CVE-2024-36355 Overview
CVE-2024-36355 is a BIOS/UEFI vulnerability affecting AMD processors where improper input validation in the System Management Mode (SMM) handler allows an attacker with Ring0 (kernel-level) access to write to System Management RAM (SMRAM). This flaw enables modification of execution flow during S3 (sleep) wake up, potentially resulting in arbitrary code execution at the highest system privilege level.
Critical Impact
An attacker who already holds kernel-level (Ring0) access can use this flaw to write into SMRAM, which the platform is supposed to lock against all non-SMM code. Because the corrupted data is consumed when the platform resumes from S3, the attacker obtains code execution inside SMM, below both the operating system and any hypervisor. Note that SMRAM is re-established by the firmware on a cold boot, so on its own the implant survives sleep/wake cycles but not a power cycle; turning SMM access into persistence across reboots (for example by tampering with the SPI flash) would require further steps that the advisory does not describe.
Affected Products
- AMD processors running affected AGESA firmware versions (AMD Security Bulletins SB-3023 and SB-4013 carry the per-product lists)
- Systems whose BIOS/UEFI image carries the vulnerable SMM handler implementation
Discovery Timeline
- 2026-02-10 - CVE-2024-36355 published to NVD
- 2026-02-12 - Last updated in NVD database
Technical Details for CVE-2024-36355
Vulnerability Analysis
This vulnerability is classified as CWE-787 (Out-of-Bounds Write), occurring within the System Management Mode handler responsible for managing low-level hardware operations. The SMM operates in a highly privileged execution environment that is normally isolated from the operating system and hypervisor layers. When the input validation in the SMM handler fails to properly sanitize data, an attacker who has already achieved Ring0 (kernel) access can craft malicious input that bypasses boundary checks and writes directly to SMRAM.
The attack specifically targets the S3 sleep wake-up pathway, where the SMM handler restores system state. By corrupting the execution flow data stored in SMRAM, an attacker can redirect code execution to attacker-controlled memory regions when the system resumes from sleep, achieving persistent code execution below the operating system level.
Root Cause
The root cause is improper input validation in the SMM handler that processes data during S3 wake-up operations. The handler fails to adequately validate boundaries or sanitize input parameters before writing to SMRAM, creating an out-of-bounds write condition. This allows an attacker with sufficient privileges to inject malicious data into protected memory regions that should be inaccessible even to kernel-level code.
Attack Vector
The attack is local and requires Ring0 (kernel) privileges as a prerequisite, so an attacker must first compromise the operating system kernel, for example through a separate kernel vulnerability or by loading a malicious driver. From Ring0 the attacker raises an SMI that invokes the vulnerable handler with crafted input that the handler fails to bounds-check; the resulting out-of-bounds write lands in SMRAM and corrupts the data the S3 resume path depends on. On the next wake from S3, the corrupted execution flow diverts to attacker-controlled code running with SMM privileges. This is a privilege-escalation primitive rather than an initial-access vector: it crosses no network or user boundary by itself, but it turns a kernel compromise into a compromise of the firmware security boundary that Ring0 code is normally not permitted to cross. For product-specific details, refer to AMD Security Bulletin SB-3023 and AMD Security Bulletin SB-4013.
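To make the bug class concrete, here is an added, constructed example; it is not AMD's code and not the actual vulnerable handler. It models a toy SMI handler that copies caller-supplied data to a caller-supplied physical address during an S3 context save. The simulated physical address space, the TSEG window, the S3 context record, the request layout and every function name are assumptions made for illustration. The vulnerable version only checks that the destination is a valid address; the hardened version snapshots the request into SMRAM-local storage (so the shared buffer is read once, not twice) and rejects any destination that overlaps SMRAM, which is exactly the check that out-of-bounds-write bugs in SMM handlers are missing.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model, not AMD firmware: a 64 KiB "physical" address space with
 * a 16 KiB SMRAM (TSEG) window inside it. The SMI handler must only write
 * outside that window on behalf of the OS. */
#define PHYS_SIZE  0x10000u
#define TSEG_BASE  0x8000u
#define TSEG_SIZE  0x4000u
#define TSEG_END   (TSEG_BASE + TSEG_SIZE)
static uint8_t g_phys[PHYS_SIZE];

/* Constructed S3 context record kept in SMRAM: the address SMM jumps to on
 * resume is stored at S3_CTX_OFF. */
#define S3_CTX_OFF    (TSEG_BASE + 0x100u)
#define LEGIT_RESUME  0x1000u   /* stand-in for the firmware's real resume vector */

/* Request a Ring0 caller leaves in the (non-SMRAM) communication buffer. */
typedef struct {
    uint32_t dest;      /* physical address the handler should write to */
    uint32_t len;       /* bytes of data[] to copy */
    uint8_t  data[64];
} save_req_t;

int g_last_status;      /* result of the most recent handler call */

void platform_init(void)
{
    uint64_t entry = LEGIT_RESUME;
    memset(g_phys, 0, sizeof g_phys);
    memcpy(&g_phys[S3_CTX_OFF], &entry, sizeof entry);
}

/* What SMM would use as its jump target on S3 wake-up. */
uint64_t s3_resume_entry(void)
{
    uint64_t entry;
    memcpy(&entry, &g_phys[S3_CTX_OFF], sizeof entry);
    return entry;
}

/* VULNERABLE (CWE-787 pattern): checks that dest is a valid physical address
 * but never that it lies outside SMRAM, and reads the shared buffer twice. */
int smm_save_ctx_vulnerable(const save_req_t *req)
{
    if (req->len > sizeof req->data) return -1;
    if ((uint64_t)req->dest + req->len > PHYS_SIZE) return -1;
    memcpy(&g_phys[req->dest], req->data, req->len);   /* may land in SMRAM */
    return 0;
}

/* Is [addr, addr+len) entirely outside the SMRAM window? Overflow-safe. */
bool outside_smram(uint64_t addr, uint64_t len)
{
    if (len == 0) return true;
    if (addr > UINT64_MAX - len) return false;         /* addr+len would wrap */
    return addr + len <= TSEG_BASE || addr >= TSEG_END;
}

/* HARDENED: copy the request into SMRAM-local storage once (no double fetch),
 * then refuse any destination that overlaps SMRAM. */
int smm_save_ctx_hardened(const save_req_t *untrusted)
{
    save_req_t req;
    memcpy(&req, untrusted, sizeof req);
    if (req.len > sizeof req.data) return -1;
    if ((uint64_t)req.dest + req.len > PHYS_SIZE) return -1;
    if (!outside_smram(req.dest, req.len)) return -2;  /* SMRAM is off limits */
    memcpy(&g_phys[req.dest], req.data, req.len);
    return 0;
}

/* A Ring0 caller aiming the write at the resume vector inside SMRAM.
 * Returns the resume entry SMM would use afterwards. */
uint64_t run_attack(int (*handler)(const save_req_t *))
{
    save_req_t req;
    uint64_t evil = 0x4141u;   /* attacker-chosen address (constructed) */
    platform_init();
    memset(&req, 0, sizeof req);
    req.dest = S3_CTX_OFF;
    req.len  = sizeof evil;
    memcpy(req.data, &evil, sizeof evil);
    g_last_status = handler(&req);
    return s3_resume_entry();
}

/* A legitimate request targeting ordinary RAM must still succeed. */
int run_legit(int (*handler)(const save_req_t *))
{
    save_req_t req;
    platform_init();
    memset(&req, 0, sizeof req);
    req.dest = 0x2000u;
    req.len  = 16;
    return handler(&req);
}

int main(void)
{
    uint64_t e = run_attack(smm_save_ctx_vulnerable);
    printf("vulnerable: resume entry 0x%llx (status %d)\n", (unsigned long long)e, g_last_status);
    e = run_attack(smm_save_ctx_hardened);
    printf("hardened:   resume entry 0x%llx (status %d)\n", (unsigned long long)e, g_last_status);
    return 0;
}
```

Running it shows the vulnerable handler accepting the request and leaving 0x4141 as the resume target, while the hardened handler returns -2 and the legitimate vector is untouched. The two design points that matter in real firmware are the same as in the toy: validate the destination range against SMRAM (and against wrap-around), and validate a private copy of the request rather than the buffer the OS can still modify.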
Detection Methods for CVE-2024-36355
Indicators of Compromise
- Once the platform has locked SMRAM its contents cannot be inspected from the OS, so "SMRAM modification" is not something an endpoint agent can observe directly; treat an unlocked SMRAM configuration, or a firmware image that does not match the OEM's signed release, as the observable finding instead
- Unexplained SMI activity, for example an SMI count rising on an otherwise idle host where the platform exposes such a counter
- System instability or unexpected behaviour following S3 sleep/wake cycles
- Evidence of unauthorized or unsigned kernel driver loads that could be used to gain Ring0 access
Detection Strategies
- Verify firmware integrity out of band: compare the installed BIOS version and image hash against the OEM release, and use TPM measured boot (PCR 0) to attest which firmware actually ran
- Enforce kernel driver signing so that unauthorized code cannot reach Ring0 in the first place
- Monitor SMI activity for anomalous patterns where the platform exposes it
- Check that the SMRAM lock is set (on AMD, the SmmLock bit in the HWCR MSR); if SMRAM is unlocked an attacker does not even need this handler flaw
Monitoring Recommendations
- Enable UEFI Secure Boot for the OS loader and, where the OEM offers it, AMD Platform Secure Boot so that the boot firmware itself is verified by the hardware root of trust; use TPM measurements to confirm at each boot that the expected firmware ran
- Continuously monitor kernel driver loads and other routes to Ring0 code execution
- Log S3 sleep/wake events (on Linux the kernel logs "PM: suspend entry (deep)" for S3) and correlate them with the firmware integrity checks above
- Deploy endpoint detection solutions capable of observing low-level activity such as driver loads and SMI triggers
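The following is an added example, not from the advisory or from AMD: a small Linux audit helper in C covering the three things an operator can actually check from the OS for this advisory. It reads the SmmLock bit (bit 0 of the AMD HWCR MSR, 0xC0010015), reports whether S3 ("deep") is the current mem_sleep selection, and counts S3 entries in kernel log text; the log lines embedded in it are constructed so the counter can be exercised offline. Reading the MSR needs root and the msr kernel module, and the BIOS version it prints must be compared by hand against the OEM's patched release because the advisory's version list is not reproduced on this page. None of these checks detects exploitation of the CVE itself; they establish whether the baseline protections and the S3 path are in the state you expect.

```c
#include <fcntl.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* AMD HWCR MSR (Linux calls it MSR_K7_HWCR); bit 0 is SmmLock, which locks
 * SMRAM against writes from outside SMM. */
#define MSR_AMD_HWCR   0xC0010015u
#define HWCR_SMM_LOCK  (1ull << 0)

bool amd_smm_locked(uint64_t hwcr)
{
    return (hwcr & HWCR_SMM_LOCK) != 0;
}

/* /sys/power/mem_sleep lists the available states with the current one in
 * brackets, e.g. "s2idle [deep]". "deep" is S3, the path in the advisory. */
bool mem_sleep_default_is_deep(const char *mem_sleep)
{
    return strstr(mem_sleep, "[deep]") != NULL;
}

/* Count S3 entries in kernel log text: the kernel prints
 * "PM: suspend entry (deep)" for S3 and "(s2idle)" for suspend-to-idle. */
int count_s3_entries(const char *log)
{
    const char *tag = "PM: suspend entry (deep)";
    const char *p = log;
    int n = 0;
    while ((p = strstr(p, tag)) != NULL) {
        n++;
        p += strlen(tag);
    }
    return n;
}

/* Constructed sample log lines (not captured from a real host). */
static const char SAMPLE_DMESG[] =
    "[  100.1] PM: suspend entry (deep)\n"
    "[  102.3] PM: suspend exit\n"
    "[  250.0] PM: suspend entry (s2idle)\n"
    "[  251.1] PM: suspend exit\n"
    "[  900.7] PM: suspend entry (deep)\n";

int sample_s3_count(void)
{
    return count_s3_entries(SAMPLE_DMESG);
}

/* Read one MSR from CPU 0 through the msr module (root; `modprobe msr`). */
int read_msr(uint32_t reg, uint64_t *out)
{
    int fd = open("/dev/cpu/0/msr", O_RDONLY);
    ssize_t n;
    if (fd < 0) return -1;
    n = pread(fd, out, sizeof *out, (off_t)reg);
    close(fd);
    return n == (ssize_t)sizeof *out ? 0 : -1;
}

/* Read the first line of a sysfs text file, without the trailing newline. */
static int read_text(const char *path, char *buf, size_t cap)
{
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    if (!fgets(buf, (int)cap, f)) { fclose(f); return -1; }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

int main(void)
{
    uint64_t hwcr;
    char buf[256];

    if (read_msr(MSR_AMD_HWCR, &hwcr) == 0)
        printf("SmmLock: %s\n", amd_smm_locked(hwcr)
               ? "set" : "NOT SET - SMRAM is writable from outside SMM");
    else
        printf("SmmLock: could not read MSR (run as root after modprobe msr)\n");

    if (read_text("/sys/power/mem_sleep", buf, sizeof buf) == 0)
        printf("mem_sleep: \"%s\" -> S3 is the default: %s\n", buf,
               mem_sleep_default_is_deep(buf) ? "yes" : "no");

    if (read_text("/sys/class/dmi/id/bios_version", buf, sizeof buf) == 0)
        printf("BIOS version: %s (compare with the OEM release carrying the "
               "fixed AGESA for SB-3023 / SB-4013)\n", buf);

    printf("S3 entries in sample log: %d\n", sample_s3_count());
    return 0;
}
```

On a host you would feed count_s3_entries() the output of dmesg or journalctl -k instead of the constructed sample; a host that reports S3 entries after you believed S3 was disabled, or SmmLock clear, is worth investigating regardless of this particular CVE.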
How to Mitigate CVE-2024-36355
Immediate Actions Required
- Apply the latest BIOS/UEFI firmware updates from system OEMs that incorporate patched AGESA versions
- Review and validate all installed kernel drivers to ensure no unauthorized Ring0 code is present
- Enable Secure Boot and configure strict driver signing policies
- Limit administrative access to systems to reduce the attack surface for gaining initial Ring0 access
Patch Information
AMD has released security advisories addressing this vulnerability. System administrators should consult their OEM for BIOS updates containing the remediated AGESA firmware versions. Refer to AMD Security Bulletin SB-3023 and AMD Security Bulletin SB-4013 for specific version information and affected product details.
Workarounds
- Disable S3 in firmware setup where the OEM exposes the option and it is operationally feasible; this removes the wake-up path the advisory describes but does not fix the SMRAM write itself, and an OS-level change alone is not sufficient because a Ring0 attacker can re-enable S3 and trigger the sleep/wake cycle themselves
- Implement strict kernel-mode code signing requirements to prevent unauthorized Ring0 access
- Enable AMD Platform Secure Boot (also marketed as Hardware Validated Boot) where available; it verifies the boot firmware against a hardware root of trust and so limits an attacker's ability to persist a modified image, although it does not validate the inputs a runtime SMM handler receives
- Restrict physical access to systems and implement tamper detection mechanisms
# Example: make suspend-to-idle (s2idle) the default on Linux instead of S3 ("deep")
# Show the available mem_sleep states; the current one is bracketed
cat /sys/power/mem_sleep           # "s2idle [deep]" means S3 is currently the default
# Make s2idle the default at boot: add mem_sleep_default=s2idle to
# GRUB_CMDLINE_LINUX in /etc/default/grub, then regenerate the GRUB config
sudo update-grub                   # Debian/Ubuntu; on Fedora/RHEL: sudo grub2-mkconfig -o /boot/grub2/grub.cfg
sudo reboot
# Verify after the reboot
cat /sys/power/mem_sleep           # should now read "[s2idle] deep"
# This only changes the default: root can still write "deep" to /sys/power/mem_sleep,
# so a Ring0 attacker can bring S3 back. Prefer disabling S3 in firmware setup.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.