Vulnerability in Amd Epyc™ 7003 Series Processors
CVE-2024-21977
Incomplete cleanup after loading a CPU microcode patch may allow a privileged attacker to degrade the entropy of the RDRAND instruction, potentially resulting in loss of integrity for SEV-SNP guests.
EPSS: 0.000 (7.2th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 3.2 (Low). Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N.
Affected products
- Amd Epyc™ 7003 Series Processors — versions MilanPI 1.0.0.D
- Amd Epyc™ 8004 Series Processors — versions GenoaPI 1.0.0.C
- Amd Epyc™ 9004 Series Processors — versions GenoaPI 1.0.0.C
- Amd Epyc™ Embedded 7003 Series Processors — versions EmbMilanPI-SP3 1.0.0.9
- Amd Epyc™ Embedded 9004 Series Processors — versions EmbGenoaPI-SP5 1.0.0.9
- Amd Ryzen™ 5000 Series Desktop Processors — versions ComboAM4v2 1.2.0.Cb
- Amd Ryzen™ 5000 Series Mobile Processors With Radeon™ Graphics — versions CezannePI-FP6_1.0.1.1
- Amd Ryzen™ 6000 Series Processors With Radeon™ Graphics — versions RembrandtPI-FP7/FP7r2_1.0.0.B
- Amd Ryzen™ 7000 Series Desktop Processors — versions ComboAM5 1.2.0.1
- Amd Ryzen™ 7030 Series Mobile Processors With Radeon™ Graphics — versions CezannePI-FP6_1.0.1.1
Weakness classification (CWE)
Public proof-of-concept exploits
References
Frequently asked questions
- What is CVE-2024-21977?
- CVE-2024-21977 is a low-severity vulnerability in Amd Epyc™ 7003 Series Processors, classified under Incomplete Cleanup. CVSS score: 3.2/10. Published 2025-09-05.
- How severe is CVE-2024-21977?
- Low severity. CVSS v3 base score is 3.2 out of 10.
- Is CVE-2024-21977 known to be exploited?
- 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.