CVE-2023-20548
Published: 11 February 2026
Summary
CVE-2023-20548 is a high-severity Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367) vulnerability in AMD Radeon Software. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 0.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2023-20548 is a Time-of-check time-of-use (TOCTOU) race condition vulnerability in the AMD Secure Processor (ASP). This flaw affects the ASP component within AMD systems, potentially allowing memory corruption that leads to loss of integrity, confidentiality, or availability. The vulnerability is classified under CWE-367 and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating high impact with local access required.
Exploitation requires a local attacker with low privileges to perform a high-complexity attack without user interaction. Successful exploitation could enable memory corruption, granting the attacker high-impact capabilities across confidentiality, integrity, and availability in a changed scope, potentially compromising the security processor's functions.
AMD has issued security bulletin AMD-SB-6024, available at https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-6024.html, which provides details on the vulnerability and recommended mitigations or patches. Security practitioners should consult this advisory for system-specific remediation steps.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-24727
Vulnerability details
A Time-of-check time-of-use (TOCTOU) race condition in the AMD Secure Processor (ASP) could allow an attacker to corrupt memory resulting in loss of integrity, confidentiality, or availability.
- CWE(s): CWE-367
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local TOCTOU race condition in AMD Secure Processor enables memory corruption exploitable by low-privileged attackers for privilege escalation.
Mitigating Controls (NIST 800-53 r5)
Requires timely identification, reporting, and patching of the TOCTOU race condition flaw in AMD ASP to prevent memory corruption exploitation.
Implements memory protection mechanisms to prevent unauthorized modification or corruption of ASP memory targeted by the race condition.
Performs runtime monitoring and integrity checks on ASP firmware to detect or prevent unauthorized changes from race condition exploitation.