CVE-2023-31345

High

Published: 12 February 2025

Published

12 February 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0003 10.0th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

Improper input validation in the SMM handler may allow a privileged attacker to overwrite SMRAM, potentially leading to arbitrary code execution.

Security Summary

CVE-2023-31345 involves improper input validation in the SMM handler, which may allow a privileged attacker to overwrite SMRAM, potentially leading to arbitrary code execution. This vulnerability, associated with CWE-1274, affects AMD platforms, as documented in multiple AMD security bulletins.

Exploitation requires local access (AV:L), high attack complexity (AC:H), and high privileges (PR:H), with no user interaction (UI:N). A successful attack can achieve high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) within a changed scope (S:C), yielding a CVSS v3.1 base score of 7.5.

AMD has published security bulletins, including AMD-SB-3009, AMD-SB-4008, and AMD-SB-5004, which detail mitigations and patches to address this issue. The vulnerability was published on 2025-02-12.

Details

CWE(s): CWE-1274

References

https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3009.html
psirt@amd.com
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-4008.html
psirt@amd.com
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-5004.html
psirt@amd.com