CVE-2023-31317: AMD Secure Processor RCE Vulnerability

CVE-2023-31317 Overview

CVE-2023-31317 is a memory corruption vulnerability in the AMD Secure Processor (ASP), the dedicated security subsystem embedded within AMD CPUs. The flaw stems from improper restriction of operations within the bounds of a memory buffer [CWE-119]. An attacker with local, low-privileged access can read or write to protected memory regions managed by the ASP. Successful exploitation can lead to arbitrary code execution within a privileged trust boundary, undermining the platform security guarantees that depend on the ASP. AMD documented the issue in AMD Security Bulletin #6027.

Critical Impact

Exploitation grants read and write access to memory protected by the AMD Secure Processor, enabling arbitrary code execution within the platform's root of trust.

Affected Products

• AMD Secure Processor (ASP) firmware components covered by AMD Security Bulletin #6027
• AMD processor platforms relying on the ASP for platform security functions
• Refer to the vendor advisory for the complete list of impacted CPU families and firmware versions

Discovery Timeline

• 2026-05-15 - CVE-2023-31317 published to NVD
• 2026-05-15 - Last updated in NVD database

Technical Details for CVE-2023-31317

Vulnerability Analysis

The AMD Secure Processor is an ARM-based coprocessor that handles cryptographic operations, secure boot, and memory isolation primitives such as AMD Secure Encrypted Virtualization (SEV). It executes in a privilege domain above the main CPU cores and the operating system. A memory buffer boundary flaw inside this trust domain allows operations to reach memory the ASP is responsible for protecting. Because the ASP enforces hardware-rooted security policies, any code executed in this context inherits trust that the operating system cannot revoke. The attack vector is local, and the attacker must already hold low-level privileges on the host. Exploitation requires high attack complexity, reflecting the technical depth needed to manipulate ASP-bound buffers reliably.

Root Cause

The root cause is improper enforcement of buffer bounds within ASP-handled operations, mapped to [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer). When the ASP processes attacker-influenced input, it fails to validate the size or offset of memory accesses against the allocated buffer. This permits out-of-bounds reads and writes against memory regions the ASP is supposed to isolate. The flaw resides in firmware-level logic, not in operating system code, so traditional OS protections do not contain it.

Attack Vector

An attacker with local access and low privileges on an affected system issues crafted requests or data structures that the ASP processes. By controlling input that drives buffer-relative operations, the attacker forces the ASP to read or write outside the intended boundaries. Successful manipulation overwrites protected memory and can redirect execution flow inside the ASP context. The end result is arbitrary code execution within the secure processor, bypassing protections that depend on ASP integrity. Detailed exploitation specifics are described in the AMD Security Bulletin #6027.

No public proof-of-concept code has been released for this vulnerability. Refer to the AMD advisory for technical specifics.

Detection Methods for CVE-2023-31317

Indicators of Compromise

• No public indicators of compromise have been published for CVE-2023-31317.
• Compromise of the AMD Secure Processor typically leaves minimal artifacts in operating system logs because the ASP operates below the OS trust boundary.
• Unexpected firmware version mismatches between reported and installed ASP firmware can suggest tampering.

Detection Strategies

• Inventory ASP firmware versions across the fleet and compare them against the fixed versions referenced in AMD Security Bulletin #6027.
• Monitor for local privilege escalation activity and unauthorized access to platform management interfaces that interact with the ASP.
• Correlate kernel-level driver loads and signed-driver anomalies that could precede an attempt to interact with ASP-exposed interfaces.

Monitoring Recommendations

• Enable platform attestation features where available and alert on attestation failures or unexpected measurement changes.
• Log and review firmware update events, secure boot state transitions, and SEV-related operations on affected hosts.
• Track local logon events with elevated privileges on systems exposing ASP-adjacent management tooling.

How to Mitigate CVE-2023-31317

Immediate Actions Required

• Identify all AMD-based systems in scope and cross-reference them with the affected platforms listed in AMD Security Bulletin #6027.
• Apply the AGESA or platform firmware updates supplied by your system or motherboard vendor as soon as they are validated.
• Restrict local access to affected systems and enforce least-privilege policies for accounts that can interact with low-level platform interfaces.

Patch Information

AMD has published fixed firmware through AMD Security Bulletin #6027. Platform vendors (OEMs and motherboard manufacturers) integrate the fix into BIOS/UEFI updates that include the updated AGESA and ASP firmware. Administrators should obtain firmware updates from the system vendor for their specific platform and validate the ASP firmware version after deployment. See AMD Security Bulletin #6027 for vendor guidance.

Workarounds

• No software-only workaround eliminates the underlying firmware flaw; only the vendor firmware update resolves CVE-2023-31317.
• Reduce risk by minimizing local privileged access, removing unnecessary local accounts, and enforcing strong authentication on affected hosts.
• For confidential computing workloads relying on AMD SEV, defer trust decisions until updated firmware is deployed and attestation confirms the patched ASP version.

# Verify processor and firmware information on Linux to support patch tracking
cat /proc/cpuinfo | grep -E 'model name|microcode' | head -n 2
dmesg | grep -iE 'ccp|psp|amd_sev'
sudo dmidecode -t bios | grep -E 'Version|Release Date'