Cyber Posture

CVE-2023-20548

High

Published: 11 February 2026

Modified: 05 March 2026
KEV Added
Patch
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0001 (0.4th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-20548 is a high-severity Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367) vulnerability in AMD Radeon Software. Its CVSS base score is 7.8 (High).

Operationally, it is ranked at the 0.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Requires timely identification, reporting, and patching of the TOCTOU race condition flaw in AMD ASP to prevent memory corruption exploitation.

prevent

Implements memory protection mechanisms to prevent unauthorized modification or corruption of ASP memory targeted by the race condition.

prevent, detect

Performs runtime monitoring and integrity checks on ASP firmware to detect or prevent unauthorized changes from race condition exploitation.

NVD Description

A Time-of-check time-of-use (TOCTOU) race condition in the AMD Secure Processor (ASP) could allow an attacker to corrupt memory resulting in loss of integrity, confidentiality, or availability.

Deeper analysis (AI)

CVE-2023-20548 is a Time-of-check time-of-use (TOCTOU) race condition vulnerability in the AMD Secure Processor (ASP). This flaw affects the ASP component within AMD systems, potentially allowing memory corruption that leads to loss of integrity, confidentiality, or availability. The vulnerability is classified under CWE-367 and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating high impact with local access required.

Exploitation requires a local attacker with low privileges to perform a high-complexity attack without user interaction. Successful exploitation could enable memory corruption, granting the attacker high-impact capabilities across confidentiality, integrity, and availability in a changed scope, potentially compromising the security processor's functions.

AMD has issued security bulletin AMD-SB-6024, available at https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-6024.html, which provides details on the vulnerability and recommended mitigations or patches. Security practitioners should consult this advisory for system-specific remediation steps.

Details

CWE(s): CWE-367

Affected Products

amd rocm: ≤ 6.2.0
amd radeon software: ≤ 25.q2 · ≤ 24.6.1
amd radeon vii firmware: all versions
amd radeon pro vii firmware: all versions

CVEs Like This One

CVE-2023-31324 (same product: AMD Instinct MI210)
CVE-2024-42444 (shared CWE-367)
CVE-2026-30332 (shared CWE-367)
CVE-2026-21240 (shared CWE-367)
CVE-2024-53028 (shared CWE-367)
CVE-2025-22224 (shared CWE-367)
CVE-2026-27750 (shared CWE-367)
CVE-2026-20816 (shared CWE-367)
CVE-2026-25052 (shared CWE-367)
CVE-2025-38352 (shared CWE-367)
