Skip to main content

AMD Platform Management Framework CVE-2025-48520

| EUVDEUVD-2025-209865 MEDIUM
Out-of-bounds Read (CWE-125)
2026-05-15 AMD GHSA-mcj8-g2g4-fg5g
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
May 15, 2026 - 04:16 vuln.today
CVSS changed
May 15, 2026 - 02:22 NVD
6.9 (MEDIUM)
CVE Published
May 15, 2026 - 01:51 nvd
UNKNOWN (no severity yet)
CVE Published
May 15, 2026 - 01:51 nvd
MEDIUM 6.9

DescriptionCVE.org

An improper input validation vulnerability within the AMD Platform Management Framework (PMF) driver can allow a local attacker to read Out-of-Bounds potentially resulting in information disclosure or a crash

AnalysisAI

Improper input validation in the AMD Platform Management Framework (PMF) driver allows local authenticated attackers to read out-of-bounds memory, resulting in information disclosure or denial of service. The vulnerability affects multiple Ryzen processor families (7035, 7040, 8040, 6000 series, and Embedded 8000) and requires local access with limited privileges to exploit.

Technical ContextAI

The AMD Platform Management Framework is a firmware/driver component responsible for managing power, thermal, and other platform settings on AMD Ryzen processors. CWE-125 (Out-of-Bounds Read) indicates the vulnerability stems from improper validation of user-supplied input before memory access operations. The flaw likely exists in an ioctl handler or memory-mapped interface exposed by the PMF driver, where an attacker can craft malicious requests to cause the driver to read memory regions outside intended boundaries. This is distinct from a write vulnerability - the attacker cannot modify kernel memory but can exfiltrate sensitive data from adjacent memory regions.

RemediationAI

Update AMD Platform Management Framework to version 7.06.02.123 or later. For AMD Ryzen Embedded 8000 Series, apply the patched amd_chipset_software_7.06.02.123.exe. For other Ryzen families, retrieve the chipset driver package from AMD's support website that includes PMF version 7.06.02.123 and install according to AMD's guidance. If immediate patching is not possible, restrict local user access to the system or disable non-essential local accounts; however, this is a partial mitigation only, as the vulnerability requires low privileges (authenticated local user). No workarounds are documented in the advisory to disable the vulnerable PMF feature without breaking platform functionality. Prioritize patching for multi-user systems and systems that handle sensitive data accessible to kernel memory.

More in Amd

View all
CVE-2021-22986 CRITICAL POC
9.8 Mar 31

On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.

CVE-2020-6103 CRITICAL POC
9.9 Jul 20

An exploitable code execution vulnerability exists in the Shader functionality of AMD Radeon DirectX 11 Driver atidxx64.

CVE-2020-6102 CRITICAL POC
9.9 Jul 20

An exploitable code execution vulnerability exists in the Shader functionality of AMD Radeon DirectX 11 Driver atidxx64.

CVE-2020-6101 CRITICAL POC
9.9 Jul 20

An exploitable code execution vulnerability exists in the Shader functionality of AMD Radeon DirectX 11 Driver atidxx64.

CVE-2020-6100 CRITICAL POC
9.9 Jul 20

An exploitable memory corruption vulnerability exists in AMD atidxx64.dll 26.20.15019.19000 graphics driver. Rated criti

CVE-2018-6546 CRITICAL POC
9.8 Apr 13

plays_service.exe in the plays.tv service before 1.27.7.0, as distributed in AMD driver-installation packages and Gaming

CVE-2021-3653 HIGH POC
8.8 Sep 29

A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. Rated high severity (CVSS 8.8), this vu

CVE-2020-12138 HIGH POC
8.8 Apr 27

AMD ATI atillk64.sys 5.11.9.0 allows low-privileged users to interact directly with physical memory by calling one of se

CVE-2019-5098 HIGH POC
8.6 Dec 05

An exploitable out-of-bounds read vulnerability exists in AMD ATIDXX64.DLL driver, version 26.20.13001.29010. Rated high

CVE-2015-7724 HIGH POC
7.8 Jun 07

AMD fglrx-driver before 15.9 allows local users to gain privileges via a symlink attack. Rated high severity (CVSS 7.8),

CVE-2015-7723 HIGH POC
7.8 Jun 07

AMD fglrx-driver before 15.7 allows local users to gain privileges via a symlink attack. Rated high severity (CVSS 7.8),

CVE-2023-1048 HIGH POC
7.8 Feb 26

A vulnerability, which was classified as critical, has been found in TechPowerUp Ryzen DRAM Calculator 1.2.0.5.sys. Rate

Share

CVE-2025-48520 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy