CVE-2024-36347

Description

Improper signature verification in AMD CPU ROM microcode patch loader may allow an attacker with local administrator privilege to load malicious microcode, potentially resulting in loss of integrity of x86 instruction execution, loss of confidentiality and integrity of data in x86 CPU privileged context and compromise of SMM execution environment.

Category

6.4
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.01%
Affected: AMD AMD EPYC™ 7001 Series
Affected: AMD AMD EPYC™ 7002 Series
Affected: AMD AMD EPYC™ 7003 Series
Affected: AMD AMD EPYC™ 9004 Series
Affected: AMD AMD EPYC™ 4004 Series
Affected: AMD AMD EPYC™ 9005 Series
Affected: AMD AMD Instinct™ MI300A
Affected: AMD AMD Ryzen™ 5000 Series Desktop Processors
Affected: AMD AMD Ryzen™ 5000 Series Desktop Processor with Radeon™ Graphics
Affected: AMD AMD Ryzen™ 3000 Series Desktop Processors
Affected: AMD AMD Athlon™ 3000 Series Desktop Processors with Radeon™ Graphics
Affected: AMD AMD Ryzen™ 7000 Series Desktop Processors
Affected: AMD AMD Ryzen™ 4000 Series Desktop Processor with Radeon™ Graphics
Affected: AMD AMD Ryzen™ 8000 Series Processor with Radeon™ Graphics
Affected: AMD AMD Ryzen™ 9000 Series Desktop Processors
Affected: AMD AMD Ryzen™ Threadripper™ 3000 Series Processors
Affected: AMD AMD Ryzen™ Threadripper™ PRO 7000 WX-Series Processors
Affected: AMD AMD Ryzen™ Threadripper™ PRO 3000WX Series Processors
Affected: AMD AMD Ryzen™ Threadripper™ PRO 5000WX- Series Desktop Processors
Affected: AMD AMD Athlon™ 3000 Series Mobile Processors with Radeon™ Graphics
Affected: AMD AMD Ryzen™ 3000 Series Mobile Processor with Radeon™ Graphics
Affected: AMD AMD Ryzen™ 4000 Series Mobile Processors with Radeon™ Graphics
Affected: AMD AMD Ryzen™ 5000 Series Processors with Radeon™ Graphics
Affected: AMD AMD Ryzen™ 7020 Series Processors with Radeon™ Graphics
Affected: AMD AMD Ryzen™ 6000 Series Processor with Radeon™ Graphics
Affected: AMD AMD Ryzen™ 7035 Series Processor with Radeon™ Graphics
Affected: AMD AMD Ryzen™ 7000 Series Processors with Radeon™ Graphics
Affected: AMD AMD Ryzen™ 7040 Series Processors with Radeon™ Graphics
Affected: AMD AMD Ryzen™ 8040 Series Mobile Processors with Radeon™ Graphics
Affected: AMD AMD Ryzen™ 7045 Series Mobile Processors
Affected: AMD AMD Ryzen™ AI 300 Series
Affected: AMD AMD Ryzen™ AI Max +
Affected: AMD AMD Ryzen™ 9000HX Series Mobile Processors
Affected: AMD AMD EPYC™ Embedded 3000
Affected: AMD AMD EPYC™ Embedded 7002
Affected: AMD AMD EPYC™ Embedded 7003
Affected: AMD AMD EPYC™ Embedded 8004
Affected: AMD AMD EPYC™ Embedded 9004
Affected: AMD AMD EPYC™ Embedded 97X4
Affected: AMD AMD Ryzen™ Embedded R1000
Affected: AMD AMD Ryzen™ Embedded R2000
Affected: AMD AMD Ryzen™ Embedded 5000
Affected: AMD AMD Ryzen™ Embedded 7000
Affected: AMD AMD Ryzen™ Embedded V1000
Affected: AMD AMD Ryzen™Embedded V2000
Affected: AMD AMD Ryzen™Embedded V3000
Published at:
Updated at:

References

Link Tags
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7033.html

Frequently Asked Questions

What is the severity of CVE-2024-36347?
CVE-2024-36347 has been scored as a medium severity vulnerability.
How to fix CVE-2024-36347?
To fix CVE-2024-36347, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-36347 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-36347 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-36347?
CVE-2024-36347 affects AMD AMD EPYC™ 7001 Series, AMD AMD EPYC™ 7002 Series, AMD AMD EPYC™ 7003 Series, AMD AMD EPYC™ 9004 Series, AMD AMD EPYC™ 4004 Series, AMD AMD EPYC™ 9005 Series, AMD AMD Instinct™ MI300A, AMD AMD Ryzen™ 5000 Series Desktop Processors, AMD AMD Ryzen™ 5000 Series Desktop Processor with Radeon™ Graphics, AMD AMD Ryzen™ 3000 Series Desktop Processors, AMD AMD Athlon™ 3000 Series Desktop Processors with Radeon™ Graphics, AMD AMD Ryzen™ 7000 Series Desktop Processors, AMD AMD Ryzen™ 4000 Series Desktop Processor with Radeon™ Graphics, AMD AMD Ryzen™ 8000 Series Processor with Radeon™ Graphics, AMD AMD Ryzen™ 9000 Series Desktop Processors, AMD AMD Ryzen™ Threadripper™ 3000 Series Processors, AMD AMD Ryzen™ Threadripper™ PRO 7000 WX-Series Processors, AMD AMD Ryzen™ Threadripper™ PRO 3000WX Series Processors, AMD AMD Ryzen™ Threadripper™ PRO 5000WX- Series Desktop Processors, AMD AMD Athlon™ 3000 Series Mobile Processors with Radeon™ Graphics, AMD AMD Ryzen™ 3000 Series Mobile Processor with Radeon™ Graphics, AMD AMD Ryzen™ 4000 Series Mobile Processors with Radeon™ Graphics, AMD AMD Ryzen™ 5000 Series Processors with Radeon™ Graphics, AMD AMD Ryzen™ 7020 Series Processors with Radeon™ Graphics, AMD AMD Ryzen™ 6000 Series Processor with Radeon™ Graphics, AMD AMD Ryzen™ 7035 Series Processor with Radeon™ Graphics, AMD AMD Ryzen™ 7000 Series Processors with Radeon™ Graphics, AMD AMD Ryzen™ 7040 Series Processors with Radeon™ Graphics, AMD AMD Ryzen™ 8040 Series Mobile Processors with Radeon™ Graphics, AMD AMD Ryzen™ 7045 Series Mobile Processors, AMD AMD Ryzen™ AI 300 Series, AMD AMD Ryzen™ AI Max +, AMD AMD Ryzen™ 9000HX Series Mobile Processors, AMD AMD EPYC™ Embedded 3000, AMD AMD EPYC™ Embedded 7002, AMD AMD EPYC™ Embedded 7003, AMD AMD EPYC™ Embedded 8004, AMD AMD EPYC™ Embedded 9004, AMD AMD EPYC™ Embedded 97X4, AMD AMD Ryzen™ Embedded R1000, AMD AMD Ryzen™ Embedded R2000, AMD AMD Ryzen™ Embedded 5000, AMD AMD Ryzen™ Embedded 7000, AMD AMD Ryzen™ Embedded V1000, AMD AMD Ryzen™Embedded V2000, AMD AMD Ryzen™Embedded V3000.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.