Description
Improper input validation for DIMM serial presence detect (SPD) metadata could allow an attacker with physical access, ring0 access on a system with a non-compliant DIMM, or control over the Root of Trust for BIOS update, to potentially overwrite guest memory resulting in loss of guest data integrity.
Published: 2026-06-10
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Serial Presence Detect (SPD) is the small EEPROM on a DIMM that describes the module to the platform (DRAM type, organization, capacity, timings); firmware on AMD EPYC processors reads this metadata during memory initialization to configure the memory controller. The routine that consumes it fails to properly validate the data format, so a malformed or attacker-controlled value can reach a write path that lands in guest memory. The result is corruption or loss of data in the memory space of a virtual machine, undermining the integrity of guest workloads.
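
To make the mechanism concrete, the following is an added example written for this page (it is not AMD firmware or any vendor code): it decodes a DDR4 SPD image the way a memory-initialization routine has to, checking the DRAM type byte, the JEDEC CRC16 over the base section, and the range of every encoded field before deriving a module capacity, and contrasts that with a hypothetical decoder that trusts the fields as read. Byte offsets and encodings follow the JEDEC DDR4 SPD layout; the sample SPD image, the error codes and all function names are constructed here. The details of the actual AMD flaw are not public on this page, so this illustrates the CWE-20 class, not the specific bug.

```c
/* Added example, not AMD firmware: decode and validate a DDR4 SPD image.
   Offsets/encodings follow the JEDEC DDR4 SPD layout; the sample module,
   error codes and the "unchecked" decoder are constructed for this page. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SPD_LEN       512   /* DDR4 SPD EEPROM size in bytes */
#define SPD_CRC_BYTES 126   /* base-section CRC16 covers bytes 0..125 */

enum spd_status { SPD_OK = 0, SPD_ERR_TYPE = -1, SPD_ERR_CRC = -2, SPD_ERR_RANGE = -3 };
struct spd_info { uint32_t die_mbit, device_width, ranks, bus_width; uint64_t module_mib; };

/* JEDEC SPD CRC16: polynomial 0x1021, initial value 0, no reflection. */
static uint16_t spd_crc16(const uint8_t *p, size_t n) {
    uint16_t crc = 0;
    for (size_t i = 0; i < n; i++) {
        crc ^= (uint16_t)(p[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Byte 4 bits 3:0 -> per-die capacity in Mbit; 0 marks a reserved encoding. */
static const uint32_t ddr4_density_mbit[16] = {
    256, 512, 1024, 2048, 4096, 8192, 16384, 32768, 12288, 24576, 0, 0, 0, 0, 0, 0 };

/* Validated decoder: type, CRC and every field are checked before use. */
enum spd_status spd_parse_ddr4(const uint8_t *spd, size_t len, struct spd_info *out) {
    if (spd == NULL || out == NULL || len < SPD_LEN) return SPD_ERR_RANGE;
    if (spd[2] != 0x0C) return SPD_ERR_TYPE;                      /* byte 2: 0x0C = DDR4 */
    uint16_t stored = (uint16_t)(spd[126] | (spd[127] << 8));    /* CRC LSB at byte 126 */
    if (spd_crc16(spd, SPD_CRC_BYTES) != stored) return SPD_ERR_CRC;
    uint32_t density = spd[4] & 0x0F;          /* byte 4 bits 3:0 */
    uint32_t width   = spd[12] & 0x07;         /* byte 12 bits 2:0: 0=x4 .. 3=x32 */
    uint32_t ranks   = (spd[12] >> 3) & 0x07;  /* byte 12 bits 5:3: ranks - 1 */
    uint32_t bus     = spd[13] & 0x07;         /* byte 13 bits 2:0: 0=8 .. 3=64 bits */
    if (ddr4_density_mbit[density] == 0 || width > 3 || bus > 3) return SPD_ERR_RANGE;
    out->die_mbit = ddr4_density_mbit[density];
    out->device_width = 4u << width;
    out->ranks = ranks + 1;
    out->bus_width = 8u << bus;
    /* JEDEC: MiB = die_Mbit/8 * bus_width/device_width * ranks. A real
       memory-init path would also cap this at what the platform supports. */
    out->module_mib = (uint64_t)out->die_mbit / 8 * out->bus_width / out->device_width * out->ranks;
    return SPD_OK;
}

/* Hypothetical unchecked decoder for contrast: it trusts every field. The shift
   form is a simplification (wrong for the 12/24 Gb codes) chosen to make the
   effect visible: reserved code 0xF becomes an 8 Tbit "die". */
uint64_t spd_capacity_unchecked_mib(const uint8_t *spd) {
    uint64_t die_mbit = 256ull << (spd[4] & 0x0F);
    uint32_t dev_w = 4u << (spd[12] & 0x07), bus_w = 8u << (spd[13] & 0x07);
    uint32_t ranks = ((spd[12] >> 3) & 0x07) + 1;
    return die_mbit / 8 * bus_w / dev_w * ranks;
}

/* Constructed sample: a 2Rx8 DDR4 RDIMM whose density code is the caller's,
   with the CRC written last so the image is self-consistent. */
static void make_sample_spd(uint8_t *spd, uint8_t density_code) {
    memset(spd, 0, SPD_LEN);
    spd[0] = 0x23;  spd[1] = 0x12;  spd[2] = 0x0C;  spd[3] = 0x01;   /* 512B, rev 1.2, DDR4, RDIMM */
    spd[4] = (uint8_t)(0x40 | (density_code & 0x0F));               /* 4 bank groups, density code */
    spd[12] = 0x09; /* 2 ranks (code 1), x8 devices (code 1) */
    spd[13] = 0x03; /* 64-bit primary bus */
    uint16_t crc = spd_crc16(spd, SPD_CRC_BYTES);
    spd[126] = (uint8_t)(crc & 0xFF); spd[127] = (uint8_t)(crc >> 8);
}

uint64_t demo_valid_module_mib(void) {          /* code 5 = 8 Gb dies -> 16 GiB */
    uint8_t spd[SPD_LEN]; struct spd_info info;
    make_sample_spd(spd, 0x05);
    return spd_parse_ddr4(spd, SPD_LEN, &info) == SPD_OK ? info.module_mib : 0;
}
int demo_flip_stale_crc(void) {   /* density flipped after the CRC was written */
    uint8_t spd[SPD_LEN]; struct spd_info info;
    make_sample_spd(spd, 0x05); spd[4] = 0x4F;
    return spd_parse_ddr4(spd, SPD_LEN, &info);
}
int demo_flip_fresh_crc(void) {   /* density flipped and CRC recomputed */
    uint8_t spd[SPD_LEN]; struct spd_info info;
    make_sample_spd(spd, 0x0F);
    return spd_parse_ddr4(spd, SPD_LEN, &info);
}
uint64_t demo_unchecked_flipped_mib(void) {
    uint8_t spd[SPD_LEN];
    make_sample_spd(spd, 0x0F);
    return spd_capacity_unchecked_mib(spd);
}

int main(void) {
    printf("valid: %llu MiB, stale-CRC flip: %d, fresh-CRC flip: %d, unchecked flip: %llu MiB\n",
           (unsigned long long)demo_valid_module_mib(), demo_flip_stale_crc(),
           demo_flip_fresh_crc(), (unsigned long long)demo_unchecked_flipped_mib());
    return 0;
}
```

The CRC deserves a caveat: it protects against corruption, not tampering. An attacker with physical access, or with whatever access lets them rewrite the SPD EEPROM, simply recomputes it, which is why the fresh-CRC case passes the CRC check and is stopped only by the per-field range check. Validating every field against its specified encoding, and capping the derived sizes at what the platform actually supports, is the defense the CWE-20 classification points to; the unchecked decoder shows how far a single reserved code can push a derived value that later feeds address-map setup.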

Affected Systems

Systems built on AMD EPYC 7003 and 9004 series processors that are populated with non-compliant or tampered DIMMs. The flaw lies in the firmware code that parses SPD data, so it does not depend on the guest OS or hypervisor in use.

Risk and Exploitability

The CVSS 3.1 score of 5.3 (AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N) indicates moderate severity: local access, high attack complexity and high privileges are required, the impact is to integrity only, and the changed scope reflects that a flaw in platform firmware reaches into a guest's memory. Exploitation requires physical access, ring-0 execution on a host with a non-compliant DIMM, or control over the Root of Trust for BIOS update, all of which are high-privilege positions. EPSS is below 1% (very low), and the issue is not currently listed in CISA KEV. An attacker who already holds the necessary access could overwrite guest memory and compromise data integrity; casual or remote attackers are unlikely to succeed without the elevated privileges noted.

Generated by OpenCVE AI on June 10, 2026 at 23:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Replace or remove DIMMs that do not comply with the JEDEC SPD specification; non-compliant or tampered modules are the attack vector.
  • Restrict physical access to the chassis and enforce strict server rack security.
  • Apply the BIOS/firmware release that validates SPD data correctly as soon as the platform vendor publishes one; until then, monitor vendor advisories for a formal fix.

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 14:30:00 +0000

Type: Metrics
Values Removed: (empty)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 11 Jun 2026 10:45:00 +0000

Type: First Time appeared
Values Removed: (empty)
Values Added: Amd; Amd epyc 7003 Series Processors; Amd epyc 9004 Series Processors

Type: Vendors & Products
Values Removed: (empty)
Values Added: Amd; Amd epyc 7003 Series Processors; Amd epyc 9004 Series Processors

Wed, 10 Jun 2026 23:45:00 +0000

Type: Title
Values Removed: (empty)
Values Added: DIMM SPD Metadata Validation Error Allows Guest Memory Overwrite

Wed, 10 Jun 2026 22:30:00 +0000

Type: Description
Values Removed: (empty)
Values Added: Improper input validation for DIMM serial presence detect (SPD) metadata could allow an attacker with physical access, ring0 access on a system with a non-compliant DIMM, or control over the Root of Trust for BIOS update, to potentially overwrite guest memory resulting in loss of guest data integrity.

Type: Weaknesses
Values Removed: (empty)
Values Added: CWE-20

Type: References
Values Removed: (empty)
Values Added: (empty)

Type: Metrics
Values Removed: (empty)
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N'}

Subscriptions

Amd
  • Epyc 7003 Series Processors
  • Epyc 9004 Series Processors

MITRE

Status: PUBLISHED

Assigner: AMD

Published:

Updated: 2026-06-11T13:28:14.229Z

Reserved: 2024-01-03T16:43:21.322Z

Link: CVE-2024-21944

Vulnrichment

Updated: 2026-06-11T13:28:10.713Z

NVD

Status : Awaiting Analysis

Published: 2026-06-10T23:16:44.950

Modified: 2026-06-11T14:43:18.997

Link: CVE-2024-21944

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T10:30:11Z

Weaknesses
  • CWE-20: Improper Input Validation