite SMRAM and potentially achieve arbitrary code execution. This vulnerability, associated with CWE-1220, affects AMD systems and was published on 2025-02-11 with a CVSS v3.1 base score of 7.5 (AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).

A local attacker with high privileges can exploit this issue through a high-complexity attack that requires no user interaction. Exploitation enables overwriting of SMRAM, leading to arbitrary code execution with high impacts on confidentiality, integrity, and availability, along with a change in scope.

AMD has addressed this vulnerability in Security Bulletins SB-3009, SB-4008, and SB-5004, which provide details on mitigations and patches.

Details

CWE(s): CWE-1220

References

https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3009.html
psirt@amd.com
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-4008.html
psirt@amd.com
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-5004.html
psirt@amd.com