Cyber Posture

CVE-2024-21925

High

Published: 11 February 2025

Published
11 February 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score 8.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0007 21.0th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-21925 is a high-severity Improper Input Validation (CWE-20) vulnerability in Amd (inferred from references). Its CVSS base score is 8.2 (High).

Operationally, ranked at the 21.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly requires validation of inputs to the AmdPspP2CmboxV2 driver, preventing malformed inputs that enable SMRAM overwrite.

SI-2 Flaw Remediation good match
prevent

Mandates identification, reporting, and correction of flaws like improper input validation in the driver via patching as per AMD-SB-7027.

SI-16 Memory Protection partial match
prevent

Implements safeguards to protect SMRAM and other memory from unauthorized access or overwrite by privileged attackers.

NVD Description

Improper input validation within the AmdPspP2CmboxV2 driver may allow a privileged attacker to overwrite SMRAM, leading to arbitrary code execution.

Deeper analysisAI

CVE-2024-21925 is an improper input validation vulnerability (CWE-20) in the AmdPspP2CmboxV2 driver on AMD platforms. Published on 2025-02-11, it enables a privileged attacker to overwrite SMRAM, potentially leading to arbitrary code execution. The issue carries a CVSS v3.1 base score of 8.2 (AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating high severity due to local attack vector, low attack complexity, high privileges required, no user interaction, changed scope, and high impacts across confidentiality, integrity, and availability.

A local attacker possessing high-level privileges can exploit this vulnerability by sending malformed input to the AmdPspP2CmboxV2 driver. This allows overwriting of SMRAM contents, granting the ability to execute arbitrary code at the highest privilege levels, potentially compromising the entire system.

AMD has addressed this issue in Security Bulletin AMD-SB-7027, available at https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7027.html, which provides details on affected products and recommended mitigations or patches.

Details

CWE(s)
CWE-20

Affected Products

Amd
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2026-27623Shared CWE-20
CVE-2025-61614Shared CWE-20
CVE-2026-20856Shared CWE-20
CVE-2025-69278Shared CWE-20
CVE-2025-30452Shared CWE-20
CVE-2025-20146Shared CWE-20
CVE-2026-28894Shared CWE-20
CVE-2025-54785Shared CWE-20
CVE-2025-1736Shared CWE-20
CVE-2026-5329Shared CWE-20

References