CVE-2023-31320

High

Published: 14 November 2023

Modified: 21 November 2024
CVSS Score (v3.1): 7.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.0518 (90.1th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-31320 is a high-severity improper input validation (CWE-20) vulnerability in AMD Radeon Software. Its CVSS v3.1 base score is 7.5 (High).

Operationally, it ranks in the top 9.9% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability is an instance of improper input validation, tracked as CVE-2023-31320 and assigned CWE-20, that affects the AMD Radeon Graphics display driver. Successful exploitation can corrupt display output and produce a denial-of-service condition. The CVSS 3.1 vector gives it a base score of 7.5, with a network attack vector, low attack complexity, and no required privileges or user interaction; the rated impact is to availability only.

An unauthenticated attacker with network access can send crafted input to the driver, triggering display corruption that renders the system unusable until recovery. Because the flaw resides in a graphics driver component exposed to remote input, the attack does not require local code execution or user assistance.

AMD has published mitigation guidance in security bulletin AMD-SB-6003, which directs users to the corresponding driver updates that address the input-validation weakness. The bulletin is referenced as the authoritative source for patch availability and installation instructions.

EPSS scores for the CVE remain low, with a current value of 0.0518 and a peak of 0.0664, indicating limited observed exploitation interest to date.

Vulnerability details

Improper input validation in the AMD Radeon™ Graphics display driver may allow an attacker to corrupt the display, potentially resulting in denial of service.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

amd radeon software: ≤ 23.7.1 · ≤ 23.q3 · ≤ 23.7.1
amd radeon rx vega 56 firmware: all versions
amd radeon rx vega 64 firmware: all versions
amd radeon pro vega 56 firmware: all versions
amd radeon pro vega 64 firmware: all versions

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-20: Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.

Addresses CWE-20: Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.

Addresses CWE-20: Directly implements checks on information inputs to reject invalid data before processing.

Addresses CWE-20: Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.
