CVE-2024-36354
BaseFortify
Publication date: 2025-09-06
Last updated on: 2025-09-23
Assigner: Advanced Micro Devices Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| amd | ryzen | 4000 |
| amd | epyc_embedded | 7003 |
| amd | ryzen_embedded | 8000 |
| amd | epyc | 7001 |
| amd | pro | 5000wx |
| amd | ryzen | 2000 |
| amd | ryzen_embedded | 7000 |
| amd | client_processor | * |
| amd | epyc_embedded | 7002 |
| amd | epyc | 9004 |
| amd | ryzen | 6000 |
| amd | ryzen | 5000 |
| amd | ryzen | 8000 |
| amd | epyc | 7003 |
| amd | pro | 7000 |
| amd | pro | 3000wx |
| amd | ryzen_embedded | 5000 |
| amd | epyc_embedded | 3000 |
| amd | epyc | 7002 |
| amd | epyc_embedded | 900 |
| amd | ryzen_embedded | r2000 |
| amd | ryzen_threadripper | 3000 |
| amd | epyc | 4004 |
| amd | ryzen_embedded | v3000 |
| amd | athlon | 3000 |
| amd | ryzen_embedded | r1000 |
| amd | ryzen | 7000 |
| amd | ryzen_embedded | v2000 |
| amd | epyc | 8004 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1231 | The product uses a trusted lock bit for restricting access to registers, address regions, or other resources, but the product does not prevent the value of the lock bit from being modified after it has been set. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves improper input validation of DIMM serial presence detect (SPD) metadata. An attacker with physical access, ring0 access on a system with a non-compliant DIMM, or control over the Root of Trust for BIOS update could exploit this flaw to bypass System Management Mode (SMM) isolation. This could potentially allow the attacker to execute arbitrary code at the SMM level.
How can this vulnerability impact me?
The vulnerability can allow an attacker to execute arbitrary code at the SMM level, which is a highly privileged mode in the system. This could lead to complete system compromise, including unauthorized control over system operations, data breaches, and potentially persistent malware that is difficult to detect or remove.