CVE-2023-31313
Published: 12 February 2026
Summary
CVE-2023-31313 is a high-severity Confused Deputy (CWE-441) vulnerability in AMD products (vendor inferred from references). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Component Firmware (T1542.002); the CVE ranks at the 3.4th percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2023-31313 is a vulnerability in the AMD power management firmware (PMFW) involving an unintended proxy or intermediary that could allow a privileged attacker to send malformed messages to the system management unit (SMU), potentially resulting in arbitrary code execution. Published on 2026-02-12, it carries a CVSS v3.1 base score of 7.2 (AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N) and maps to CWE-441 (Unintended Proxy or Intermediary ('Confused Deputy')).
The attack requires local access with high privileges (PR:H) and high attack complexity (AC:H), but no user interaction. A successful exploit enables the attacker to achieve arbitrary code execution with high impacts on confidentiality and integrity, no impact on availability, and a changed scope due to the firmware context.
AMD's security bulletin provides details on mitigation; practitioners should refer to https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-6024.html for patch information and remediation guidance.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-35624
Vulnerability details
An unintended proxy or intermediary in the AMD power management firmware (PMFW) could allow a privileged attacker to send malformed messages to the system management unit (SMU) potentially resulting in arbitrary code execution.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability in component firmware (PMFW) directly enables arbitrary code execution via malformed messages to SMU.
Mitigating Controls (NIST 800-53 r5)
- AC-4 (Information Flow Enforcement): directly enforces information flow policies between PMFW and SMU to block unintended proxying of malformed messages.
- SI-10 (Information Input Validation): requires validation of all inputs to the SMU so that malformed messages originating from the PMFW proxy are rejected before code execution.
- Isolation of security-relevant firmware functions (PMFW/SMU) to limit the confused-deputy attack surface that enables arbitrary code execution.