AMD and Intel plug numerous security holes

Various security vulnerabilities affect hardware and software from AMD and Intel. In August, both manufacturers will provide updates and, in some cases, only information about them. Some can and should be installed by users, while the hardware manufacturers are responsible for others.

AMD hardware and software vulnerabilities

Several security vulnerabilities in AMD GPUs and their processor-integrated counterparts have reached high-risk status in some cases. AMD lists the individual vulnerabilities in the security report table –, some of which date back to 2021. For Data Center Graphics products, AMD has been distributing updated drivers that solve the problems since September 2024 in some cases. For the end-user GPUs, driver updates have been available for parts of the gaps since 2023, but the more recent gaps only seem to be closed by the drivers that have been available since the end of May this year.

The AMD client processors also have various vulnerabilities that affect the System Management Mode (SMM), AMD Security Processor (ASP) and other components. Some of the security reports from August 2025 also date back to 2021. They affect processors from the Ryzen 2000 series, among others, and more recently also the newer processors up to the Ryzen AI 300 series. Various firmware microcode versions are available for this, which motherboard manufacturers, for example, have to transplant into a BIOS update.

AMD's server processors get off more lightly, with the company reporting significantly fewer security vulnerabilities, only two of which pose a high risk. A more recent vulnerability from this year allows local admins to load malicious CPU microcode (CVE-2025-0032, CVSS 7.2, risk "high"). In addition, attackers with physical access and Ring0 privileges can abuse insufficient validation of data from the memory latch DIMM SPD to inject code into the system management mode (CVE-2024-36354, CVSS 7.5, risk "high") – which does not necessarily sound trivial to execute. Firmware updates for various Epyc processors from 4004 to 9005 solve the problem.

AMD also reports on a research paper in which the analysts can inject their own code into the Zen 4 PSP (Platform Security Processor) by exposing voltage faults (Voltage Fault Injection, VFI). This requires local, physical access. "Physical attacks such as VFI are outside the threat model of affected AMD products", the manufacturer notes, which is why there is no solution in the form of updates. Affected are Epyc Zen 4 and its embedded siblings as well as previous, the AMD Instinct MI-200, MI-300 and MI-350 series, Ryzen Zen 4 and previous, the Ryzen 9000HX and 9000 series and the embedded variants with Zen 4 and older versions. In addition, Radeon RX 7000/6000/5000/VII/Vega, Radeon Pro W7000/6000/5000/VII/Vega and Radeon Pro V series.

Numerous security problems with Intel products

On Wednesday night, Intel also published numerous security notifications, more than 30 in total. Of these, only a few stand out with their "high risk" severity level. Some Intel Ethernet drivers for Linux allow the extension of rights to the system, information leakage or a denial of service. In particular in the kernel-mode driver for Ethernet cards of the Intel 700 series, registered attackers can escalate their rights in versions prior to the current 2.28.5 (CVE-2025-24486, CVE-2025-25273, CVSS 7.8, risk "high"; CVE-2025-21086, CVSS 7.5, risk "high"). These are components of the Xeon D-2100 processors and C620 chipsets. One of the vulnerabilities with a lower risk rating also affects the versions of the Ethernet driver for the I350 series and will be closed with version 5.19.2 or newer.

The company is also providing the updated version 23.110.0.5 for the Intel WLAN drivers for Wi-Fi 6E AX211, Wi-Fi 7 BE200, BE201 and BE202. Attackers can provoke a denial of service in the previous versions due to insufficient status checks (CVE-2025-20625, CVSS 7.4, risk "high"). In some IPUs and chipsets, attackers can extend their rights as there is a race condition between a check and the use of unspecified information in the Converged Security and Management Engine (CSME). This allows logged-in users to extend their rights (CVE-2025-20037, CVSS 7.2, risk "high"). Two slightly less serious vulnerabilities also affect the Server Platform Services (SPS) and Active Management Technology (AMT) as well as Intel Standard Manageability. The high-risk vulnerability affects the Intel Core Ultra processors of series 1 and 2. The firmware updates to version 18.1.18, 19.0.5 and 20.0.5 correct the errors.

For the problems that can be solved with driver updates, those affected should download and install the updated drivers. Where firmware updates are necessary, however, they should consult the manufacturer websites of their systems to see whether BIOS updates are available for their systems.

(dmk)