Cyber Resilience

CVE-2023-31313

High

Published: 12 February 2026

Published
12 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 7.2 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N
EPSS Score 0.0001 3.4th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-31313 is a high-severity Confused Deputy (CWE-441) vulnerability in Amd (inferred from references). Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Component Firmware (T1542.002); ranked at the 3.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2023-31313 is a vulnerability in the AMD power management firmware (PMFW) involving an unintended proxy or intermediary that could allow a privileged attacker to send malformed messages to the system management unit (SMU), potentially resulting in arbitrary code execution. Published on 2026-02-12, it carries a CVSS v3.1 base score of 7.2 (AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N) and maps to CWE-441 (Unintended Proxy or Intermediary ('Confused Deputy')).

The attack requires local access with high privileges (PR:H) and high attack complexity (AC:H), but no user interaction. A successful exploit enables the attacker to achieve arbitrary code execution with high impacts on confidentiality and integrity, no impact on availability, and a changed scope due to the firmware context.

AMD's security bulletin provides details on mitigation; practitioners should refer to https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-6024.html for patch information and remediation guidance.

EU & UK References

Vulnerability details

An unintended proxy or intermediary in the AMD power management firmware (PMFW) could allow a privileged attacker to send malformed messages to the system management unit (SMU) potentially resulting in arbitrary code execution.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1542.002 Component Firmware Stealth
Adversaries may modify component firmware to persist on systems.
Why these techniques?

Vulnerability in component firmware (PMFW) directly enables arbitrary code execution via malformed messages to SMU.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-0107Shared CWE-441
CVE-2026-0098Shared CWE-441
CVE-2025-48646Shared CWE-441
CVE-2026-0008Shared CWE-441
CVE-2025-48570Shared CWE-441
CVE-2026-0013Shared CWE-441
CVE-2025-48579Shared CWE-441
CVE-2026-39906Shared CWE-441
CVE-2026-0021Shared CWE-441
CVE-2025-64123Shared CWE-441

Affected Assets

Amd
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces information flow policies between PMFW and SMU to block unintended proxying of malformed messages.

prevent

Requires validation of all inputs to the SMU so malformed messages originating from the PMFW proxy are rejected before code execution.

prevent

Isolates security-relevant firmware functions (PMFW/SMU) to limit the confused-deputy attack surface that enables arbitrary code execution.

References