CVSS Vector (NVD)
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
Improper input validation in the AMD Secure Processor (ASP) PCI driver may allow a local attacker to create a buffer overflow condition, potentially resulting in a crash or denial of service.
Analysis (AI)
Buffer overflow in the AMD Secure Processor (ASP) PCI driver affects dozens of AMD Ryzen, EPYC, and Threadripper processor families across desktop, mobile, and embedded variants. Local attackers with user-level privileges can trigger improper input validation in the driver to cause a crash or denial of service, with potential for integrity impact. The vulnerability requires local access and authenticated user privileges; no active exploitation in the wild has been confirmed, and vendor-released patches are available.
Technical Context (AI)
The AMD Secure Processor (ASP) is a dedicated security coprocessor integrated into modern AMD processors (Ryzen, EPYC, Threadripper, Embedded variants). The vulnerability exists in the PCI driver that manages communication between the host CPU and the ASP firmware. CWE-120 (Buffer Copy without Checking Size of Input) indicates the driver fails to properly validate the length of input data before copying it into a fixed-size buffer. This is a classic stack or heap buffer overflow condition. The affected driver component ships as part of the AMD Ryzen Chipset Driver package (PSP driver subsystem) on Windows systems. The root cause involves insufficient bounds checking on untrusted input from user-mode applications accessing the ASP PCI device interface.
Remediation (AI)
Install AMD Ryzen Chipset Driver version 7.02.13.148 or later with PSP driver version 5.38.0.0 or later, available from AMD's product security bulletins AMD-SB-4015 and AMD-SB-3047. Embedded processor users should update to the Q2-2025 or later certified Catalyst WHQL drivers as specified in EUVD-2025-209862 for their respective series (R2000/V2000, 7000/8000/9000). On systems requiring extended support periods, restrict user-level access to the ASP PCI device interface via OS access control lists or device permission policies until the chipset driver can be updated; this mitigates exploitation risk from unprivileged users but does not prevent attacks by administrators or kernel-level code. Windows Update may distribute these patches automatically on consumer systems; verify installation on enterprise endpoints using SCCM, Intune, or local version reporting tools. No workaround prevents exploitation for authenticated users short of driver update.
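One way to do the local version check mentioned above, as an added example (not AMD's or this site's tooling). It assumes the ASP/PSP device is listed by Windows with a device name matching `*AMD*PSP*`; adjust the filter to what Device Manager shows on your hardware. It checks only the PSP driver version, not the chipset package version.

```powershell
# Added example: flag AMD PSP drivers older than the fixed version named in the remediation text.
# Assumption: the device name filter below matches how the ASP/PSP device is listed on the host.
$MinimumPspVersion = [version]'5.38.0.0'   # PSP driver version from the remediation section

function Get-AmdPspDriverStatus {
    param([version]$Minimum = $MinimumPspVersion)

    # Win32_PnPSignedDriver lists installed signed drivers with their versions.
    $devices = @(Get-CimInstance -ClassName Win32_PnPSignedDriver |
        Where-Object { $_.DeviceName -like '*AMD*PSP*' })

    if ($devices.Count -eq 0) {
        # No matching device: either not AMD hardware or the name filter needs adjusting.
        return [pscustomobject]@{
            Computer      = $env:COMPUTERNAME
            Device        = $null
            DriverVersion = $null
            Status        = 'NoPspDeviceFound'
        }
    }

    foreach ($d in $devices) {
        $installed = $null
        # Compare as [version], not as strings, so 5.9.x sorts below 5.38.x.
        $status = if (-not [version]::TryParse($d.DriverVersion, [ref]$installed)) {
            'UnparsedVersion'
        } elseif ($installed -ge $Minimum) {
            'Patched'
        } else {
            'NeedsUpdate'
        }
        [pscustomobject]@{
            Computer      = $env:COMPUTERNAME
            Device        = $d.DeviceName
            DriverVersion = $d.DriverVersion
            Status        = $status
        }
    }
}

Get-AmdPspDriverStatus | Format-Table -AutoSize
```

The function returns objects rather than text, so the same output can be exported with `Export-Csv` or collected by whatever endpoint management tool runs the script.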
EUVD-2025-209862
GHSA-jghc-g6xj-rr96