Although CVE-2024-36354 was disclosed in August 2025, AMD updated its Product Safety Bulletin (AMD-SB-3014) on 27th February 2026 to include the final TCB values for later cycle patching (2nd Mar 2026)

Preface: SPD (Serial Presence Detect) metadata is not used by CPU or GPU manufacturers for the processors themselves, but it is an industry-standard requirement for the memory modules (RAM) that these processors depend on.

Background: DIMM Serial Presence Detect (SPD) protects Ring 0 by ensuring the BIOS/UEFI correctly identifies memory characteristics (timings, voltage, size) during POST. By providing accurate data, it prevents misconfiguration that could lead to memory corruption, stability issues, or exploitation of System Management Mode (SMM). Properly locked SPD protects against malicious tampering that could bypass memory protections.

Ref: AMD EPYC “Genoa” is the codename for AMD’s 4th generation server processors, built on the Zen 4 microarchitecture and using a 5nm manufacturing process. Compared to its predecessor, Milan, Genoa increases the maximum core count to 96 and is the first to introduce DDR5 memory and PCIe 5.0 support, targeting the data center, cloud computing, and high-performance computing (HPC) markets.

Vulnerability details: CVE-2024-36354: Improper input validation for DIMM serial presence detect (SPD) metadata could allow an attacker with physical access, ring0 access on a system with a non-compliant DIMM, or control over the Root of Trust for BIOS update, to bypass SMM isolation, potentially resulting in arbitrary code execution at the SMM level.

Additional: This is not a substitute for the vendor fix. If the vulnerable code is inside proprietary AGESA/PI binaries, you still need the patched package. So the core issue is validation logic inside the firmware boot flow handling SPD data.
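To illustrate what validating SPD data before use looks like in general, here is an added example (not AMD's firmware code and not a reproduction of the CVE-2024-36354 flaw) that checks a DDR5 SPD image for length, device type, and the JEDEC CRC-16 over bytes 0 to 509. The function names and the sample image are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

#define SPD5_SIZE     1024u /* DDR5 SPD EEPROM size in bytes */
#define SPD5_CRC_LEN  510u  /* CRC covers bytes 0..509, stored at 510 (LSB) and 511 (MSB) */
#define SPD_TYPE_DDR5 0x12u /* byte 2: DRAM device type */

enum spd_status { SPD_OK = 0, SPD_ERR_LEN, SPD_ERR_TYPE, SPD_ERR_CRC };

/* JEDEC SPD CRC-16: polynomial 0x1021, initial value 0, MSB first. */
static uint16_t spd_crc16(const uint8_t *p, size_t n)
{
    uint16_t crc = 0;
    while (n--) {
        crc ^= (uint16_t)(*p++ << 8);
        for (int i = 0; i < 8; i++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021)
                                 : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Reject the image before any field is used to size a buffer or program
 * the memory controller. The CRC catches corruption only: anyone able to
 * rewrite the EEPROM can recompute it, so each field that is consumed
 * later still needs its own range check. */
enum spd_status spd5_validate(const uint8_t *spd, size_t len)
{
    if (spd == NULL || len != SPD5_SIZE)
        return SPD_ERR_LEN;
    if (spd[2] != SPD_TYPE_DDR5)
        return SPD_ERR_TYPE;
    uint16_t stored = (uint16_t)(spd[510] | (spd[511] << 8));
    return spd_crc16(spd, SPD5_CRC_LEN) == stored ? SPD_OK : SPD_ERR_CRC;
}

/* Constructed sample: a zero-filled image with only the type byte and CRC set. */
void spd5_make_sample(uint8_t *spd)
{
    for (size_t i = 0; i < SPD5_SIZE; i++)
        spd[i] = 0;
    spd[2] = SPD_TYPE_DDR5;
    uint16_t crc = spd_crc16(spd, SPD5_CRC_LEN);
    spd[510] = (uint8_t)(crc & 0xff);
    spd[511] = (uint8_t)(crc >> 8);
}

int main(void)
{
    static uint8_t spd[SPD5_SIZE];
    spd5_make_sample(spd);
    return spd5_validate(spd, sizeof spd); /* exit status 0 == SPD_OK */
}
```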

Official announcement: Please refer to the link for more details –

https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3014.html
