Cyber Resilience

CVE-2023-20548

High

Published: 11 February 2026

Modified: 05 March 2026
KEV Added
Patch
CVSS Score v4: 7.1 (CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0001 (0.5th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-20548 is a high-severity Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367) vulnerability in AMD Radeon Software. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 0.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2023-20548 is a Time-of-check time-of-use (TOCTOU) race condition vulnerability in the AMD Secure Processor (ASP). This flaw affects the ASP component within AMD systems, potentially allowing memory corruption that leads to loss of integrity, confidentiality, or availability. The vulnerability is classified under CWE-367 and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating high impact with local access required.

Exploitation requires a local attacker with low privileges to perform a high-complexity attack without user interaction. Successful exploitation could enable memory corruption, granting the attacker high-impact capabilities across confidentiality, integrity, and availability in a changed scope, potentially compromising the security processor's functions.

AMD has issued security bulletin AMD-SB-6024, available at https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-6024.html, which provides details on the vulnerability and recommended mitigations or patches. Security practitioners should consult this advisory for system-specific remediation steps.

Vulnerability details

A Time-of-check time-of-use (TOCTOU) race condition in the AMD Secure Processor (ASP) could allow an attacker to corrupt memory resulting in loss of integrity, confidentiality, or availability.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local TOCTOU race condition in AMD Secure Processor enables memory corruption exploitable by low-privileged attackers for privilege escalation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2023-31324 · Same product: AMD Instinct MI210
CVE-2024-53028 · Shared CWE-367
CVE-2026-41651 · Shared CWE-367
CVE-2026-41702 · Shared CWE-367
CVE-2026-27750 · Shared CWE-367
CVE-2026-21240 · Shared CWE-367
CVE-2026-45208 · Shared CWE-367
CVE-2024-45560 · Shared CWE-367
CVE-2024-53032 · Shared CWE-367
CVE-2026-20831 · Shared CWE-367

Affected Assets

amd rocm: ≤ 6.2.0
amd radeon software: ≤ 25.q2 · ≤ 24.6.1
amd radeon vii firmware: all versions
amd radeon pro vii firmware: all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely identification, reporting, and patching of the TOCTOU race condition flaw in AMD ASP to prevent memory corruption exploitation.

prevent

Implements memory protection mechanisms to prevent unauthorized modification or corruption of ASP memory targeted by the race condition.

prevent · detect

Performs runtime monitoring and integrity checks on ASP firmware to detect or prevent unauthorized changes from race condition exploitation.
