CVE-2024-21944
Awaiting Analysis - Queue

AMD DIMM SPD Metadata Validation Bypass

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: Advanced Micro Devices Inc.

Description

Improper input validation for DIMM serial presence detect (SPD) metadata could allow an attacker with physical access, ring0 access on a system with a non-compliant DIMM, or control over the Root of Trust for BIOS update, to potentially overwrite guest memory resulting in loss of guest data integrity.

Meta Information

Published: 2026-06-10

Last Modified: 2026-06-10

Generated: 2026-07-01

AI Q&A: 2026-06-11

EPSS Evaluated: 2026-06-30

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
amd 3rd_gen_epyc From 1.0 (inc)
amd 4th_gen_epyc From 1.0 (inc)

Exploitability

CWE-20: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Executive Summary

This vulnerability involves improper input validation related to DIMM serial presence detect (SPD) metadata. An attacker who has physical access, ring0 (kernel-level) access on a system with a non-compliant DIMM, or control over the Root of Trust for BIOS updates could exploit this flaw.

By exploiting this vulnerability, the attacker could potentially overwrite guest memory, which means they could alter or corrupt data stored in the memory of virtual machines or guest systems.

This results in a loss of guest data integrity, meaning the data could be tampered with or become unreliable.

Impact Analysis

The primary impact of this vulnerability is the potential loss of guest data integrity due to memory overwrite attacks.

An attacker with the required access could corrupt or manipulate data in guest memory, which could lead to unreliable or compromised data within virtualized environments.

This could affect system stability and trustworthiness of the data processed or stored by affected systems.

Compliance Impact

CVE-2024-21944 involves a vulnerability that could allow an attacker to overwrite guest memory, resulting in loss of guest data integrity. This loss of data integrity could potentially impact compliance with standards and regulations such as GDPR and HIPAA, which require the protection of data integrity and confidentiality.

However, the provided information does not explicitly describe the direct effects of this vulnerability on compliance with these common standards and regulations.

Detection Guidance

The mitigation status of CVE-2024-21944 can be verified through guest attestation reports and platform status commands, which indicate whether the ALIAS_CHECK mitigation has been applied.

AMD recommends checking these reports and commands to confirm that the updated Platform Initialization (PI) firmware and SEV firmware versions are in place.

Mitigation Strategies

Immediate mitigation steps include updating the Platform Initialization (PI) firmware and SEV firmware (SEV FW) to versions that include the ALIAS_CHECK mitigation.

Additionally, AMD recommends using memory modules with locked SPD and following physical security best practices to prevent unauthorized physical access.
