Cyber Posture

CVE-2024-21924

High

Published: 11 February 2025
Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score: 8.2 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0004 (13.3th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Description

SMM callout vulnerability within the AmdPlatformRasSspSmm driver could allow a ring 0 attacker to modify boot services handlers, potentially resulting in arbitrary code execution.

Security Summary

CVE-2024-21924 is an SMM callout vulnerability in the AmdPlatformRasSspSmm driver on affected AMD platforms. Published on 2025-02-11, the flaw allows a ring 0 attacker to modify boot services handlers, potentially resulting in arbitrary code execution. It carries a CVSS v3.1 base score of 8.2 (AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) and maps to CWE-250.

Exploitation requires local access (AV:L), low attack complexity (AC:L), and high privileges (PR:H), such as ring 0 kernel-level access, with no user interaction (UI:N). Because the scope is changed (S:C), a successful attack reaches beyond the vulnerable component, with high impact on confidentiality, integrity, and availability (C:H/I:H/A:H) through arbitrary code execution.

AMD's security bulletin at https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7028.html provides details on mitigation, including available patches and remediation guidance for affected systems.

Details

CWE(s)
CWE-250

References