The vulnerability arises from incorrect default permissions on the installation directory of AMD's general‑purpose input/output controller (GPIO). An attacker who gains access to that directory can modify or replace files, enabling them to execute arbitrary code with elevated privileges. This flaw satisfies CWE‑276, indicating a weakness in access control that permits unauthorised file manipulation. As the attacker must be able to reach the GPIO driver installation path, the impact is primarily local – any user with write access to that directory can raise their own privileges or compromise system security.

AMD processors and chipsets across a wide range of AMD offerings, including Athlon, EPYC, Ryzen, Ryzen Threadripper, Ryzen Embedded and Ryzen AI series. The affected hardware spans desktop, mobile, server, embedded, and AI accelerator product lines. No specific firmware version numbers are listed, so all variants using the current GPIO installation directory layout are potentially vulnerable unless a firmware update has corrected the permissions.

The CVSS score of 7 indicates a medium severity vulnerability. No EPSS score is reported, so the publicly known exploitation likelihood remains uncertain. The flaw is not listed in the CISA KEV catalog, suggesting no known active exploit but also no assurance against potential attacks. The required condition is that the attacker can write to the installation directory, which typically requires some local foothold or misconfiguration granting write permissions. Mitigation through a firmware update that restores correct ownership and mode of the directory significantly reduces the risk.