
Security Bulletin, December 2025

CVE-2025-20077, CVE-2025-3770, CVE-2025-29934, CVE-2025-30185, CVE-2025-0033, CVE-2023-31351, CVE-2025-0032, CVE-2024-36354, CVE-2024-36331, CVE-2024-21977, CVE-2024-21947, CVE-2024-21970, CVE-2023-31330
Dec 19, 2025

Giga Computing Technology Co., Ltd. acknowledges the security vulnerabilities affecting GIGABYTE’s enterprise products. The affected platforms are listed below.

 

| CVE | Platform | BIOS Release Schedule |
| --- | --- | --- |
| CVE-2025-20077 | Intel® Xeon® 6 Processors | Released |
| CVE-2025-3770 | AMD EPYC™ 9005 Series Processors | Released |
| CVE-2025-3770 | AMD EPYC™ 9004 Series Processors [1] | Released |
| CVE-2025-3770 | AMD EPYC™ 8004 Series Processors | Released |
| CVE-2025-3770 | AMD EPYC™ 7003 Series Processors | Released |
| CVE-2025-3770 | AMD EPYC™ 7002 Series Processors | Released |
| CVE-2025-3770 | AMD Instinct™ MI300A APU | Released |
| CVE-2025-3770 | AMD EPYC™ 4005/4004 & Ryzen™ 9000/7000 Series Processors | Released |
| CVE-2025-29934 | AMD EPYC™ 9005 Series Processors | Released |
| CVE-2025-29934 | AMD EPYC™ 9004 Series Processors [1] | Released |
| CVE-2025-29934 | AMD EPYC™ 8004 Series Processors | Released |
| CVE-2025-29934 | AMD EPYC™ 7003 Series Processors | Released |
| CVE-2025-30185 | Intel® Xeon® 6 Processors | Released |
| CVE-2025-0033 | AMD EPYC™ 9005 Series Processors | Released |
| CVE-2025-0033 | AMD EPYC™ 9004 Series Processors [1] | Released |
| CVE-2025-0033 | AMD EPYC™ 8004 Series Processors | Released |
| CVE-2025-0033 | AMD EPYC™ 7003 Series Processors | Released |
| CVE-2023-31351 | AMD EPYC™ 9004 Series Processors [1] | Released |
| CVE-2023-31351 | AMD EPYC™ 8004 Series Processors | Released |
| CVE-2023-31351 | AMD EPYC™ 7003 Series Processors | Released |
| CVE-2025-0032 | AMD EPYC™ 9005 Series Processors | Released |
| CVE-2024-36354 | AMD EPYC™ 9004 Series Processors [1] | Released |
| CVE-2024-36354 | AMD EPYC™ 8004 Series Processors | Released |
| CVE-2024-36354 | AMD EPYC™ 7003 Series Processors | Released |
| CVE-2024-36354 | AMD EPYC™ 7002 Series Processors | Released |
| CVE-2024-36354 | AMD EPYC™ 4005/4004 & Ryzen™ 9000/7000 Series Processors | Released |
| CVE-2024-36331 | AMD EPYC™ 9004 Series Processors [1] | Released |
| CVE-2024-36331 | AMD EPYC™ 8004 Series Processors | Released |
| CVE-2024-21977 | AMD EPYC™ 9004 Series Processors [1] | Released |
| CVE-2024-21977 | AMD EPYC™ 8004 Series Processors | Released |
| CVE-2024-21977 | AMD EPYC™ 7003 Series Processors | Released |
| CVE-2024-21977 | AMD EPYC™ 4005/4004 & Ryzen™ 9000/7000 Series Processors | Released |
| CVE-2024-21947 | AMD EPYC™ 4005/4004 & Ryzen™ 9000/7000 Series Processors | Released |
| CVE-2024-21970 | AMD EPYC™ 4005/4004 & Ryzen™ 9000/7000 Series Processors | Released |
| CVE-2023-31330 | AMD EPYC™ 4005/4004 & Ryzen™ 9000/7000 Series Processors | Released |

[1] XV23-ZX0 does not follow the AMD EPYC 9005/9004 Series Processors BIOS release schedule. Please contact our sales team for further information on the BIOS release plan.

 

The vulnerabilities are listed below. Updated BIOS versions to address the threats will be available on all affected product pages.

 

Common Vulnerabilities and Exposures (CVE ID): CVE-2025-20077

Severity Rating: Medium

Description: Missing release of memory after effective lifetime in the UEFI OobRasMmbiHandlerDriver module for some Intel(R) reference server platforms may allow a privileged user to enable denial of service via local access.

 

Common Vulnerabilities and Exposures (CVE ID): CVE-2025-3770

Severity Rating: High

Description: EDK2 contains a vulnerability in BIOS where an attacker may cause “Protection Mechanism Failure” by local access. Successful exploitation of this vulnerability will lead to arbitrary code execution and impact Confidentiality, Integrity, and Availability.

 

Common Vulnerabilities and Exposures (CVE ID): CVE-2025-29934

Severity Rating: Medium

Description: A bug within some AMD CPUs could allow a local admin-privileged attacker to run a SEV-SNP guest using stale TLB entries, potentially resulting in loss of data integrity.

 

Common Vulnerabilities and Exposures (CVE ID): CVE-2025-30185

Severity Rating: High

Description: Active debug code for some Intel UEFI reference platforms within Ring 0: Kernel may allow a denial of service and escalation of privilege. System software adversary with a privileged user combined with a low complexity attack may enable data alteration. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (high) and availability (high) impacts.

 

Common Vulnerabilities and Exposures (CVE ID): CVE-2025-0033

Severity Rating: Medium

Description: Improper access control within AMD SEV-SNP could allow an admin privileged attacker to write to the RMP during SNP initialization, potentially resulting in a loss of SEV-SNP guest memory integrity.

 

Common Vulnerabilities and Exposures (CVE ID): CVE-2023-31351

Severity Rating: Medium

Description: Improper restriction of operations in the IOMMU could allow a malicious hypervisor to access guest private memory resulting in loss of integrity.

 

Common Vulnerabilities and Exposures (CVE ID): CVE-2025-0032

Severity Rating: High

Description: Improper cleanup in AMD CPU microcode patch loading could allow an attacker with local administrator privilege to load malicious CPU microcode, potentially resulting in loss of integrity of x86 instruction execution.

 

Common Vulnerabilities and Exposures (CVE ID): CVE-2024-36354

Severity Rating: High

Description: Improper input validation for DIMM serial presence detect (SPD) metadata could allow an attacker with physical access, ring0 access on a system with a non-compliant DIMM, or control over the Root of Trust for BIOS update, to bypass SMM isolation potentially resulting in arbitrary code execution at the SMM level.

 

Common Vulnerabilities and Exposures (CVE ID): CVE-2024-36331

Severity Rating: Low

Description: Improper initialization of CPU cache memory could allow a privileged attacker with hypervisor access to overwrite SEV-SNP guest memory resulting in loss of data integrity.

 

Common Vulnerabilities and Exposures (CVE ID): CVE-2024-21977

Severity Rating: Low

Description: Incomplete cleanup after loading a CPU microcode patch may allow a privileged attacker to degrade the entropy of the RDRAND instruction, potentially resulting in loss of integrity for SEV-SNP guests.

 

Common Vulnerabilities and Exposures (CVE ID): CVE-2024-21947

Severity Rating: High

Description: Improper input validation in the system management mode (SMM) could allow a privileged attacker to overwrite arbitrary memory potentially resulting in arbitrary code execution at the SMM level.

 

Common Vulnerabilities and Exposures (CVE ID): CVE-2024-21970

Severity Rating: Medium

Description: Improper validation of an array index in the AMD power management firmware could allow a privileged attacker to corrupt AGESA memory potentially leading to a loss of integrity.

 

Common Vulnerabilities and Exposures (CVE ID): CVE-2023-31330

Severity Rating: Low

Description: An out-of-bounds read in the ASP could allow a privileged attacker with access to a malicious bootloader to potentially read sensitive memory resulting in loss of confidentiality.

 

 

*The release schedule may be adjusted without further notification. Please check this page or contact technical support for any future updates.

*Please navigate to the "Support" section of the relevant product page to download the updated BIOS.

*For any further assistance regarding this issue, please contact your Giga Computing sales representative.