CVE-2021-26384
📋 TL;DR
CVE-2021-26384 is an AMD CPU vulnerability where a malformed System Management Interface (SMI) command can corrupt SMI Trigger Info data structures, potentially causing out-of-bounds memory reads/writes. This could lead to system instability, denial of service, or potentially arbitrary code execution in privileged SMM context. Affects systems with vulnerable AMD processors.
💻 Affected Systems
- AMD EPYC 7002 Series Processors
- AMD EPYC 7003 Series Processors
- AMD Ryzen 5000 Series Processors
- AMD Ryzen 4000 Series Processors with Radeon Graphics
⚠️ Risk & Real-World Impact
Worst Case
Privileged attacker could execute arbitrary code in System Management Mode (SMM), bypassing OS security controls to gain persistent firmware-level access, install rootkits, or cause permanent hardware damage.
Likely Case
System crashes, instability, or denial of service due to memory corruption in SMM handlers. Potential for privilege escalation if combined with other vulnerabilities.
If Mitigated
Limited to denial of service or system instability if proper SMM isolation and memory protections are in place.
🎯 Exploit Status
Exploitation requires local code execution and deep knowledge of SMM internals. No public exploits were known at the time of writing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: AMD microcode updates (AGESA versions with fixes)
Vendor Advisory: https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1027
Restart Required: Yes
Instructions:
1. Check with system/motherboard manufacturer for BIOS/UEFI updates.
2. Apply BIOS/UEFI firmware update containing AMD microcode patch.
3. Reboot system to activate new microcode.
🔧 Temporary Workarounds
Restrict SMI access
Limit access to SMI triggers through BIOS/UEFI settings if available
🧯 If You Can't Patch
- Implement strict access controls to prevent unauthorized local code execution
- Monitor systems for unexpected crashes or SMI-related anomalies
🔍 How to Verify
Check if Vulnerable:
Check CPU microcode version via 'cat /proc/cpuinfo | grep microcode' on Linux or use CPU-Z on Windows. Compare against patched versions from manufacturer.
Check Version:
Linux: 'sudo dmidecode -t bios' or 'cat /sys/devices/system/cpu/cpu0/microcode/version'. Windows: 'wmic bios get smbiosbiosversion'
Verify Fix Applied:
Verify BIOS/UEFI version contains updated AMD microcode. Check system logs for successful microcode update during boot.
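The Linux microcode check above can be scripted so that every core is compared against the manufacturer's patched revision. This is an added example, not code from AMD or the advisory; the function names are hypothetical, the sample revisions are constructed, and the baseline is a placeholder the operator must take from the manufacturer's release notes.

```shell
#!/bin/sh
# Added example (not from the advisory): compare the running microcode revision
# with a baseline the operator copies from the OEM/AMD release notes.

# Build a constructed two-core sample in /proc/cpuinfo format (values are made up).
sample_cpuinfo() {
    printf 'processor\t: %s\nmicrocode\t: %s\n' 0 "$1" 1 "${2:-$1}"
}

# Print the distinct microcode revisions read from stdin, one per line.
microcode_revs() {
    awk -F': *' '/^microcode[ \t]*:/ { print $2 }' | sort -u
}

# Succeed only for a 0x-prefixed hex string, so nothing else reaches $(( )).
is_hex() {
    case $1 in
        0x*) case ${1#0x} in ''|*[!0-9a-fA-F]*) return 1 ;; esac ;;
        *) return 1 ;;
    esac
}

# check_microcode MIN_REV < cpuinfo
# Returns 0 = at or above baseline, 1 = below baseline, 2 = cannot decide.
check_microcode() {
    mc_min=$1
    mc_revs=$(microcode_revs)
    mc_n=$(printf '%s\n' "$mc_revs" | awk 'NF { n++ } END { print n + 0 }')
    # Every core should report the same revision; zero or several is a finding.
    if [ "$mc_n" -ne 1 ]; then
        echo "UNKNOWN: expected one revision across all cores, found $mc_n"
        return 2
    fi
    if ! is_hex "$mc_min" || ! is_hex "$mc_revs"; then
        echo "UNKNOWN: non-hex value (baseline '$mc_min', running '$mc_revs')"
        return 2
    fi
    if [ "$(($mc_revs))" -ge "$(($mc_min))" ]; then
        echo "OK: running $mc_revs, baseline $mc_min"
        return 0
    fi
    echo "BELOW BASELINE: running $mc_revs, baseline $mc_min"
    return 1
}

# Live use: ./check.sh <baseline-from-vendor-notes>   (reads /proc/cpuinfo)
if [ "$#" -ge 1 ]; then check_microcode "$1" < /proc/cpuinfo; fi
```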
📡 Detection & Monitoring
Log Indicators:
- Unexpected system crashes
- SMI handler errors in firmware logs
- Microcode update failures
Network Indicators:
- None - local vulnerability only
SIEM Query:
Search for: 'Event ID 6008' (unexpected shutdown) on Windows or kernel panic/crash logs on Linux