Impact
Improper input validation in the AMD Secure Processor (ASP) PCI driver can cause a buffer overflow when processed data exceeds the expected bounds. This overflow may trigger an abnormal termination of the driver, leading to a system crash or denial of service. The flaw is a classic out‑of‑bounds write vulnerability (CWE-120) and is exploitable only by a user with local privileges on the affected system.
Affected Systems
The vulnerability affects multiple AMD processor families, including EPYC 4004–4005, embedded 4004, 4005, 8004 and 9005 series, and a broad range of Ryzen processors across mobile, desktop, embedded, Threadripper, and PRO lines such as 2000 Mobile, 3000 Desktop, 5000 and 7000 series, the 7045 Mobile, 9000 Desktop, 9000HX, AI 300 and AI Max 300 series, as well as the Ryzen Embedded 7000, 8000, 9000, R1000, R2000, V1000, V2000, Z1 and Z2 series. All of these processors rely on the ASP PCI driver and are susceptible when the specific firmware or driver version includes the unvalidated input handling.
Risk and Exploitability
The CVSS score of 6.9 indicates moderate severity. The EPSS score is not available, and the lack of a record in CISA’s KEV catalog suggests no publicly known exploits currently exist. Exploitation requires local access and the ability to interact with the ASP driver, so an attacker who gains local user privileges or can execute code on the system can trigger the overflow to crash or disable the driver and cause a denial of service. In the absence of network exposure, the primary risk comes from internal threats or compromised systems where local privileges have been obtained.