CVE-2026-0438 - Vulnerability Details - OpenCVE

ReportizFlow

A System Management Mode (SMM) handler could perform a callout to code located in non-SMM/untrusted memory. A highly privileged attacker could, with active user interaction and under high complexity and present preconditions, trigger execution of attacker-controlled code in SMM, potentially compromising the system’s confidentiality, integrity, and availability.

Attack Vector Physical

Attack Complexity High

Privileges Required High

Attack Requirements Present

User Interaction Active

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-3030.html
https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-4017.html

History

Fri, 15 May 2026 04:15:00 +0000

Type	Values Removed	Values Added
Title		SMM Callout Handler Enables Execution of Untrusted Code

Fri, 15 May 2026 02:00:00 +0000

Type	Values Removed	Values Added
Description		A System Management Mode (SMM) handler could perform a callout to code located in non-SMM/untrusted memory. A highly privileged attacker could, with active user interaction and under high complexity and present preconditions, trigger execution of attacker-controlled code in SMM, potentially compromising the system’s confidentiality, integrity, and availability.
Weaknesses		CWE-1072
References		https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-3030.html https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-4017.html
Metrics		cvssV4_0 `{'score': 5.4, 'vector': 'CVSS:4.0/AV:P/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: AMD

Published: 2026-05-15T01:41:25.568Z

Updated: 2026-05-15T01:42:03.356Z

Reserved: 2025-12-06T13:53:51.228Z

Link: CVE-2026-0438

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-15T02:16:23.637

Modified: 2026-05-15T02:16:23.637

Link: CVE-2026-0438

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0438", "assignerOrgId": "b58fc414-a1e4-4f92-9d70-1add41838648", "state": "PUBLISHED", "assignerShortName": "AMD", "dateReserved": "2025-12-06T13:53:51.228Z", "datePublished": "2026-05-15T01:41:25.568Z", "dateUpdated": "2026-05-15T01:42:03.356Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b58fc414-a1e4-4f92-9d70-1add41838648", "shortName": "AMD", "dateUpdated": "2026-05-15T01:42:03.356Z"}, "datePublic": "2026-05-15T01:40:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-1072", "description": "CWE-1072 Call to Function Pointer from Untrusted Control Sphere in SMM", "type": "CWE"}]}], "affected": [{"vendor": "AMD", "product": "AMD Ryzen\u2122 7040 Series Mobile Processors with Radeon\u2122 Graphics", "versions": [{"status": "unaffected", "version": "PhoenixPI-FP8-FP7_1.2.0.0f"}], "defaultStatus": "affected"}, {"vendor": "AMD", "product": "AMD Ryzen\u2122 7045 Series Mobile Processors with Radeon\u2122 Graphics", "versions": [{"status": "unaffected", "version": "DragonRangeFL1PI 1.0.0.3k"}], "defaultStatus": "affected"}, {"vendor": "AMD", "product": "AMD Ryzen\u2122 7000 Series Desktop Processors", "versions": [{"status": "unaffected", "version": "ComboAM5PI 1.0.0.d"}], "defaultStatus": "affected"}, {"vendor": "AMD", "product": "AMD Ryzen\u2122 9000HX Series Processors", "versions": [{"status": "unaffected", "version": "FireRangeFL1PI 1.0.0.0d"}], "defaultStatus": "affected"}, {"vendor": "AMD", "product": "AMD Ryzen\u2122 AI 300 Series Processors", "versions": [{"status": "unaffected", "version": "StrixKrackanPI-FP8_1.1.0.0e"}], "defaultStatus": "affected"}, {"vendor": "AMD", "product": "AMD Ryzen\u2122 Threadripper\u2122 PRO 7000 WX-Series Processors", "versions": [{"status": "unaffected", "version": "StormPeakPI-SP6 1.0.0.1m"}, {"status": "unaffected", "version": "StormPeakPI-SP6_1.1.0.0k"}], "defaultStatus": "affected"}, {"vendor": "AMD", "product": "AMD Ryzen\u2122 7000 Series Desktop Processors", "versions": [{"status": "unaffected", "version": "ComboAM5PI 1.1.0.3f"}], "defaultStatus": "affected"}, {"vendor": "AMD", "product": "AMD Ryzen\u2122 7000 Series Desktop Processors", "versions": [{"status": "unaffected", "version": "ComboAM5PI_1.2.0.3i"}], "defaultStatus": "affected"}, {"vendor": "AMD", "product": "AMD Ryzen\u2122 8000 Series Desktop Processors", "versions": [{"status": "unaffected", "version": "ComboAM5PI 1.1.0.3f"}], "defaultStatus": "affected"}, {"vendor": "AMD", "product": "AMD Ryzen\u2122 8000 Series Desktop Processors", "versions": [{"status": "unaffected", "version": "ComboAM5PI_1.2.0.3i"}], "defaultStatus": "affected"}, {"vendor": "AMD", "product": "AMD Ryzen\u2122 9000 Series Desktop Processors", "versions": [{"status": "unaffected", "version": "ComboAM5PI_1.2.0.3i"}], "defaultStatus": "affected"}, {"vendor": "AMD", "product": "AMD Ryzen\u2122 8040 Series Mobile Processors with Radeon\u2122 Graphics", "versions": [{"status": "unaffected", "version": "PhoenixPI-FP8-FP7_1.2.0.0f"}], "defaultStatus": "affected"}, {"vendor": "AMD", "product": "AMD Ryzen\u2122 AI Max 300 Series Processors", "versions": [{"status": "unaffected", "version": "StrixHaloPI-FP11_1.0.0.2a"}], "defaultStatus": "affected"}, {"vendor": "AMD", "product": "AMD Ryzen\u2122 Z1 Series Processors", "versions": [{"status": "unaffected", "version": "PhoenixPI-FP8-FP7_1.2.0.0f"}], "defaultStatus": "affected"}, {"vendor": "AMD", "product": "AMD Ryzen\u2122 Z1 Series Processors", "versions": [{"status": "unaffected", "version": "PhoenixPI-FP8-FP7_1.2.0.0f"}], "defaultStatus": "affected"}, {"vendor": "AMD", "product": "AMD Ryzen\u2122 Z2 Series Processors Extreme", "versions": [{"status": "unaffected", "version": "StrixKrackanPI-FP8_1.1.0.2d"}], "defaultStatus": "affected"}, {"vendor": "AMD", "product": "AMD Ryzen\u2122 Z2 Series Processors", "versions": [{"status": "unaffected", "version": "PhoenixPI-FP8-FP7_1.2.0.0f"}], "defaultStatus": "affected"}, {"vendor": "AMD", "product": "AMD Ryzen\u2122 Threadripper\u2122 PRO 7000 WX-Series Processors", "versions": [{"status": "unaffected", "version": "ShimadaPeakPI-SP6 1.0.0.1c"}], "defaultStatus": "affected"}, {"vendor": "AMD", "product": "AMD Ryzen\u2122 Threadripper\u2122 7000 Processors", "versions": [{"status": "unaffected", "version": "ShimadaPeakPI-SP6 1.0.0.1c"}], "defaultStatus": "affected"}, {"vendor": "AMD", "product": "Not public", "versions": [{"status": "unaffected", "version": "StrixKrackanPI-FP8_1.1.0.2d"}], "defaultStatus": "affected"}, {"vendor": "AMD", "product": "AMD Ryzen\u2122 Threadripper\u2122 9000 Processors", "versions": [{"status": "unaffected", "version": "ShimadaPeakPI-SP6 1.0.0.1c"}], "defaultStatus": "affected"}, {"vendor": "AMD", "product": "AMD Ryzen\u2122 Threadripper\u2122 PRO 9000 WX-Series Processors", "versions": [{"status": "unaffected", "version": "ShimadaPeakPI-SP6 1.0.0.1c"}], "defaultStatus": "affected"}, {"vendor": "AMD", "product": "AMD Ryzen\u2122 7000 Series Desktop Processors (formerly codenamed \"Raphael\")", "versions": [{"status": "unaffected", "version": "ComboAM5PI_1.3.0.0"}], "defaultStatus": "affected"}, {"vendor": "AMD", "product": "AMD Ryzen\u2122 8000 Series Desktop Processors (formerly codenamed \"Phoenix\")", "versions": [{"status": "unaffected", "version": "ComboAM5PI_1.3.0.0"}], "defaultStatus": "affected"}, {"vendor": "AMD", "product": "AMD Ryzen\u2122 9000 Series Desktop Processors (formerly codenamed \"Granite Ridge\")", "versions": [{"status": "unaffected", "version": "ComboAM5PI_1.3.0.0"}], "defaultStatus": "affected"}, {"vendor": "AMD", "product": "AMD Ryzen\u2122 Embedded 9000 Series Processors", "versions": [{"status": "unaffected", "version": "EmbeddedAM5PI 1.0.0.5"}], "defaultStatus": "affected"}, {"vendor": "AMD", "product": "AMD Ryzen\u2122 Embedded 8000 Series Processors", "versions": [{"status": "unaffected", "version": "EmbeddedPhoenixPI-FP7r2_1.0.0.4"}], "defaultStatus": "affected"}, {"vendor": "AMD", "product": "AMD Ryzen\u2122 Embedded 7000 Series Processors", "versions": [{"status": "unaffected", "version": "EmbeddedAM5PI 1.0.0.5"}], "defaultStatus": "affected"}, {"vendor": "AMD", "product": "AMD EPYC\u2122 4004 Series Processors", "versions": [{"status": "unaffected", "version": "ComboAM5PI 1.0.0.d / ComboAM5PI 1.1.0.3f / ComboAM5PI_1.2.0.3i"}], "defaultStatus": "affected"}, {"vendor": "AMD", "product": "AMD EPYC\u2122 4005 Series Processors", "versions": [{"status": "unaffected", "version": "ComboAM5PI_1.2.0.3i"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "A System Management Mode (SMM) handler could perform a callout to code located in non-SMM/untrusted memory. A highly privileged attacker could, with active user interaction and under high complexity and present preconditions, trigger execution of attacker-controlled code in SMM, potentially compromising the system\u2019s confidentiality, integrity, and availability.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "A System Management Mode (SMM) handler could perform a callout to code located in non-SMM/untrusted memory. A highly privileged attacker could, with active user interaction and under high complexity and present preconditions, trigger execution of attacker-controlled code in SMM, potentially compromising the system\u2019s confidentiality, integrity, and availability.<br>"}]}], "references": [{"url": "https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-3030.html"}, {"url": "https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-4017.html"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "PHYSICAL", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.4, "vectorString": "CVSS:4.0/AV:P/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "AMD PSIRT Automation 1.0"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A System Management Mode (SMM) handler could perform a callout to code located in non-SMM/untrusted memory. A highly privileged attacker could, with active user interaction and under high complexity and present preconditions, trigger execution of attacker-controlled code in SMM, potentially compromising the system\u2019s confidentiality, integrity, and availability."}], "id": "CVE-2026-0438", "lastModified": "2026-05-15T02:16:23.637", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "PHYSICAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:P/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "[email protected]", "type": "Secondary"}]}, "published": "2026-05-15T02:16:23.637", "references": [{"source": "[email protected]", "url": "https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-3030.html"}, {"source": "[email protected]", "url": "https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-4017.html"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1072"}], "source": "[email protected]", "type": "Secondary"}]}