Cyber Posture

CVE-2024-21925

Severity: High

Published: 11 February 2025
Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score: 8.2 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0007 (20.9th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Improper input validation within the AmdPspP2CmboxV2 driver may allow a privileged attacker to overwrite SMRAM, leading to arbitrary code execution.

Security Summary

CVE-2024-21925 is an improper input validation vulnerability (CWE-20) in the AmdPspP2CmboxV2 driver on AMD platforms. Published on 2025-02-11, it enables a privileged attacker to overwrite SMRAM, potentially leading to arbitrary code execution. The issue carries a CVSS v3.1 base score of 8.2 (AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), rated high severity: the attack vector is local, attack complexity is low, high privileges are required, no user interaction is needed, the scope is changed (the impact extends beyond the vulnerable component into SMM), and confidentiality, integrity, and availability impacts are all high.

A local attacker who already holds high-level privileges can exploit this vulnerability by passing malformed input to the AmdPspP2CmboxV2 driver. Because the resulting write lands in SMRAM, code running in System Management Mode can be altered, granting execution at a privilege level above the operating system and hypervisor and potentially compromising the entire system.

AMD has addressed this issue in Security Bulletin AMD-SB-7027, available at https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7027.html, which provides details on affected products and recommended mitigations or patches.

Details

CWE(s): CWE-20 (Improper Input Validation)

References
AMD Security Bulletin AMD-SB-7027: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7027.html