Description
An observable timing discrepancy in the ASP could allow a privileged attacker to perform a brute-force attack against the hash message authentication code, allowing arbitrary message input, potentially leading to a loss of data integrity.
Published: 2026-06-26
Score: 1.8 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from an observable timing discrepancy in the AMD Secure Processor (ASP), allowing a privileged attacker to perform brute‑force attacks against the hash message authentication code. By exploiting this timing leakage, an attacker can inject arbitrary message inputs, resulting in compromised data integrity without affecting confidentiality or availability.

Affected Systems

The flaw affects AMD Ryzen 3000, 5000, Threadripper 3000, Threadripper PRO 3000WX, and Threadripper PRO 5000WX series desktop processors.

Risk and Exploitability

The CVSS score of 1.8 classifies this issue as low severity; the EPSS score is not provided, and it is not listed in CISA’s KEV catalog. The attack requires privileged access to the ASP, making exploitation of this weakness unlikely on a typical system. As the impact is limited to data integrity, the overall risk to most environments is considered minimal, though high‑value targets with privileged ASP access should consider monitoring.

Generated by OpenCVE AI on June 26, 2026 at 17:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check AMD’s security bulletins for firmware or microcode updates that address the ASP timing discrepancy.
  • Apply any available microcode or BIOS firmware updates to the affected processors once released.
  • Restrict privileged access to the AMD Secure Processor and monitor for any anomalous authentication requests.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 17:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 16:00:00 +0000

Type | Values Removed | Values Added
Description | | An observable timing discrepancy in the ASP could allow a privileged attacker to perform a brute-force attack against the hash message authentication code, allowing arbitrary message input, potentially leading to a loss of data integrity.
Weaknesses | | CWE-208
References | |
Metrics | | cvssV4_0 {'score': 1.8, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: AMD

Published:

Updated: 2026-06-26T16:00:59.349Z

Reserved: 2022-10-27T18:53:39.742Z

Link: CVE-2023-20540

Vulnrichment

Updated: 2026-06-26T16:00:53.648Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T17:45:03Z

Weaknesses
  • CWE-208: Observable Timing Discrepancy