5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
2.1 Low
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:L/Au:N/C:P/I:N/A:N
0.001 Low
EPSS
Percentile
26.8%
Bulletin ID: AMD-SB-1003 **Potential Impact:**Data Leakage **Severity:**Medium
AMD is aware of research from the VUsec group at Vrije Universiteit Amsterdam and believes that these issues are only exploitable in conjunction with software vulnerabilities related to incorrect speculation of specific sequences as described below. AMD is not currently aware of any instances of such vulnerabilities in commercially available software.
CVE-2021-26313
Potential speculative code store bypass in all supported CPU products, in conjunction with software vulnerabilities relating to speculative execution of overwritten instructions, may cause an incorrect speculation and could result in data leakage.
CVE-2021-26314
Potential floating point value injection in all supported CPU products, in conjunction with software vulnerabilities relating to speculative execution with incorrect floating point results, may cause the use of incorrect data from FPVI and may result in data leakage.
All Currently supported CPU Products in conjunction with software vulnerabilities relating to speculative execution as indicated above.
While overwritten instruction sequences should not be architecturally executed, they may be speculatively executed. AMD recommends that software vendors analyze their code for any potential vulnerabilities relating to speculative execution of overwritten instructions (CVE-2021-26313). AMD recommends that software vendors analyze their code for any potential vulnerabilities relating to speculative execution with incorrect floating point results (CVE-2021-26314).
Potential software vulnerabilities can be mitigated by inserting a LFENCE between the overwriting of the instructions and the execution of the overwritten instructions.1
For additional information on speculation in AMD processors, see our paper2
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
2.1 Low
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:L/Au:N/C:P/I:N/A:N
0.001 Low
EPSS
Percentile
26.8%