CVE-2021-26356 — HIGH (7.4)

Q: What is CVE-2021-26356?

CVE-2021-26356 is a vulnerability with a CVSS score of 7.4 (HIGH). A TOCTOU in ASP bootloader may allow an attacker to tamper with the SPI ROM following data read to memory potentially resulting in S3 data corruption and information disclosure.

Q: How severe is CVE-2021-26356?

CVE-2021-26356 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-26356?

Check the references section above for vendor advisories and patch information. Affected products include: Amd Epyc 7001 Firmware, Amd Epyc 7001, Amd Epyc 7251 Firmware, Amd Epyc 7251, Amd Epyc 7261 Firmware.

Vulnerability Description

A TOCTOU in ASP bootloader may allow an attacker to tamper with the SPI ROM following data read to memory potentially resulting in S3 data corruption and information disclosure.

CVSS Score

7.4

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Amd	Epyc 7001 Firmware	< naplespi_1.0.0.h
Amd	Epyc 7001	-
Amd	Epyc 7251 Firmware	< naplespi_1.0.0.h
Amd	Epyc 7251	-
Amd	Epyc 7261 Firmware	< naplespi_1.0.0.h
Amd	Epyc 7261	-
Amd	Epyc 7281 Firmware	< naplespi_1.0.0.h
Amd	Epyc 7281	-
Amd	Epyc 7301 Firmware	< naplespi_1.0.0.h
Amd	Epyc 7301	-
Amd	Epyc 7351 Firmware	< naplespi_1.0.0.h
Amd	Epyc 7351	-
Amd	Epyc 7351P Firmware	< naplespi_1.0.0.h
Amd	Epyc 7351P	-
Amd	Epyc 7371 Firmware	< naplespi_1.0.0.h
Amd	Epyc 7371	-
Amd	Epyc 7401 Firmware	< naplespi_1.0.0.h
Amd	Epyc 7401	-
Amd	Epyc 7401P Firmware	< naplespi_1.0.0.h
Amd	Epyc 7401P	-

Related Weaknesses (CWE)

CWE-367

References

https://www.amd.com/en/corporate/product-security/bulletin/AMD-SB-3001Vendor Advisory
https://www.amd.com/en/corporate/product-security/bulletin/AMD-SB-4001Vendor Advisory
https://www.amd.com/en/corporate/product-security/bulletin/AMD-SB-3001Vendor Advisory
https://www.amd.com/en/corporate/product-security/bulletin/AMD-SB-4001Vendor Advisory

FAQ

What is CVE-2021-26356?

CVE-2021-26356 is a vulnerability with a CVSS score of 7.4 (HIGH). A TOCTOU in ASP bootloader may allow an attacker to tamper with the SPI ROM following data read to memory potentially resulting in S3 data corruption and information disclosure.

How severe is CVE-2021-26356?

CVE-2021-26356 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-26356?

Check the references section above for vendor advisories and patch information. Affected products include: Amd Epyc 7001 Firmware, Amd Epyc 7001, Amd Epyc 7251 Firmware, Amd Epyc 7251, Amd Epyc 7261 Firmware.