AMD Graphics Driver Vulnerabilities – November 2022

Bulletin ID: AMD-SB-1029 **Potential Impact:**Varies by CVE, see descriptions below **Severity:**Varies by CVE, see descriptions below

Summary

AMD received reports of vulnerabilities potentially affecting some AMD Graphics products. Refer to the CVE Details section for information about each CVE.

CVE Details

Refer to Glossary for explanation of terms

CVE	Severity	CVE Description

CVE-2020-12930| High| Improper parameters handling in AMD Secure Processor (ASP) drivers may allow a privileged attacker to elevate their privileges potentially leading to loss of integrity.
CVE-2020-12931| High| Improper parameters handling in the AMD Secure Processor (ASP) kernel may allow a privileged attacker to elevate their privileges potentially leading to loss of integrity.
CVE-2021-26360| Medium| An attacker with local access to the system can make unauthorized modifications of the security configuration of the SOC registers. This could allow potential corruption of AMD secure processor’s encrypted memory contents which may lead to arbitrary code execution in ASP.
CVE-2021-26391| Medium| Insufficient verification of multiple header signatures while loading a Trusted Application (TA) may allow an attacker with privileges to gain code execution in that TA or the OS/kernel.
CVE-2021-26392| Medium| Insufficient verification of missing size check in ‘LoadModule’ may lead to an out-of-bounds write potentially allowing an attacker with
privileges to gain code execution of the OS/kernel by loading a malicious TA.
CVE-2021-26393| Medium| Insufficient memory cleanup in the AMD Secure Processor (ASP) Trusted Execution Environment (TEE) may allow an authenticated attacker with privileges to generate a valid signed TA and potentially poison the contents of the process memory with attacker controlled data resulting in a loss of confidentiality.

Affected Products

Graphics Cards

Platform	Release Version	Applicable CVE(s)
AMD Radeon™ RX 5000 Series andAMD Radeon™ PRO W5000 Series Graphics Cards	AMD Radeon Softwarev. 22.5.2AMD Radeon Pro Software for Enterprise v. 22.Q2Enterprise Driver v. 22.10.20	CVE-2020-12930CVE-2020-12931CVE-2021-26391CVE-2021-26392CVE-2021-26393
AMD Radeon™ RX 6000 Series and
AMD Radeon™ PRO W6000 Series Graphics Cards	AMD Radeon Softwarev. 22.5.2AMD Radeon Pro Software for Enterprise v. 22.Q2Enterprise Driver v. 22.10.20	CVE-2021-26360CVE-2021-26391CVE-2021-26392CVE-2021-26393
AMD Radeon™ RX Vega Series Graphics Cards	No fix planned	CVE-2020-12930CVE-2021-26391CVE-2021-26392CVE-2021-26393

Client APUs and CPUs

The AGESA™ versions listed below have been released to the Original Equipment Manufacturers (OEM) to mitigate these issues. Please refer to your OEM for the BIOS update specific to your product.

Desktop

CVE|AMD Ryzen™ 2000 Series Desktop Processors
“Raven Ridge” AM4|AMD Ryzen™ 2000 Series Desktop Processors
“Pinnacle Ridge”|AMD Ryzen™ 3000 Series Desktop Processors
“Matisse” AM4|AMD Ryzen™ 5000 Series Desktop Processors
“Vermeer” AM4|AMD Ryzen™ 5000 Series Desktop Processors with Radeon™ Graphics
“Cezanne” AM4
—|—|—|—|—|—
Minimum version to mitigate all listed CVEs| Raven-FP5-AM4 1.1.0.F PinnaclePI-AM4 1.0.0.DComboAM4PI 1.0.0.9 ComboAM4v2 PI 1.2.0.8(2022-07-27)| N/A| ComboAM4PI 1.0.0.9ComboAM4 V2 PI 1.2.0.8(2022-07-27)| ComboAM4 V2 PI 1.2.0.8(2022-07-27)| ComboAM4v2 PI 1.2.0.6(2022-02-18)
CVE-2020-12930| Raven-FP5-AM4 1.1.0.F PinnaclePI-AM4 1.0.0.DComboAM4PI 1.0.0.9 ComboAM4v2 PI 1.2.0.8(2022-07-27)| N/A| ComboAM4PI 1.0.0.9ComboAM4 V2 PI 1.2.0.8(2022-07-27)| ComboAM4 V2 PI 1.2.0.8(2022-07-27)| ComboAM4v2 PI 1.2.0.4
(2021-08-25)
CVE-2020-12931| Raven-FP5-AM4 1.1.0.F PinnaclePI-AM4 1.0.0.D ComboAM4PI 1.0.0.9 ComboAM4v2 PI 1.2.0.8(2022-07-27)| N/A| ComboAM4PI 1.0.0.8 ComboAM4 V2 PI 1.2.0.6(2022-02-28)| ComboAM4 V2 PI 1.2.0.6(2022-01-07)| ComboAM4v2 PI 1.2.0.4
(2021-08-25)
CVE-2021-26391| N/A| N/A| N/A| N/A| ComboAM4v2 PI 1.2.0.5(2021-11-20)
CVE-2021-26392| Raven-FP5-AM4 1.1.0.F PinnaclePI-AM4 1.0.0.DComboAM4PI 1.0.0.9 ComboAM4v2 PI 1.2.0.8(2022-07-27)| N/A| ComboAM4PI 1.0.0.9ComboAM4 V2 PI 1.2.0.8(2022-07-27)| ComboAM4 V2 PI 1.2.0.8(2022-07-27)| ComboAM4v2 PI 1.2.0.6(2022-02-18)
CVE-2021-26393| Raven-FP5-AM4 1.1.0.E PinnaclePI-AM4 1.0.0.C (RV1) ComboAM4PI 1.0.0.8ComboAM4v2 PI 1.2.0.6c(2022-02-28)| N/A| N/A| N/A| ComboAM4v2 PI 1.2.0.6(2022-02-18)
CVE-2021-26360| N/A| N/A| N/A| N/A| N/A

High End Desktop

CVE	2nd Gen AMD Ryzen™ Threadripper™ Processors “Colfax”	3rd Gen AMD Ryzen™ Threadripper™ Processors “Castle Peak” HEDT
Minimum version to mitigate all listed CVEs	N/A	CastlePeakPI-SP3r3 1.0.0.7(2022-01-28)
CVE-2020-12930	N/A	CastlePeakPI-SP3r3 1.0.0.7(2022-01-28)
CVE-2020-12931	N/A	CastlePeakPI-SP3r3 1.0.0.7(2022-01-28)
CVE-2021-26391	N/A	N/A
CVE-2021-26392	N/A	CastlePeakPI-SP3r3 1.0.0.7(2022-01-28)
CVE-2021-26393	N/A	N/A
CVE-2021-26360	N/A	N/A

Workstation

CVE	AMD Ryzen™ Threadripper™ PRO Processors “Castle Peak” WS	AMD Ryzen™ Threadripper™ PRO Processors “Chagall” WS
Minimum version to mitigate all listed CVEs	CastlePeakWSPI-sWRX8 1.0.0.9ChagallWSPI-sWRX8 1.0.0.2(2022-01-20)	ChagallWSPI-sWRX8 1.0.0.2(2022-01-07)
CVE-2020-12930	CastlePeakWSPI-sWRX8 1.0.0.9ChagallWSPI-sWRX8 1.0.0.2(2022-01-20)	ChagallWSPI-sWRX8 1.0.0.2(2022-01-07)
CVE-2020-12931	CastlePeakWSPI-sWRX8 1.0.0.9ChagallWSPI-sWRX8 1.0.0.2(2022-01-20)	ChagallWSPI-sWRX8 1.0.0.2(2022-01-07)
CVE-2021-26391	N/A	N/A
CVE-2021-26392	CastlePeakWSPI-sWRX8 1.0.0.9ChagallWSPI-sWRX8 1.0.0.2(2022-01-20)	ChagallWSPI-sWRX8 1.0.0.2(2022-01-07)
CVE-2021-26393	N/A	N/A
CVE-2021-26360	N/A	N/A

Mobile- AMD Athlon™ Series

CVE	AMD Athlon™ 3000 Series Mobile Processors with Radeon™ Graphics “Dali”/”Dali” ULP	AMD Athlon™ 3000 Series Mobile Processors with Radeon™ Graphics “Pollock”
Minimum version to mitigate all listed CVEs	PicassoPI-FP5 1.0.0.E(2022-07-06)	PollockPI-FT5 1.0.0.4(2022-06-29)
CVE-2020-12930	PicassoPI-FP5 1.0.0.E(2022-07-06)	PollockPI-FT5 1.0.0.4(2022-06-29)
CVE-2020-12931	PicassoPI-FP5 1.0.0.E(2022-07-06)	PollockPI-FT5 1.0.0.4(2022-06-29)
CVE-2021-26391	N/A	N/A
CVE-2021-26392	PicassoPI-FP5 1.0.0.E(2022-07-06)	PollockPI-FT5 1.0.0.4(2022-06-29)
CVE-2021-26393	PicassoPI-FP5 1.0.0.D
(2022-02-28)	PollockPI-FT5 1.0.0.4(2022-06-29)
CVE-2021-26360	N/A	N/A

Mobile - AMD Ryzen™ Series

CVE	AMD Ryzen™ 2000 Series Mobile Processors “Raven Ridge” FP5	AMD Ryzen™ 3000 Series Mobile Processors, 2nd Gen AMD Ryzen™ Mobile Processors with Radeon™ Graphics “Picasso”	AMD Ryzen™ 4000 Series Mobile Processors with Radeon™ Graphics “Renoir” FP6	AMD Ryzen™ 5000 Series Mobile Processors with Radeon™ Graphics “Lucienne”	AMD Ryzen™ 5000 Series Mobile Processors with Radeon™ Graphics “Cezanne”	AMD Ryzen™ 6000 Series Mobile Processors “Rembrandt”
Minimum version to mitigate all listed CVEs	Raven-FP5-AM4 1.1.0.FPinnaclePI-AM4 1.0.0.D ComboAM4PI 1.0.0.9 ComboAM4v2 PI 1.2.0.8(2022-07-27)	PicassoPI-FP5 1.0.0.E ComboAM4PI 1.0.0.9 ComboAM4v2 PI 1.2.0.8(2022-07-27)	RenoirPI-FP6 1.0.0.8 ComboAM4v2 PI 1.2.0.6(2022-01-19)	CezannePI-FP6 1.0.0.9(2022-02-18)	CezannePI-FP6 1.0.0.9(2022-02-18)	N/A
CVE-2020-12930	Raven-FP5-AM4 1.1.0.FPinnaclePI-AM4 1.0.0.D ComboAM4PI 1.0.0.9 ComboAM4v2 PI 1.2.0.8(2022-07-27)	PicassoPI-FP5 1.0.0.E ComboAM4PI 1.0.0.9 ComboAM4v2 PI 1.2.0.8(2022-07-27)	RenoirPI-FP6 1.0.0.7ComboAM4v2 PI 1.2.0.4(2021-08-25)	CezannePI-FP6 1.0.0.4 (6E)(2021-06-23)	CezannePI-FP6 1.0.0.4 (6E)(2021-08-25)	N/A

CVE-2020-12931| Raven-FP5-AM4 1.1.0.FPinnaclePI-AM4 1.0.0.DComboAM4PI 1.0.0.9 ComboAM4v2 PI 1.2.0.8(2022-07-27)| PicassoPI-FP5 1.0.0.E ComboAM4PI 1.0.0.9 ComboAM4v2 PI 1.2.0.8(2022-07-27)| RenoirPI-FP6 1.0.0.7 ComboAM4v2 PI 1.2.0.4(2021-11-02)| CezannePI-FP6 1.0.0.4(2021-06-23)| CezannePI-FP6 1.0.0.4(2021-08-25)| N/A

CVE-2021-26391| N/A| N/A| RenoirPI-FP6 1.0.0.7 ComboAM4v2 PI 1.2.0.5(2021-11-20)| CezannePI-FP6 1.0.0.6(2021-11-20)| CezannePI-FP6 1.0.0.6(2021-11-20)| N/A
CVE-2021-26392| Raven-FP5-AM4 1.1.0.FPinnaclePI-AM4 1.0.0.D ComboAM4PI 1.0.0.9 ComboAM4v2 PI 1.2.0.8(2022-07-27)| PicassoPI-FP5 1.0.0.E ComboAM4PI 1.0.0.9 ComboAM4v2 PI 1.2.0.8(2022-07-27)| RenoirPI-FP6 1.0.0.8 ComboAM4v2 PI 1.2.0.6(2022-01-19)| CezannePI-FP6 1.0.0.9(2022-02-18)| CezannePI-FP6 1.0.0.9(2022-02-18)| N/A)
CVE-2021-26393| Raven-FP5-AM4 1.1.0.EPinnaclePI-AM4 1.0.0.C (RV1) ComboAM4PI 1.0.0.8/ComboAM4v2 PI 1.2.0.6c(2022-02-28)| PicassoPI-FP5 1.0.0.DComboAM4PI 1.0.0.8ComboAM4v2 PI 1.2.0.6c(2022-02-28)| RenoirPI-FP6 1.0.0.8 ComboAM4v2 PI 1.2.0.6(2022-01-19)| CezannePI-FP6 1.0.0.9(2022-02-18)| CezannePI-FP6 1.0.0.9(2022-02-18)| N/A
CVE-2021-26360| N/A| N/A| N/A| N/A| N/A| N/A

Mitigation

AMD recommends updating the AMD Graphics Driver to the version recommended for your product below. Please refer to your Original Equipment Manufacturer (OEM) for the driver update specific to your product.