A serious security vulnerability in AMD processors has been disclosed, allowing attackers with administrative privileges to potentially load malicious microcode patches into CPUs.
Identified as CVE-2024-36347 with a medium-severity CVSS score of 6.4, this flaw affects numerous AMD processor families across desktop, mobile, server, and embedded segments.
According to the security bulletin AMD-SB-7033 published on April 7, 2025, researchers from Google discovered and reported a weakness in AMD’s signature verification algorithm that could allow the loading of unsigned or fraudulently signed microcode.
While AMD has confirmed no instances of this vulnerability being exploited in the wild, the potential impact includes compromised system integrity and confidentiality.
Technical Details and Impact Assessment
The vulnerability stems from improper signature verification in the CPU ROM microcode patch loader, which could allow an attacker with local administrator privileges to bypass security measures and load arbitrary microcode.
The researchers demonstrated their ability to load patches not signed by AMD and even falsify signatures for custom microcode modifications.
If successfully exploited, this vulnerability could lead to:
- Loss of integrity in x86 instruction execution
- Compromise of data confidentiality and integrity within privileged CPU contexts
- Potential compromise of the System Management Mode (SMM) execution environment
The attack requires local access, high privileges, and involves complex exploitation techniques, as reflected in the CVSS vector string: AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H.
Risk Factor Analysis and Mitigation Timeline
CVE ID | CVSS Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|---|---|---|---|---|---|---|
CVE-2024-36347 | 6.4 | Local (AV:L) | High (AC:H) | High (PR:H) | None (UI:N) | Unchanged (S:U) | High (C:H) | High (I:H) | High (A:H) |
AMD has developed mitigations for this vulnerability and is releasing updated Platform Initialization (PI) firmware to Original Equipment Manufacturers (OEMs).
The updates provide enhanced signature verification and prevent unauthorized microcode loading.
Notable release dates for firmware updates include:
- Data Center: Most EPYC server processors received updates in December 2024, with Turin updates released on March 4, 2025
- Desktop: Ryzen 5000 and 3000 series updates were released on January 14-22, 2025, while Ryzen 9000 series updates came on March 27, 2025
- Mobile: Updates for various Ryzen mobile processors were released between December 2024 and March 2025
- Embedded: Updates for EPYC Embedded processors were released in December 2024, with Ryzen Embedded updates following in January and February 2025
The security bulletin notes that after updating to these firmware versions, “Microcode cannot be hot-loaded” on certain platforms, and attempts to load microcode on older BIOS versions will trigger a #GP (General Protection) fault.
Users must contact their system or motherboard manufacturers to obtain the appropriate BIOS updates.
AMD acknowledged Josh Eads, Kristoffer Janke, Eduardo Vela Nava, Tavis Ormandy, and Matteo Rizzo from Google for discovering and responsibly disclosing this vulnerability.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates