CVE-2024-36354 - Vulnerability Details

Improper input validation for DIMM serial presence detect (SPD) metadata could allow an attacker with physical access, ring0 access on a system with a non-compliant DIMM, or control over the Root of Trust for BIOS update, to bypass SMM isolation potentially resulting in arbitrary code execution at the SMM level.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Amd	Athlon Athlon 3000 Epyc Epyc 4004 Epyc 7001 Epyc 7002 Epyc 7003 Epyc 8004 Epyc 9004 Epyc Embedded 3000 Epyc Embedded 7002

No data.

References

Link	Providers
https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-3014.html
https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-4012.html
https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-5007.html

History

Mon, 08 Sep 2025 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Amd Amd athlon Amd athlon 3000 Amd epyc Amd epyc 4004 Amd epyc 7001 Amd epyc 7002 Amd epyc 7003 Amd epyc 8004 Amd epyc 9004 Amd epyc Embedded 3000 Amd epyc Embedded 7002
Vendors & Products		Amd Amd athlon Amd athlon 3000 Amd epyc Amd epyc 4004 Amd epyc 7001 Amd epyc 7002 Amd epyc 7003 Amd epyc 8004 Amd epyc 9004 Amd epyc Embedded 3000 Amd epyc Embedded 7002

Mon, 08 Sep 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Sat, 06 Sep 2025 18:15:00 +0000

Type	Values Removed	Values Added
Description		Improper input validation for DIMM serial presence detect (SPD) metadata could allow an attacker with physical access, ring0 access on a system with a non-compliant DIMM, or control over the Root of Trust for BIOS update, to bypass SMM isolation potentially resulting in arbitrary code execution at the SMM level.
Weaknesses		CWE-20
References		https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-3014.html https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-4012.html https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-5007.html
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: AMD

Published: 2025-09-06T18:06:43.084Z

Updated: 2025-09-09T03:55:24.891Z

Reserved: 2024-05-23T19:44:50.000Z

Link: CVE-2024-36354

Vulnrichment

Updated: 2025-09-08T14:36:03.042Z

NVD

Status : Awaiting Analysis

Published: 2025-09-06T18:15:40.297

Modified: 2025-09-08T16:25:38.810

Link: CVE-2024-36354

Redhat

No data.

Metrics

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object