Description
Improper input validation in the AMD OverDrive (AOD) System Management Mode (SMM) module could allow a privileged attacker to perform an out-of-bounds read, potentially resulting in loss of confidentiality.
Published: 2026-05-15
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper input validation flaw in the AMD OverDrive (AOD) System Management Mode (SMM) module allows a privileged attacker to read memory beyond the intended bounds. The vulnerability could expose sensitive data stored in those memory regions, but it does not enable code execution or denial of service. The flaw is rated with a CVSS score of 4.6, reflecting a moderate impact for confidentiality only.

Affected Systems

Affected products include AMD EPYC 4004 and 4005 processors, all variants of the AMD Ryzen 6000‑ through 9000‑Series Desktop and Mobile processors, associated Radeon graphics chips, the Ryzen Threadripper and Threadripper PRO 7000 lines, the Ryzen AI 300 Series, the Ryzen Embedded 7000‑ through 9000‑Series, and the Ryzen Embedded V3000 Series. No specific firmware or BIOS version is indicated in the advisory, so all releases of these processors that include the AOD SMM module are potentially impacted.

Risk and Exploitability

The vulnerability is accessible only to a privileged intruder with write access to the SMM environment, which typically requires either physical access or root/administrator privileges. The CVSS base score of 4.6 indicates low to moderate severity, and the EPSS score is not available, suggesting limited publicly known exploitation attempts. The issue is not listed in the CISA KEV catalogue. The attack vector is, therefore, the local privileged domain, and the risk to systems remains limited unless an attacker can elevate privileges to the SMM level.

Generated by OpenCVE AI on May 15, 2026 at 03:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for the latest AMD BIOS or firmware updates that address the AMD SB‑3030 and SB‑4017 advisories and apply them as soon as they become available.
  • If no update is immediately available, disable the AMD OverDrive (AOD) feature or SMM mode through the system BIOS/UEFI settings to eliminate the vulnerable execution path.
  • Ensure that only trusted users have privileged access to the system and restrict physical access to the hardware to prevent local privilege escalation.

Generated by OpenCVE AI on May 15, 2026 at 03:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 15 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 15 May 2026 03:45:00 +0000

Type Values Removed Values Added
Title Out‑of‑Bounds Read in AMD OverDrive SMM Module

Fri, 15 May 2026 02:00:00 +0000

Type Values Removed Values Added
Description Improper input validation in the AMD OverDrive (AOD) System Management Mode (SMM) module could allow a privileged attacker to perform an out-of-bounds read, potentially resulting in loss of confidentiality.
Weaknesses CWE-1274
References
Metrics cvssV4_0

{'score': 4.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: AMD

Published:

Updated: 2026-05-15T13:29:37.501Z

Reserved: 2024-05-23T19:44:47.200Z

Link: CVE-2024-36345

cve-icon Vulnrichment

Updated: 2026-05-15T13:29:32.406Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-15T02:16:20.773

Modified: 2026-05-15T14:10:17.083

Link: CVE-2024-36345

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T03:30:35Z

Weaknesses