CVSS 3.1
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (base score 5.5, Medium)
EPSS percentile: 9.0%
Bulletin ID: AMD-SB-4007 **Potential Impact:** Data Leakage **Severity:** Medium
Potential memory-disclosure vulnerabilities in an AMD UEFI Driver Execution Environment (DXE) driver: variables that are left uninitialized can expose stale memory contents to a privileged local user.
Refer to Glossary for explanation of terms
CVE | Severity | Description |
---|---|---|
CVE-2023-20594 | Medium | Improper initialization of variables in the DXE driver may allow a privileged user to leak sensitive information via local access. |
CVE-2023-20597 | Medium | Improper initialization of variables in the DXE driver may allow a privileged user to leak sensitive information via local access. |
The Platform Initialization (PI) firmware versions listed below have been released to the Original Equipment Manufacturers (OEM) as a mitigation for these issues. Please refer to your OEM for the BIOS update specific to your product.
June 2024 Update:
After additional analysis, AMD believes that the Client AGESA™ firmware versions previously provided did not sufficiently mitigate CVE-2023-20594. This security bulletin has been updated with new Client AGESA™ firmware versions that contain updated mitigations.
AMD has also updated the status of affected products. Refer to the mitigation section below.
DATA CENTER
CVE | 1st Gen AMD EPYC™ Processors | 2nd Gen AMD EPYC™ Processors | 3rd Gen AMD EPYC™ Processors | 4th Gen AMD EPYC™ Processors |
---|---|---|---|---|
Minimum firmware versions to mitigate all applicable CVEs | N/A | N/A | MilanPI 1.0.0.A (2022-10-28) | N/A |
CVE-2023-20594 | Not affected | Not affected | Not affected | Not affected |
CVE-2023-20597 | Not affected | Not affected | MilanPI 1.0.0.A (2022-10-28) | Not affected |
EMBEDDED PROCESSORS
CVE | AMD EPYC™ Embedded 3000 | AMD EPYC™ Embedded 7002 | AMD EPYC™ Embedded 7003 | AMD EPYC™ Embedded 9003 |
---|---|---|---|---|
Minimum firmware versions to mitigate all applicable CVEs | N/A | N/A | EmbMilanPI-SP3 1.0.0.6 (2022-12-12) | N/A |
CVE-2023-20594 | Not affected | Not affected | Not affected | Not affected |
CVE-2023-20597 | Not affected | Not affected | EmbMilanPI-SP3 1.0.0.6 (2022-12-12) | Not affected |
CVE | AMD Ryzen™ Embedded R1000 | AMD Ryzen™ Embedded R2000 | AMD Ryzen™ Embedded 5000 | AMD Ryzen™ Embedded 7000 |
---|---|---|---|---|
Minimum firmware versions to mitigate all applicable CVEs | TBD | TBD | EmbAM4PI 1.0.0.2 (2022-10-31) | EmbeddedAM5PI 1.0.0.1 (Target June 2024) |
CVE-2023-20594 | EmbeddedPI-FP5 1.2.0.C (Target June 2024) | EmbeddedPI-FP5 1.2.0.C (Target June 2024) | Not affected | EmbeddedAM5PI 1.0.0.1 (Target June 2024) |
CVE-2023-20597 | Not affected | Not affected | EmbAM4PI 1.0.0.2 (2022-10-31) | |
CVE | AMD Ryzen™ Embedded V1000 (all V1000 OPNs excluding YE1500C4T4MFH) | AMD Ryzen™ Embedded V1000 (YE1500C4T4MFH) | AMD Ryzen™ Embedded V2000 | AMD Ryzen™ Embedded V3000 |
---|---|---|---|---|
Minimum firmware versions to mitigate all applicable CVEs | N/A | | EmbeddedPI-FP6 1.0.0.9 (2024-04-15) | Embedded-PI FP7r2 1.0.1.0 (Target Sept 2024) |
CVE-2023-20594 | Fix not planned | | EmbeddedPI-FP6 1.0.0.9 (2024-04-15) | Embedded-PI FP7r2 1.0.1.0 (Target Sept 2024) |
CVE-2023-20597 | Not affected | | EmbeddedPI-FP6 1.0.0.8 (2023-07-31) | EmbeddedPI-FP7r2 1.0.0.4 (2023-04-28) |
DESKTOP
CVE | AMD Ryzen™ 3000 Series Desktop Processors (formerly codenamed "Matisse") | AMD Ryzen™ 5000 Series Desktop Processors (formerly codenamed "Vermeer") | AMD Ryzen™ 5000 Series Desktop Processors with Radeon™ Graphics (formerly codenamed "Cezanne") | AMD Ryzen™ 7000 Series Desktop Processors (formerly codenamed "Raphael") X3D | AMD Athlon™ 3000 Series Desktop Processors with Radeon™ Graphics (formerly codenamed "Picasso") AM4 |
---|---|---|---|---|---|
Minimum firmware versions to mitigate all applicable CVEs | ComboAM4PI 1.0.0.9 (2022-07-13) / ComboAM4v2PI 1.2.0.8 (2022-07-29) | ComboAM4v2PI 1.2.0.8 (2022-07-29) | ComboAM4v2PI 1.2.0.C (2024-02-07) | ComboAM5 1.1.7.0 (2024-04-27) | N/A |
CVE-2023-20594 | Not affected | Not affected | ComboAM4v2PI 1.2.0.C (2024-02-07) | ComboAM5 1.1.7.0 (2024-04-27) | Fix not planned |
CVE-2023-20597 | ComboAM4PI 1.0.0.9 (2022-07-13) / ComboAM4v2PI 1.2.0.8 (2022-07-29) | ComboAM4v2PI 1.2.0.8 (2022-07-29) | ComboAM4v2PI 1.2.0.8 (2022-07-29) | Not affected | Not affected |
CVE | AMD Ryzen™ 4000 Series Desktop Processors with Radeon™ Graphics (formerly codenamed "Renoir") AM4 | AMD Ryzen™ 8000 Series Processors with Radeon™ Graphics (formerly codenamed "Phoenix") AM5 |
---|---|---|
Minimum firmware versions to mitigate all applicable CVEs | ComboAM4v2PI 1.2.0.C (2024-02-07) | ComboAM5 1.1.7.0 (2024-04-27) |
CVE-2023-20594 | ComboAM4v2PI 1.2.0.C (2024-02-07) | ComboAM5 1.1.7.0 (2024-04-27) |
CVE-2023-20597 | ComboAM4v2PI 1.2.0.8 (2022-07-29) | Not affected |
HIGH END DESKTOP (HEDT)
CVE | AMD Ryzen™ Threadripper™ 3000 Series Processors (formerly codenamed "Castle Peak") HEDT |
---|---|
Minimum firmware versions to mitigate all applicable CVEs | CastlePeakPI-SP3r3 1.0.0.8 (2022-12-01) |
CVE-2023-20594 | Not affected |
CVE-2023-20597 | CastlePeakPI-SP3r3 1.0.0.8 (2022-12-01) |
WORKSTATION
CVE | AMD Ryzen™ Threadripper™ PRO Processors (formerly codenamed "Castle Peak") WS SP3 | AMD Ryzen™ Threadripper™ PRO 3000WX Series Processors (formerly codenamed "Chagall") WS |
---|---|---|
Minimum firmware versions to mitigate all applicable CVEs | CastlePeakWSPI-sWRX8 1.0.0.A (2022-11-23) / ChagallWSPI-sWRX8 1.0.0.4 (2022-06-15) | ChagallWSPI-sWRX8 1.0.0.4 (2022-06-15) |
CVE-2023-20594 | Not affected | Not affected |
CVE-2023-20597 | CastlePeakWSPI-sWRX8 1.0.0.A (2022-11-23) / ChagallWSPI-sWRX8 1.0.0.4 (2022-06-15) | ChagallWSPI-sWRX8 1.0.0.4 (2022-06-15) |
MOBILE - AMD Athlon™ Series Processors
CVE | AMD Athlon™ 3000 Series Mobile Processors with Radeon™ Graphics (formerly codenamed "Dali"/"Dali" ULP) | AMD Athlon™ 3000 Series Mobile Processors with Radeon™ Graphics (formerly codenamed "Pollock") |
---|---|---|
Minimum firmware versions to mitigate all applicable CVEs | PicassoPI-FP5 1.0.1.1 (2024-03-08) | PollockPI-FT5 1.0.0.8 (Target July 2024) |
CVE-2023-20594 | PicassoPI-FP5 1.0.1.1 (2024-03-08) | PollockPI-FT5 1.0.0.8 (Target July 2024) |
CVE-2023-20597 | Not affected | Not affected |
MOBILE - AMD Ryzen™ Series Processors
CVE | AMD Ryzen™ 3000 Series Mobile Processors with Radeon™ Graphics (formerly codenamed "Picasso") FP5 | AMD Ryzen™ 4000 Series Mobile Processors with Radeon™ Graphics (formerly codenamed "Renoir") FP6 | AMD Ryzen™ 5000 Series Mobile Processors with Radeon™ Graphics (formerly codenamed "Lucienne") | AMD Ryzen™ 5000 Series Mobile Processors with Radeon™ Graphics (formerly codenamed "Cezanne") | AMD Ryzen™ 7020 Series Processors with Radeon™ Graphics (formerly codenamed "Mendocino") FT6 |
---|---|---|---|---|---|
Minimum firmware versions to mitigate all applicable CVEs | PicassoPI-FP5 1.0.1.1 (2024-03-08) | RenoirPI-FP6 1.0.0.D (2024-02-29) | CezannePI-FP6 1.0.1.0 (2024-01-25) | CezannePI-FP6 1.0.1.0 (2024-01-25) | MendocinoPI-FT6 1.0.0.7 (2024-07-03) |
CVE-2023-20594 | PicassoPI-FP5 1.0.1.1 (2024-03-08) | RenoirPI-FP6 1.0.0.D (2024-02-29) | CezannePI-FP6 1.0.1.0 (2024-01-25) | CezannePI-FP6 1.0.1.0 (2024-01-25) | MendocinoPI-FT6 1.0.0.7 (2024-07-03) |
CVE-2023-20597 | Not affected | RenoirPI-FP6 1.0.0.9 (2022-06-22) | CezannePI-FP6 1.0.0.B (2022-06-15) | CezannePI-FP6 1.0.0.B (2022-06-15) | Not affected |
CVE | AMD Ryzen™ 6000 Series Processors with Radeon™ Graphics (formerly codenamed "Rembrandt") | AMD Ryzen™ 7035 Series Processors with Radeon™ Graphics (formerly codenamed "Rembrandt-R") | AMD Ryzen™ 5000 Series Processors with Radeon™ Graphics (formerly codenamed "Barcelo") | AMD Ryzen™ 7030 Series Mobile Processors with Radeon™ Graphics (formerly codenamed "Barcelo-R") | AMD Ryzen™ 7040 Series Mobile Processors with Radeon™ Graphics (formerly codenamed "Phoenix") FP7/FP7r2/FP8 | AMD Ryzen™ 7045 Series Mobile Processors (formerly codenamed "Dragon Range") |
---|---|---|---|---|---|---|
Minimum firmware versions to mitigate all applicable CVEs | RembrandtPI-FP7 1.0.0.B (2024-06-26) | RembrandtPI-FP7 1.0.0.B (2024-06-26) | CezannePI-FP6 1.0.1.0 (2024-01-25) | CezannePI-FP6 1.0.1.0 (2024-01-25) | PhoenixPI-FP8-FP7 1.1.0.2a (2024-01-23) | DragonRangeFL1PI 1.0.0.3d (2024-01-29) |
CVE-2023-20594 | RembrandtPI-FP7 1.0.0.B (2024-06-26) | RembrandtPI-FP7 1.0.0.B (2024-06-26) | CezannePI-FP6 1.0.1.0 (2024-01-25) | CezannePI-FP6 1.0.1.0 (2024-01-25) | PhoenixPI-FP8-FP7 1.1.0.2a (2024-01-23) | DragonRangeFL1PI 1.0.0.3d (2024-01-29) |
CVE-2023-20597 | RembrandtPI-FP7 1.0.0.6 (2022-09-01) | RembrandtPI-FP7 1.0.0.6 (2022-09-01) | CezannePI-FP6 1.0.0.B (2022-06-15) | CezannePI-FP6 1.0.0.B (2022-06-15) | Not affected | Not affected |
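A check worth running after locating your product in the tables above: compare the AGESA/PI version reported in your OEM's BIOS release notes against the minimum in the matching cell. The Python below is an added example, not part of AMD's bulletin, and encodes my reading of the version format as it appears on this page (three decimal fields, a single uppercase hex fourth digit so that 1.0.0.A is newer than 1.0.0.9, and an optional lowercase point-revision suffix as in 1.1.0.2a and 1.0.0.3d); AMD does not document that format here, so treat it as an assumption. The function names (parse_pi_version, meets_minimum, is_mitigated) are mine, the Matisse minimums are copied from the DESKTOP table, and the "installed" strings in the demo are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Matches the version strings used in the bulletin's tables, e.g.
#   "ComboAM4v2PI 1.2.0.C (2024-02-07)"      "PhoenixPI-FP8-FP7 1.1.0.2a (2024-01-23)"
#   "CezannePI-FP6_1.0.1.0_(2024-01-25)_"    "Embedded-PI FP7r2 1.0.1.0 (Target Sept 2024)"
# Assumption (my reading of the strings on the page, not an AMD-documented rule):
# the first three fields are decimal, the fourth is ONE uppercase hex digit
# (..., 8, 9, A, B, C, D), optionally followed by a lowercase point-revision suffix
# ("2a", "3d"). A lowercase fourth digit is rejected rather than guessed, because
# "1.1.0.2a" would then be ambiguous (release 2 revision a, or hex 0x2A?).
_VERSION_RE = re.compile(
    r"^(?P<family>.+?)[\s_]+"
    r"(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\.(?P<build>[0-9A-F])(?P<suffix>[a-z]*)"
    r"[\s_]*(?:\([^)]*\))?[\s_]*$"
)


def _normalise_family(name: str) -> str:
    """Fold 'Embedded-PI FP7r2', 'Embedded-PI_FP7r2' and 'EmbeddedPI-FP7r2' (all three
    spellings appear on the page) onto one token; only letters and digits matter."""
    return re.sub(r"[\s_\-]", "", name).lower()


@dataclass(frozen=True)
class PiVersion:
    family: str   # normalised PI family, e.g. "comboam4v2pi"
    major: int
    minor: int
    patch: int
    build: int    # hex digit as an integer: "A" -> 10, "C" -> 12
    suffix: str   # "" or a lowercase point revision such as "a"

    @property
    def key(self) -> tuple:
        # Tuple order gives 1.0.0.9 < 1.0.0.A and 1.1.0.2 < 1.1.0.2a < 1.1.0.3.
        return (self.major, self.minor, self.patch, self.build, self.suffix)


def parse_pi_version(text: str) -> PiVersion:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised AGESA/PI version string: {text!r}")
    return PiVersion(
        family=_normalise_family(m["family"]),
        major=int(m["major"]),
        minor=int(m["minor"]),
        patch=int(m["patch"]),
        build=int(m["build"], 16),
        suffix=m["suffix"],
    )


def meets_minimum(installed: str, minimum: str) -> bool:
    """True if `installed` is in the same PI family as `minimum` and at least that version.
    A family mismatch raises: ComboAM4PI and ComboAM4v2PI numbers are not comparable,
    which is why the bulletin lists them as separate lines inside one cell."""
    have, need = parse_pi_version(installed), parse_pi_version(minimum)
    if have.family != need.family:
        raise ValueError(f"PI family mismatch: {installed!r} vs {minimum!r}")
    return have.key >= need.key


def is_mitigated(installed: str, minimums: Iterable[str]) -> bool:
    """Check `installed` against every PI line listed in a table cell; the line sharing
    the installed firmware's family decides. No shared family means the cell does not
    cover this board and the answer is unknown, so raise rather than report 'mitigated'."""
    minimums = tuple(minimums)
    have = parse_pi_version(installed)
    same_family = [c for c in map(parse_pi_version, minimums) if c.family == have.family]
    if not same_family:
        raise ValueError(f"{installed!r} is not covered by any of {minimums!r}")
    return any(have.key >= c.key for c in same_family)


# The Matisse cell from the DESKTOP table above, copied verbatim.
MATISSE_MINIMUMS = ("ComboAM4PI 1.0.0.9 (2022-07-13)", "ComboAM4v2PI 1.2.0.8 (2022-07-29)")

if __name__ == "__main__":
    # Constructed sample inputs: what a Matisse board's BIOS release notes might report.
    for fw in ("ComboAM4v2PI 1.2.0.8", "ComboAM4v2PI 1.2.0.C", "ComboAM4PI 1.0.0.8"):
        print(f"{fw:24} mitigated={is_mitigated(fw, MATISSE_MINIMUMS)}")
```

Two caveats the tables impose. A cell that lists two PI lines (Matisse, Castle Peak WS) is satisfied by whichever line your board's BIOS is built on, so the check refuses to compare across families instead of silently comparing 1.0.0.9 against 1.2.0.8. An entry marked "Target ..." is a planned release: a version string that parses is not evidence that the OEM BIOS carrying it exists yet, so treat those products as unmitigated until the OEM publishes the update.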