AMD Graphics Driver Vulnerabilities – August 2024 

AMD ID: AMD-SB-6005
Potential Impact: Varies by CVE, see descriptions below
Severity: Varies by CVE, see descriptions below

Summary

AMD received reports of vulnerabilities potentially affecting some AMD Graphics products. Refer to the CVE Details section for information about each CVE.

CVE Details

Refer to Glossary for explanation of terms

| CVE | CVSS 3.1 Base Score | CVE Description |
| --- | --- | --- |
| CVE-2021-26367 | 5.7 (Medium) AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H | A malicious attacker in x86 can misconfigure the Trusted Memory Regions (TMRs), which may allow the attacker to set an arbitrary address range for the TMR, potentially leading to a loss of integrity and availability. |
| CVE-2023-20509 | 5.2 (Medium) AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:L | An insufficient DRAM address validation in PMFW may allow a privileged attacker to perform a DMA read from an invalid DRAM address to SRAM, potentially resulting in loss of data integrity. |
| CVE-2023-31310 | 5.0 (Medium) AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L | Improper input validation in Power Management Firmware (PMFW) may allow an attacker with privileges to send a malformed input for the "set temperature input selection" command, potentially resulting in a loss of integrity and/or availability. |
| CVE-2023-20510 | 4.7 (Medium) AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H | An insufficient DRAM address validation in PMFW may allow a privileged attacker to read from an invalid DRAM address to SRAM, potentially resulting in data corruption or denial of service. |
| CVE-2023-20513 | 3.4 (Low) AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L | An insufficient bounds check in PMFW (Power Management Firmware) may allow an attacker to utilize a malicious VF (virtualization function) to send a malformed message, potentially resulting in a denial of service. |
| CVE-2023-31304 | 2.3 (Low) AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L | Improper input validation in SMU may allow an attacker with privileges and a compromised physical function (PF) to modify the PCIe® lane count and speed, potentially leading to a loss of availability. |
| CVE-2023-31307 | 2.3 (Low) AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L | Improper validation of array index in Power Management Firmware (PMFW) may allow a privileged attacker to cause an out-of-bounds memory read within PMFW, potentially leading to a denial of service. |
| CVE-2023-20512 | 1.9 (Low) AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N | A hardcoded AES key in PMFW may result in a privileged attacker gaining access to the key, potentially resulting in internal debug information leakage. |
| CVE-2023-31305 | 1.9 (Low) AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N | Generation of weak and predictable Initialization Vector (IV) in PMFW (Power Management Firmware) may allow an attacker with privileges to reuse IV values to reverse-engineer debug data, potentially resulting in information disclosure. |

Affected Products and Mitigation

AMD recommends updating to the AMD graphics driver version (or later) indicated below. 

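Graphics Cards

| Applicable CVE(s) | CVSS Score | AMD Radeon™ RX 6000 Series Graphics Cards | AMD Radeon™ PRO W6000 Series Graphics Cards | AMD Radeon™ RX 7000 Series Graphics Cards | AMD Radeon™ PRO W7000 Series Graphics Cards |
| --- | --- | --- | --- | --- | --- |
| CVE-2021-26367 | 5.7 (Medium) | AMD Software: Adrenalin Edition 23.12.1 (23.30.13.01) | AMD Software: PRO Edition 23.Q4 (23.30.13.03) | Not affected | Not affected |
| CVE-2023-31310 | 5.0 (Medium) | AMD Software: Adrenalin Edition 23.12.1 (23.30.13.01) | AMD Software: PRO Edition 23.Q4 (23.30.13.03) | Not affected | Not affected |
| CVE-2023-20510 | 4.7 (Medium) | AMD Software: Adrenalin Edition 23.12.1 (23.30.13.01) | AMD Software: PRO Edition 23.Q4 (23.30.13.03) | Not affected | Not affected |
| CVE-2023-20513 | 3.4 (Low) | AMD Software: Adrenalin Edition 23.12.1 (23.30.13.01) | AMD Software: PRO Edition 23.Q4 (23.30.13.03) | Not affected | Not affected |
| CVE-2023-31304 | 2.3 (Low) | AMD Software: Adrenalin Edition 23.12.1 (23.30.13.01) | AMD Software: PRO Edition 23.Q4 (23.30.13.03) | Not affected | Not affected |
| CVE-2023-31307 | 2.3 (Low) | AMD Software: Adrenalin Edition 23.12.1 (23.30.13.01) | AMD Software: PRO Edition 23.Q4 (23.30.13.03) | Not affected | Not affected |
| CVE-2023-20512 | 1.9 (Low) | AMD Software: Adrenalin Edition 23.12.1 (23.30.13.01) | AMD Software: PRO Edition 23.Q4 (23.30.13.03) | Not affected | Not affected |
| CVE-2023-31305 | 1.9 (Low) | AMD Software: Adrenalin Edition 23.12.1 (23.30.13.01) | AMD Software: PRO Edition 23.Q4 (23.30.13.03) | Not affected | Not affected |
| CVE-2023-20509 | 5.2 (Medium) | AMD Software: Adrenalin Edition 23.12.1 (23.30.13.01) | AMD Software: PRO Edition 23.Q4 (23.30.13.03) | AMD Software: Adrenalin Edition 23.12.1 (23.30.13.01) | AMD Software: PRO Edition 23.Q4 (23.30.13.03) |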
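
The "version (or later)" check from the Graphics Cards table can be automated across an inventory. The following is an added example, not AMD code: it assumes each inventory record carries the four-field build string the table shows in parentheses, and the host names and the `parse_build`, `open_cves` and `triage` helpers are hypothetical.

```python
# Added example, not AMD code. Baselines and CVE lists are transcribed from the
# Graphics Cards table in this bulletin.
FIXED_BUILD = {"Adrenalin": "23.30.13.01", "PRO": "23.30.13.03"}
EDITION = {"RX 6000": "Adrenalin", "PRO W6000": "PRO",
           "RX 7000": "Adrenalin", "PRO W7000": "PRO"}
ALL_CVES = ["CVE-2021-26367", "CVE-2023-31310", "CVE-2023-20510",
            "CVE-2023-20513", "CVE-2023-31304", "CVE-2023-31307",
            "CVE-2023-20512", "CVE-2023-31305", "CVE-2023-20509"]
# The 7000-series columns read "Not affected" for every CVE except CVE-2023-20509.
APPLICABLE = {"RX 6000": ALL_CVES, "PRO W6000": ALL_CVES,
              "RX 7000": ["CVE-2023-20509"], "PRO W7000": ["CVE-2023-20509"]}


def parse_build(text):
    """'23.30.13.01' -> (23, 30, 13, 1); rejects anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised build string: {text!r}")
    return tuple(int(p) for p in parts)


def open_cves(series, installed_build):
    """CVEs from this bulletin that remain unpatched for one card and build."""
    fixed = parse_build(FIXED_BUILD[EDITION[series]])
    have = parse_build(installed_build)
    width = max(len(fixed), len(have))
    pad = lambda v: v + (0,) * (width - len(v))  # treat "23.30" as "23.30.0.0"
    return [] if pad(have) >= pad(fixed) else list(APPLICABLE[series])


def triage(inventory):
    """Map host -> open CVEs, keeping only hosts that still need the update."""
    report = {}
    for host, series, build in inventory:
        try:
            cves = open_cves(series, build)
        except (KeyError, ValueError) as exc:
            cves = [f"UNKNOWN: {exc}"]  # surface bad records instead of passing them
        if cves:
            report[host] = cves
    return report


# Constructed sample inventory (hypothetical hosts): (host, series, installed build)
SAMPLE = [("ws-01", "RX 6000", "23.30.13.01"),   # at baseline: patched
          ("ws-02", "RX 6000", "23.9.1.0"),      # older; a string compare would pass it
          ("ws-03", "PRO W7000", "23.20.0.0"),   # only CVE-2023-20509 applies
          ("ws-04", "RX 6000", "unknown")]       # unparseable record is flagged

if __name__ == "__main__":
    for host, cves in triage(SAMPLE).items():
        print(host, ", ".join(cves))
```

Comparing the fields as integers matters here: as plain strings, "23.9.1.0" sorts after "23.30.13.01" and an unpatched host would be reported as current.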

Data Center Graphics

Applicable CVE(s) CVSS Score AMD Radeon™ Instinct™ MI50 AMD Instinct™ MI100 AMD Instinct™ MI200 Series
CVE-2021-26367 5.7 (Medium) Target April 2025 Target April 2025 Not Affected
CVE-2023-20509 5.2 (Medium) Not Affected Not Affected ROCm 6.3.2
CVE-2023-31310 5.0 (Medium) Not Affected
CVE-2023-20510 4.7 (Medium)
CVE-2023-20513 3.4 (Low)
CVE-2023-31304 2.3 (Low)
CVE-2023-31307 2.3 (Low)
CVE-2023-20512 1.9 (Low)
CVE-2023-31305 1.9 (Low)

Applicable CVE(s) CVSS Score AMD Radeon™ Instinct™ MI25 AMD Radeon™ PRO V520 AMD Radeon™ PRO V620
CVE-2023-20509 5.2 (Medium) Not Affected Not Affected Contact your AMD Customer Engineering representative
CVE-2023-20513 3.4 (Low)
CVE-2023-31307 2.3 (Low)
CVE-2023-20512 1.9 (Low)
CVE-2023-31305 1.9 (Low)
CVE-2021-26367 5.7 (Medium) Contact your AMD Customer Engineering representative
CVE-2023-31310 5.0 (Medium)
CVE-2023-20510 4.7 (Medium)
CVE-2023-31304 2.3 (Low)

Acknowledgement

Internally found: CVE-2021-26367, CVE-2023-20509, CVE-2023-20510, CVE-2023-20512, CVE-2023-20513, CVE-2023-31304, CVE-2023-31305, CVE-2023-31307, CVE-2023-31310

Revisions 

| Revision Date | Description |
| --- | --- |
| 2025-02-17 | Updated mitigation for Data Center Graphics |
| 2024-11-21 | Updated the status of CVE-2023-20510 for MI100 (Not Affected) |
| 2024-10-17 | Updated MI100 as “Not affected” for CVE-2023-31310. Updated MI25 as “Not affected” for CVE-2021-26367, CVE-2023-20510, CVE-2023-31304, CVE-2023-31307, CVE-2023-31310 |
| 2024-08-13 | Initial publication |


© 2024 Advanced Micro Devices, Inc. All rights reserved.