wikiAMD Security Vulnerabilities - May 2026
On May 12th, 2026, AMD published the security bulletins AMD-SB-3030 [1], AMD-SB-4017[2] and AMD-SB-7052[3] with one security vulnerability each. This article includes tables listing measures to address the security vulnerabilities.
Affected systems
AMD Threadripper systems:
- systems with AMD Ryzen Threadripper PRO 3000WX processors
- systems with AMD Ryzen Threadripper 7000 / PRO 7000WX processors
- systems with AMD Ryzen Threadripper 9000 / PRO 9000WX processors
AMD EPYC systems:
- systems with "Zen 4" AMD EPYC 4004 Raphael processors
- systems with "Zen 2" AMD EPYC 7002 Rome processors
- systems with "Zen 3" AMD EPYC 7003 Milan processors
- systems with "Zen 4" AMD EPYC 9004 Genoa and Bergamo & 8004 Siena processors
- systems with "Zen 5" AMD EPYC 9005 Turin processors
Solution
Here is a table listing the relevant CVEs and corrective measures for the respective EPYC generation, if available.
AMD EPYC 4004 Raphael
| Security vulnerability | Risk potential: | AGESA version |
|---|---|---|
| CVE-2024-36315 | 5.7 (medium) | ComboAM5PI_1.0.0.a (2024-09-11)
ComboAM5PI_1.1.0.3c (2024-09-11) ComboAM5PI_1.2.0.3 (2024-09-11) |
AMD EPYC 7002 Rome
| Security vulnerability | Risk potential: | Correction |
|---|---|---|
| CVE-2025-54518 | 7.3 (high) | OS update |
AMD EPYC 7003 Milan:
| Security vulnerability | Risk potential: | AGESA version | TCB‑value for SNP-certification |
|---|---|---|---|
| CVE-2025-61971 | 5.9 (medium) | MilanPI 1.0.0.J (2025-12-15) | TCB[SNP]>=0x1D |
AMD EPYC 8004 Siena:
| Security vulnerability | Risk potential: | AGESA version | Microcode | TCB‑value for SNP-certification |
|---|---|---|---|---|
| CVE-2024-36315 | 5.7 (medium) | GenoaPI 1.0.0.E (2024-12-18) | A2: 0AA00216 | N/A |
| CVE-2025-61971 | 5.9 (medium) | Genoa++_1.0.0.H (2025-12-15) | N/A | TCB[BL]>=0xC |
| CVE-2025-61972 | 8.5 (high) | Genoa++_1.0.0.H (2025-12-15) | N/A | TCB[BL]>=0xC |
AMD EPYC 9004 Genoa:
| Security vulnerability | Risk potential: | AGESA version | Microcode | TCB‑value for SNP-certification |
|---|---|---|---|---|
| CVE-2024-36315 | 5.7 (medium) | GenoaPI 1.0.0.E (2024-12-18) | A2: 0x0AA00219
B1: 0x0A101154 B2: 0x0A10124F |
N/A |
| CVE-2025-61971 | 5.9 (medium) | Genoa++_1.0.0.H (2025-12-15) | N/A | TCB[BL]>=0xC |
| CVE-2025-61972 | 8.5 (high) | Genoa++_1.0.0.H (2025-12-15) | N/A | TCB[BL]>=0xC |
AMD EPYC 9005 Turin / Turin Dense
| Security vulnerability | Risk potential: | AGESA version | TCB‑value for SNP-certification |
|---|---|---|---|
| CVE-2025-61971 | 5.9 (medium) | TurinPI_1.0.0.8 (2025-11-26) | TCB[TEE]>=0x2 |
| CVE-2025-61972 | 8.5 (high) | TurinPI_1.0.0.8 (2025-11-26) | TCB[TEE]>=0x2 |
AMD Ryzen Threadripper PRO 3000WX
| Security vulnerability | Risk potential: | AGESA version |
|---|---|---|
| CVE-2021-46747 | 7.1 (high) | CastlePeakWSPI-sWRX8 1.0.0.9 (2022-01-20)
ChagallWSPI-sWRX8 1.0.0.2 (2022-01-20) |
| CVE-2025-48516 | 6.9 (medium) | no specific plans |
| CVE-2021-26380 | 1.8 (low) | ChagallWSPI-sWRX8 1.0.0.2 (2022-01-20) |
| CVE-2025-54518 | 7.3 (high) | ChagallWSPI-sWRX8-1.0.0.D (11-04-2025)
CastlePeakWSPI-sWRX8 1.0.0.I (10-17-2025) |
AMD Ryzen Threadripper 7000 / PRO 7000WX
| Security vulnerability | Risk potential: | AGESA version |
|---|---|---|
| CVE-2026-0438 | 5.4 (medium) | ShimadaPeakPI-SP6 1.0.0.1c (2025-10-21)
StormPeakPI-SP6 1.0.0.1m (2025-12-01) StormPeakPI-SP6_1.1.0.0k (2025-12-01) |
| CVE-2025-48516 | 6.9 (medium) | ShimadaPeakPI-SP6 1.0.0.1b (2025-08-04) |
| CVE-2024-36345 | 4.6 (medium) | StormPeakPI-SP6 1.1.0.0k (2025-12-01)
StormPeakPI-SP6 1.0.0.1m (2025-12-01) |
| CVE-2024-36343 | 4.6 (medium) | StormPeakPI-SP6 1.1.0.0k (2025-12-01)
StormPeakPI-SP6 1.0.0.1m (2025-12-01) |
AMD Ryzen Threadripper 9000 / PRO 9000WX
| Security vulnerability | Risk potential: | AGESA version |
|---|---|---|
| CVE-2026-0438 | 5.4 (medium) | ShimadaPeakPI-SP6 1.0.0.1c (2025-10-21) |
| CVE-2025-48516 | 6.9 (medium) | ShimadaPeakPI-SP6 1.0.0.1b (2025-08-04) |
Supermicro security bulletins were published for security vulnerabilities. A list with BIOS-versions for the respective mainboards, to close the gaps, is also included. In the following, there is an excerpt from this table, in which all mainboards are listed that are offered by Thomas Krenn: [4]
| AMD motherboard | BIOS version |
|---|---|
| H12SSW-iN/NT | 3.6 |
| H12SSL-i/C/CT/NT | 3.6 |
| H12DSi-N6/NT6 | 3.6 |
| H13SSW | 3.8 |
| H13SSL-N/NC | 3.8 |
Updates for Thomas-Krenn products
Updates on the corresponding system can be found in the download area of Thomas-Krenn. The versions in the download area have been tested to guarantee the stability and compatibility of our systems.
If you require the latest version for your system and it is not yet available in our download area, you can get it at Asus or Supermicro.
References
- ↑ AMD EPYC and AMD EPYC Embedded Series Processor Vulnerabilities – May 2026 (www.amd.com/en/resources/product-security)
- ↑ AMD Athlon, AMD Ryzen, and AMD Ryzen Embedded Series Processor Vulnerabilities – May 2026 (www.amd.com/en/resources/product-security)
- ↑ CPU OP Cache Corruption - May 2026 (www.amd.com/en/resources/product-security)
- ↑ Supermicro Security Center (www.supermicro.com)
 |
Author: Thomas-Krenn.AG At Thomas-Krenn.AG we pay attention to the best possible service. To do justice to this, we have created our Thomas-Krenn Wiki. Here we share our knowledge with you and inform you about basics and news from the IT world. You like our knowledge culture and want to become part of the team? Visit our job offers.
|
 |
Translator: Alina Ranzinger Alina has been working at Thomas-Krenn.AG since 2024. After her training as multilingual business assistant, she got her job as assistant of the Product Management and is responsible for the translation of texts and for the organisation of the department.
|
