Bug 2488364

Summary: CVE-2026-0438 linux-firmware: Arbitrary code execution in System Management Mode [fedora-all]
Product: [Fedora] Fedora
Reporter: Michalis Papadopoullos <mpapadop>
Component: linux-firmware
Assignee: David Woodhouse <dwmw2>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Docs Contact:
Priority: unspecified
Version: rawhide
CC: dvlasenk, dwmw2, evgsyr, jforbes, jwboyer, kernel-maint, pbrobinson
Target Milestone: ---
Keywords: Security, SecurityTracking
Target Release: ---
Flags: pbrobinson: needinfo? (mpapadop)
Hardware: Unspecified
OS: Unspecified
Whiteboard: {"flaws": ["ef50dbdc-062e-4095-bf20-94dfb87305b0"]}
Fixed In Version:
Doc Type: ---
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2026-06-12 21:21:18 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Michalis Papadopoullos 2026-06-12 14:38:18 UTC
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

Comment 1 Eugene Syromyatnikov 2026-06-12 20:57:09 UTC
AMD x86 CPU microcode is maintained as part of the linux-firmware package, reassigning.

Comment 2 Peter Robinson 2026-06-12 21:21:18 UTC
Another pointless zero-research bug from RH security (why do people pay for this exactly?). This isn't a CPU patchable firmware and hence isn't dealt with by linux kernel applyable firmware AT ALL. It has to be provided by an early boot vendor firmware.

PLEASE Red Hat security, please do some BASIC research for your bugs, at least for your paid customers!