CVE-2021-46766: 
Linux openSUSE vulnerability analysis and mitigation

CVE-2021-46766 is a security vulnerability affecting AMD EPYC processors and their ASP Bootloader component. The vulnerability was discovered and assigned on March 31, 2022, and publicly disclosed on November 14, 2023. The issue affects multiple AMD EPYC processor models and their firmware versions prior to genoapi1.0.0.4, as well as several Ryzen Threadripper Pro processors with firmware versions before chagallwspi-swrx81.0.0.5 (NVD).

The vulnerability stems from improper clearing of sensitive data in the ASP Bootloader, which could potentially expose secret keys to privileged attackers who can access ASP SRAM. The vulnerability has received varying CVSS severity ratings, with NIST assigning a CVSS v3.1 base score of 5.5 (Medium) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, while AMD assessed it at 2.5 (Low) with vector CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N. The vulnerability is classified under CWE-459 (Incomplete Cleanup) (NVD).

The primary impact of this vulnerability is the potential loss of confidentiality through exposure of secret keys. The vulnerability specifically affects the confidentiality aspect of security, with no direct impact on system integrity or availability (NVD).

AMD has addressed this vulnerability through firmware updates. For EPYC processors, the fix is included in firmware version genoapi1.0.0.4 and later, while Ryzen Threadripper Pro processors are patched in firmware version chagallwspi-swrx81.0.0.5 and later (AMD SB-3002).