Exposed IOCTL with Insufficient Access Control in AMD products - CVE-2023-20598
Published: October 26, 2023 / Updated: July 26, 2024
Vulnerability identifier: #VU82434
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear
CVE-ID: CVE-2023-20598
CWE-ID: CWE-782
Exploitation vector: Local access
Exploit availability:
Public exploit is available
Vendor: AMD
Affected software:
Radeon RX 5000 Series
Radeon RX 6000 Series
Radeon RX 7000 Series
Ryzen 7045 Series Processors with Radeon Graphics
Ryzen 7020 Series Processors with Radeon Graphics
Ryzen 7040 Series Processors with Radeon Graphics
Ryzen 7000 Series Processors with Radeon Graphics
Ryzen 6000 Series Processors with Radeon Graphics
Ryzen 7035 Series Processors with Radeon Graphics
Radeon PRO W5000 Series
Radeon PRO W6000 Series
Radeon PRO W7000 Series
AMD Software Adrenalin Edition
AMD Software PRO Edition
Radeon RX 5000 Series
Radeon RX 6000 Series
Radeon RX 7000 Series
Ryzen 7045 Series Processors with Radeon Graphics
Ryzen 7020 Series Processors with Radeon Graphics
Ryzen 7040 Series Processors with Radeon Graphics
Ryzen 7000 Series Processors with Radeon Graphics
Ryzen 6000 Series Processors with Radeon Graphics
Ryzen 7035 Series Processors with Radeon Graphics
Radeon PRO W5000 Series
Radeon PRO W6000 Series
Radeon PRO W7000 Series
AMD Software Adrenalin Edition
AMD Software PRO Edition
Detailed vulnerability description
The vulnerability allows a local user to execute arbitrary code on the target system.
The vulnerability exists due to insufficient access control in the IOCTL within the pdfwkrnl.sys driver. A local user can send a specially crafted IOCTL request and execute abitrary code on the system.
How to mitigate CVE-2023-20598
Install updates from vendor's website.