CVE-2025-29935 Overview
CVE-2025-29935 is an out-of-bounds write vulnerability [CWE-787] in the AMD Platform Management Framework (PMF). The flaw resides in a kernel-mode component responsible for power, thermal, and system management policy enforcement on AMD-based platforms. An authenticated local attacker can write outside the bounds of an allocated buffer, corrupting adjacent kernel memory. Successful exploitation enables arbitrary code execution at an elevated privilege level. The result is full compromise of confidentiality, integrity, and availability on the affected host.
Critical Impact
Local privilege escalation to kernel-level code execution on systems running the AMD Platform Management Framework driver.
Affected Products
- AMD Platform Management Framework (PMF) — see AMD Security Bulletin #4015 for the specific affected processor families and driver versions
- AMD client platforms shipping the PMF driver stack
- OEM systems integrating the AMD PMF runtime components
Discovery Timeline
- 2026-05-15 - CVE-2025-29935 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2025-29935
Vulnerability Analysis
The AMD Platform Management Framework is a software stack that coordinates power, thermal, and performance decisions between firmware, the operating system, and applications. PMF exposes interfaces that user-mode components can invoke to query telemetry and submit policy requests. The vulnerability is classified as an out-of-bounds write [CWE-787], indicating that the PMF code writes data past the end of an allocated buffer. Because PMF executes within a privileged context, memory corruption translates directly into elevated code execution on the host.
Root Cause
The root cause is missing or inadequate bounds checking when PMF processes attacker-controlled input through one of its IOCTL or management interfaces. When the size or offset of input data is not validated against the destination buffer, the driver writes beyond the allocated region. Adjacent kernel objects, function pointers, or control structures can then be overwritten with attacker-supplied values. AMD has not published the specific affected function in public advisory text; refer to AMD Security Bulletin #4015 for vendor detail.
Attack Vector
Exploitation requires local access and low privileges on the target system. An attacker with the ability to run code as a standard user invokes the vulnerable PMF interface with crafted parameters. The malformed request triggers the out-of-bounds write, corrupting kernel memory in a controlled manner. The attacker then pivots from memory corruption to arbitrary code execution at the privilege level of the PMF component. No user interaction is required beyond initial code execution on the host.
No public proof-of-concept code has been verified for this vulnerability. Refer to the AMD Security Bulletin #4015 for technical detail.
Detection Methods for CVE-2025-29935
Indicators of Compromise
- Unexpected loading of, or interaction with, the AMD PMF driver by non-system processes or unsigned binaries
- Kernel bug checks or system crashes referencing the PMF driver module
- New or modified scheduled tasks, services, or drivers created shortly after PMF interaction
- Privilege escalation events where a standard user process spawns a SYSTEM or kernel-context child
Detection Strategies
- Inventory endpoints to identify systems with the AMD PMF driver installed and compare against patched versions listed in AMD Security Bulletin #4015
- Monitor for processes opening handles to PMF device objects followed by anomalous IOCTL traffic
- Correlate kernel crash telemetry with preceding user-mode process activity to identify potential exploitation attempts
- Track integrity-level transitions where a medium-integrity process is followed by SYSTEM-level activity in the same session
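The parent/child integrity check from the indicators and strategies above, as an added example (not from AMD or the original page). It assumes process-creation records that carry Sysmon Event ID 1 field names; the sample records and the function name `Find-IntegrityJump` are constructed for illustration.

```powershell
# Added example. Constructed process-creation records using Sysmon Event ID 1
# field names; none of this is real telemetry.
$sampleEvents = @(
    [pscustomobject]@{ ProcessGuid = 'g-100'; ParentProcessGuid = 'g-001'; Image = 'C:\Windows\System32\services.exe'; User = 'NT AUTHORITY\SYSTEM'; IntegrityLevel = 'System' }
    [pscustomobject]@{ ProcessGuid = 'g-101'; ParentProcessGuid = 'g-100'; Image = 'C:\Windows\System32\svchost.exe'; User = 'NT AUTHORITY\SYSTEM'; IntegrityLevel = 'System' }
    [pscustomobject]@{ ProcessGuid = 'g-200'; ParentProcessGuid = 'g-150'; Image = 'C:\Users\alice\Downloads\tool.exe'; User = 'CORP\alice'; IntegrityLevel = 'Medium' }
    [pscustomobject]@{ ProcessGuid = 'g-201'; ParentProcessGuid = 'g-200'; Image = 'C:\Windows\System32\cmd.exe'; User = 'NT AUTHORITY\SYSTEM'; IntegrityLevel = 'System' }
)

function Find-IntegrityJump {
    param([Parameter(Mandatory)][object[]]$ProcessEvent)
    # Index every process by its GUID so each child can be joined to its parent.
    $byGuid = @{}
    foreach ($e in $ProcessEvent) { $byGuid[$e.ProcessGuid] = $e }

    foreach ($child in $ProcessEvent) {
        if ($child.IntegrityLevel -ne 'System') { continue }
        if (-not $child.ParentProcessGuid) { continue }
        $parent = $byGuid[$child.ParentProcessGuid]
        # Parent never logged (collection gap, process older than the log): skip.
        if (-not $parent) { continue }
        # A System-integrity child of a Low/Medium parent is the transition to review.
        if ($parent.IntegrityLevel -in 'Low', 'Medium') {
            [pscustomobject]@{
                ParentImage = $parent.Image
                ParentUser  = $parent.User
                ChildImage  = $child.Image
                ChildUser   = $child.User
            }
        }
    }
}

# Only the tool.exe -> cmd.exe pair is returned; services.exe -> svchost.exe is not.
Find-IntegrityJump -ProcessEvent $sampleEvents | Format-List
```

Hits are leads for triage rather than proof of exploitation; correlate them with PMF-related crash telemetry from the same host and time window.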
Monitoring Recommendations
- Enable kernel-mode driver load auditing and forward events to a centralized log platform
- Capture and retain Windows Error Reporting (WER) crash dumps for offline triage of PMF-related faults
- Baseline normal PMF driver activity per platform model to surface deviations
- Alert on driver version mismatches between deployed endpoints and the AMD-approved patched baseline
How to Mitigate CVE-2025-29935
Immediate Actions Required
- Apply the AMD PMF driver and firmware updates referenced in AMD Security Bulletin #4015 as soon as OEM-validated builds are available
- Restrict local logon and code execution rights to trusted administrators on systems where patching is delayed
- Audit installed driver versions across the AMD-based fleet and prioritize systems running outdated PMF builds
- Enable Hypervisor-Protected Code Integrity (HVCI), shown as Memory Integrity in Windows Security, on supported Windows hosts to constrain kernel exploitation primitives
Patch Information
AMD has published guidance in AMD Security Bulletin #4015. Customers should obtain the updated PMF driver through their OEM update channel (for example, Lenovo Vantage, HP Image Assistant, ASUS MyASUS, or Windows Update) rather than installing generic AMD packages, because PMF builds are tuned per platform.
Workarounds
- Disable or unload the AMD PMF driver on systems that do not require dynamic power and thermal policy management, accepting the loss of PMF features
- Apply application control policies (for example, Windows Defender Application Control) to stop unauthorized binaries from running and therefore from issuing IOCTLs to the PMF device
- Limit administrative tooling and developer utilities on production endpoints to reduce the population of users capable of triggering the local attack path
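# Example: query the installed AMD PMF driver version on Windows (PowerShell).
# -Context prints the lines around the match so the "Driver Version" line is shown.
pnputil /enum-drivers | Select-String -Pattern 'amdpmf' -Context 1,5
# Example: query the kernel driver list for AMD PMF
driverquery /v | findstr /i "AMDPMF"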
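For the driver-version audit and mismatch alerting recommended above, an added example (not AMD's tooling and not part of the original page) that parses `pnputil /enum-drivers` output and flags PMF packages below a baseline. The baseline value is a placeholder, the `amdpmf.inf` name and sample output are constructed, and the parser assumes the English pnputil field labels.

```powershell
# Added example. PLACEHOLDER baseline: replace with the fixed PMF driver version
# that AMD Security Bulletin #4015 or your OEM lists for the platform model.
$PatchedBaseline = [version]'99.0.0.0'

function Get-PmfDriverPackage {
    param([string[]]$PnpUtilOutput)
    $block = @{}
    # pnputil prints one "Key: Value" block per package, separated by blank
    # lines; the appended '' makes sure the last block is flushed.
    foreach ($line in @($PnpUtilOutput) + '') {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.+?)\s*$') {
            $block[$Matches[1]] = $Matches[2]
        }
        elseif ([string]::IsNullOrWhiteSpace($line) -and $block.Count -gt 0) {
            if ($block['Original Name'] -match 'amdpmf') {
                # "Driver Version" holds "<date> <a.b.c.d>"; keep the last token.
                $version = ($block['Driver Version'] -split '\s+')[-1] -as [version]
                [pscustomobject]@{
                    PublishedName = $block['Published Name']
                    OriginalName  = $block['Original Name']
                    Version       = $version
                    # An unparseable version is flagged too, so it gets reviewed.
                    NeedsUpdate   = (-not $version) -or ($version -lt $PatchedBaseline)
                }
            }
            $block = @{}
        }
    }
}

# Constructed sample in the English pnputil layout (not from a real host).
$sample = @'
Microsoft PnP Utility

Published Name:     oem17.inf
Original Name:      amdpmf.inf
Provider Name:      Example Provider
Class Name:         System
Driver Version:     01/02/2025 1.2.3.4
Signer Name:        Example Signer

Published Name:     oem18.inf
Original Name:      exampleaudio.inf
Driver Version:     03/04/2025 5.6.7.8
'@ -split '\r?\n'

Get-PmfDriverPackage -PnpUtilOutput $sample
# On a live host: Get-PmfDriverPackage -PnpUtilOutput (pnputil /enum-drivers)
```

Because PMF builds are tuned per platform, keep one baseline per platform model rather than a single fleet-wide value.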
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


