AMD GPU Driver Heap Overflow (CVE-2024-36342): Brief Summary and Patch Guidance

This post provides a brief summary of CVE-2024-36342, a heap overflow vulnerability in AMD GPU drivers affecting a wide range of products. It covers technical details, affected versions, and official patch information.

ZeroPath CVE Analysis

2025-09-06

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Privilege escalation and arbitrary code execution are possible on a wide range of AMD-based systems due to a heap overflow in the GPU driver. This vulnerability has direct impact on data center accelerators, consumer graphics cards, and embedded processors, affecting both enterprise and end user environments. AMD’s GPU and APU product lines are widely used in AI, high-performance computing, gaming, and embedded systems, making this issue relevant across the global technology landscape.

Technical Information

CVE-2024-36342 is a heap overflow vulnerability in AMD GPU drivers, rooted in improper input validation (CWE-20) within the kernel-mode driver layer. The flaw is present in code that handles user-supplied data passed from user space to kernel space. When the driver allocates heap memory for this data, it does not sufficiently validate the size or structure of the input. As a result, a crafted input can overflow the allocated buffer, overwriting adjacent kernel heap memory. This can corrupt control structures or function pointers, potentially allowing arbitrary code execution with kernel privileges.

The vulnerability is exploitable via local access with low privileges and does not require user interaction. The CVSS vector is AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, indicating a local attack vector, low complexity, low privileges required, no user interaction, changed scope, and high impact on confidentiality, integrity, and availability. The vulnerability is present in the kernel-mode driver, which is responsible for managing communication between user applications and GPU hardware. No public code snippets or vulnerable code details are available.

Patch Information

To address the identified vulnerabilities in AMD Embedded processors, AMD has released updated Platform Initialization (PI) firmware packages. These updates are designed to mitigate specific security issues by enhancing input validation, improving memory management, and strengthening access controls within the firmware.

For instance, to remediate CVE-2024-36354, which involves improper input validation in the boot loader, AMD has provided the following firmware updates:

  • AMD EPYC Embedded 3000 Series Processors: Updated to SnowyOwl PI 1.1.0.F, released on April 30, 2025.
  • AMD EPYC Embedded 7002 Series Processors: Updated to EmbRomePI-SP3 1.0.0.E, released on April 14, 2025.
  • AMD EPYC Embedded 7003 Series Processors: Updated to EmbMilanPI-SP3 1.0.0.A, released on December 24, 2024.

These firmware updates incorporate enhanced input validation mechanisms to prevent potential exploitation of the boot loader.

Similarly, to address CVE-2024-21977, which pertains to incomplete cleanup after loading a CPU microcode patch, AMD has released the following updates:

  • AMD EPYC Embedded 7003 Series Processors: Updated to EmbMilanPI-SP3 1.0.0.9, released on October 31, 2024.
  • AMD EPYC Embedded 900 Series Processors: Updated to EmbGenoaPI-SP5 1.0.0.9, released on December 27, 2024.

These updates ensure proper cleanup processes are in place after loading CPU microcode patches, thereby maintaining the integrity of the RDRAND instruction and preventing potential degradation of entropy.

AMD strongly recommends that users and system administrators promptly apply these firmware updates to ensure systems are protected against these vulnerabilities. Detailed information on the specific firmware versions and their release dates can be found in AMD's security bulletin.

For comprehensive details on all affected products and corresponding mitigations, please refer to the official AMD security bulletin: AMD Embedded Vulnerabilities – August 2025.

Affected Systems and Versions

CVE-2024-36342 affects a wide range of AMD GPU and APU products, including:

  • AMD Instinct MI210, MI250, MI300A, MI300X, MI308X, MI325X (data center accelerators)
  • Radeon RX 7000 series (consumer graphics)
  • Radeon Pro W7000 series, Radeon Pro V710 (professional graphics)
  • AMD Ryzen 4000, 5000, 6000, 7000, 7040 series processors with integrated Radeon graphics
  • AMD Embedded processors (see patch section for specific firmware updates)
  • Dell PowerEdge XE9680 servers with AMD GPUs (see Dell advisory for details)

For embedded processors, refer to the patch section for exact firmware version numbers and release dates. For data center and workstation GPUs, update to ROCm 6.4 or later. For consumer and professional graphics cards, install the latest AMD graphics drivers as distributed by AMD. For Dell PowerEdge servers, apply the firmware and software updates specified in Dell security advisory DSA-2025-322.

Vendor Security History

AMD has a history of addressing security vulnerabilities across its product portfolio. Previous issues include speculative execution vulnerabilities (e.g., Spectre variants), trusted execution environment flaws (e.g., CVE-2021-26383), and driver-related bugs. AMD typically responds with detailed advisories, coordinated patch releases, and collaboration with ecosystem partners. The company maintains product-specific security bulletins and provides timely updates for affected products.
