Use-after-free in AMD products - CVE-2023-20593

 

Published: July 24, 2023 / Updated: July 25, 2023


Vulnerability identifier: #VU78572
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-20593
CWE-ID: CWE-416
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: AMD
Affected software:
AMD Ryzen 3000 Series Desktop processor
3rd Gen AMD Ryzen Threadripper processors
AMD Ryzen 4000 Series Desktop processors with Radeon graphics
AMD Ryzen 5000 Series Mobile processor with Radeon graphics
AMD Ryzen 4000 Series Mobile processors with Radeon graphics
AMD Ryzen 7020 Series Processor
AMD Generic Encapsulated Software Architecture

Detailed vulnerability description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error in AMD Zen2 processors. A local user can trigger a use-after-free error and execute arbitrary code on the system.

Note: the vulnerability was dubbed Zenbleed.


How to mitigate CVE-2023-20593

Install updates from the vendor's website.

Sources