AVID-2026-R1420
Description
Vulnerability CVE-2024-21974
Details
Improper input validation in the NPU driver could allow an attacker to supply a specially crafted pointer potentially leading to arbitrary code execution.
Reason for inclusion in AVID: CVE-2024-21974 describes a vulnerability in AMD’s NPU driver within Ryzen AI Software that could lead to arbitrary code execution via crafted input. This concerns AI software stack components (drivers used to accelerate AI workloads) and represents a security vulnerability with potential impact on general-purpose AI systems, fitting within the software supply chain domain for AI pipelines. The report includes CVE, impact, and references, providing sufficient signal for classification.
References
Affected or Relevant Artifacts
- Developer: AMD
- Deployer: AMD
- Artifact Details:
| Type | Name |
|---|---|
| System | AMD Ryzen™ AI Software |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Metric | Value |
|---|---|
| Version | 3.1 |
| Vector String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| Base Score | 8.8 |
| Base Severity | 🔴 High |
| Attack Vector | LOCAL |
| Attack Complexity | 🟢 Low |
| Privileges Required | 🟢 Low |
| User Interaction | NONE |
| Scope | CHANGED |
| Confidentiality Impact | 🔴 High |
| Integrity Impact | 🔴 High |
| Availability Impact | 🔴 High |
CWE
| ID | Description |
|---|---|
| CWE-20 | CWE-20 Improper Input Validation |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2024-11-12
- Version: 0.3.3
- AVID Entry