CVE-2023-20578

Name: CVE-2023-20578
Creator: NVD / NIST
Published: 2024-08-13T17:15:19.51+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 6.4/10EPSS 0.12%

Last modified Jun 17, 2026

CVE-2023-20578 is a medium-severity vulnerability rated 6.4/10 on the CVSS scale. A TOCTOU (Time-Of-Check-Time-Of-Use) in SMM may allow an attacker with ring0 privileges and access to the BIOS menu or UEFI shell to modify the communications buffer potentially resulting in arbitrary code execution.. EPSS estimates a 0.12% chance of exploitation in the next 30 days.

Description

A TOCTOU (Time-Of-Check-Time-Of-Use) in SMM may allow an attacker with ring0 privileges and access to the BIOS menu or UEFI shell to modify the communications buffer potentially resulting in arbitrary code execution.

Metrics

CVSS 3.1

6.4/10

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

0.12%

1.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Amd	Epyc 8024pn Firmware	< genoapi_1.0.0.2
Amd	Epyc 8024p Firmware	< genoapi_1.0.0.2
Amd	Epyc 8124pn Firmware	< genoapi_1.0.0.2
Amd	Epyc 8124p Firmware	< genoapi_1.0.0.2
Amd	Epyc 8224pn Firmware	< genoapi_1.0.0.2
Amd	Epyc 8224p Firmware	< genoapi_1.0.0.2
Amd	Epyc 8324pn Firmware	< genoapi_1.0.0.2
Amd	Epyc 8324p Firmware	< genoapi_1.0.0.2
Amd	Epyc 8434pn Firmware	< genoapi_1.0.0.2
Amd	Epyc 8434p Firmware	< genoapi_1.0.0.2
Amd	Epyc 8534pn Firmware	< genoapi_1.0.0.2
Amd	Epyc 8534p Firmware	< genoapi_1.0.0.2
Amd	Epyc 9734 Firmware	< genoapi_1.0.0.2
Amd	Epyc 9754s Firmware	< genoapi_1.0.0.2
Amd	Epyc 9754 Firmware	< genoapi_1.0.0.2
Amd	Epyc 9184x Firmware	< genoapi_1.0.0.2
Amd	Epyc 9384x Firmware	< genoapi_1.0.0.2
Amd	Epyc 9684x Firmware	< genoapi_1.0.0.2
Amd	Epyc 9124 Firmware	< genoapi_1.0.0.2
Amd	Epyc 9174f Firmware	< genoapi_1.0.0.2
Amd	Epyc 9224 Firmware	< genoapi_1.0.0.2
Amd	Epyc 9254 Firmware	< genoapi_1.0.0.2
Amd	Epyc 9274f Firmware	< genoapi_1.0.0.2
Amd	Epyc 9334 Firmware	< genoapi_1.0.0.2
Amd	Epyc 9354 Firmware	< genoapi_1.0.0.2
Amd	Epyc 9354p Firmware	< genoapi_1.0.0.2
Amd	Epyc 9374f Firmware	< genoapi_1.0.0.2
Amd	Epyc 9454 Firmware	< genoapi_1.0.0.2
Amd	Epyc 9454p Firmware	< genoapi_1.0.0.2
Amd	Epyc 9474f Firmware	< genoapi_1.0.0.2
Amd	Epyc 9534 Firmware	< genoapi_1.0.0.2
Amd	Epyc 9554 Firmware	< genoapi_1.0.0.2
Amd	Epyc 9554p Firmware	< genoapi_1.0.0.2
Amd	Epyc 9634 Firmware	< genoapi_1.0.0.2
Amd	Epyc 9654 Firmware	< genoapi_1.0.0.2
Amd	Epyc 9654p Firmware	< genoapi_1.0.0.2
Amd	Epyc 7203 Firmware	< milanpi_1.0.0.5
Amd	Epyc 7203p Firmware	< milanpi_1.0.0.5
Amd	Epyc 72f3 Firmware	< milanpi_1.0.0.5
Amd	Epyc 7303 Firmware	< milanpi_1.0.0.5
Amd	Epyc 7303p Firmware	< milanpi_1.0.0.5
Amd	Epyc 7313 Firmware	< milanpi_1.0.0.5
Amd	Epyc 7313p Firmware	< milanpi_1.0.0.5
Amd	Epyc 7343 Firmware	< milanpi_1.0.0.5
Amd	Epyc 73f3 Firmware	< milanpi_1.0.0.5
Amd	Epyc 7373x Firmware	< milanpi_1.0.0.5
Amd	Epyc 7413 Firmware	< milanpi_1.0.0.5
Amd	Epyc 7443 Firmware	< milanpi_1.0.0.5
Amd	Epyc 7443p Firmware	< milanpi_1.0.0.5
Amd	Epyc 74f3 Firmware	< milanpi_1.0.0.5

Showing 50 of 105 affected configurations. See NVD for the full list.

References

https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3003.htmlVendor Advisory

Timeline

Published: Aug 13, 2024
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2023-20578?

How severe is CVE-2023-20578?

CVE-2023-20578 has a CVSS score of 6.4/10 (MEDIUM severity). The EPSS model estimates a 0.12% probability of exploitation in the next 30 days.

How do I fix CVE-2023-20578?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-20578?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST