Cyber Resilience

CVE-2023-20591

Severity: Medium

Published: 13 August 2024

Modified: 13 March 2025
KEV Added: not listed
Patch: (no entry)
CVSS v3.1 score: 6.5, vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
EPSS score: 0.0034 (56.7th percentile)
Risk Priority: 13 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-20591 is a medium-severity Improper Initialization (CWE-665) vulnerability in AMD EPYC 8024PN firmware (and related EPYC firmware; see Affected Assets). Its CVSS v3.1 base score is 6.5 (Medium).

Operationally, it ranks in the top 43.3% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

Improper re-initialization of IOMMU during the DRTM event may permit an untrusted platform configuration to persist, allowing an attacker to read or modify hypervisor memory, potentially resulting in loss of confidentiality, integrity, and availability.

CWE(s)

CWE-665: Improper Initialization

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

amd epyc 8024pn firmware, ≤ genoapi_1.0.0.8
amd epyc 8024p firmware, ≤ genoapi_1.0.0.8
amd epyc 8124pn firmware, ≤ genoapi_1.0.0.8
amd epyc 8124p firmware, ≤ genoapi_1.0.0.8
amd epyc 8224pn firmware, ≤ genoapi_1.0.0.8
amd epyc 8224p firmware, ≤ genoapi_1.0.0.8
amd epyc 8324pn firmware, ≤ genoapi_1.0.0.8
amd epyc 8324p firmware, ≤ genoapi_1.0.0.8
amd epyc 8434pn firmware, ≤ genoapi_1.0.0.8
amd epyc 8434p firmware, ≤ genoapi_1.0.0.8
Plus 55 more product configurations; see NVD for the full list.

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Control 1 (addresses CWE-665): Ensures shared resources are explicitly initialized or cleared on allocation, preventing exposure of prior contents to new users or processes.

Control 2 (addresses CWE-665): Mandates that every instance begins in a known (presumably clean) state, eliminating reliance on residual or uninitialized state left by prior executions.