Bug 2241909 (CVE-2023-20598) - CVE-2023-20598 hw: amd: AMD Radeon Graphics Kernel Driver Privilege Management Vulnerability
Summary: CVE-2023-20598 hw: amd: AMD Radeon Graphics Kernel Driver Privilege Managemen...
Keywords:
Status: NEW
Alias: CVE-2023-20598
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2241225
TreeView+ depends on / blocked
 
Reported: 2023-10-03 11:10 UTC by Rohit Keshri
Modified: 2025-09-06 08:33 UTC (History)
39 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Rohit Keshri 2023-10-03 11:10:02 UTC 
The AMD kernel driver (pdfwkrnl.sys), which is part of the IO device controller (USB-C device)
firmware update utility, is intended to be executed only by a privileged user (i.e., an administrator) on
the target system when updating the AMD RadeonTM Software (Adrenalin Edition and PRO
Edition). However, the improper privilege management vulnerability may allow a low-privileged user
to launch an attack while a privileged user is running the firmware update utility tool because the
firmware update utility requires exposing the IOCTL interface to perform the firmware update process.
During this IOCTL exposure, the low privileged user could potentially gain I/O control of the USB ports
or physical addresses, exploiting the improper privilege management vulnerability

Refer:
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-6009.html
Note You need to log in before you can comment on or make changes to this bug.