CVE-2024-56161
Publication date 3 February 2025
Last updated 2 February 2026
Ubuntu priority
CVSS 3 Severity Score
Description
Improper signature verification in AMD CPU ROM microcode patch loader may allow an attacker with local administrator privilege to load malicious CPU microcode resulting in loss of confidentiality and integrity of a confidential guest running under AMD SEV-SNP.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| amd64-microcode | 24.04 LTS noble | Fixed 3.20250311.1ubuntu0.24.04.1 |
| | 22.04 LTS jammy | Not affected |
| | 20.04 LTS focal | Not affected |
| | 18.04 LTS bionic | Not affected |
| | 16.04 LTS xenial | Not affected |
| | 14.04 LTS trusty | Not affected |
Notes
rodrigo-zaiden
This CVE is inside the bucket of two CVEs (CVE-2024-56161 and CVE-2024-36347) known as "EntrySign", the AMD Zen microcode signature validation vulnerability, affecting Zen 1/2/3/4/5 platforms. This CVE specifically tracks the AMD SEV-SNP firmware that exists in the amd64-microcode package. The fix for this CVE doesn't fix EntrySign but updates the AMD SEV firmware based on AMD-SB-3019 mitigations, which is basically an update to support SEV-SNP attestation on updated firmware systems. The complete fix for EntrySign comprehends a BIOS upgrade (distributed through OEMs) that will properly fix microcode signature verification, and because of that it is not possible to distribute the fix through OS-level updates (such as the amd64-microcode package). AMD SEV firmware was included in noble onwards, based on upstream release 20220411; releases older than that are not supported.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | |
| Attack vector | Local |
| Attack complexity | High |
| Privileges required | High |
| User interaction | None |
| Scope | Changed |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | None |
| Vector | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-7560-1: AMD Microcode vulnerability (9 June 2025)
- USN-7561-1: AMD Microcode vulnerabilities (9 June 2025)
Other references
- https://www.cve.org/CVERecord?id=CVE-2024-56161
- https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3019.html
- https://github.com/google/security-research/security/advisories/GHSA-4xq7-4mgh-gp6w
- https://bughunters.google.com/blog/5424842357473280/zen-and-the-art-of-microcode-hacking
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1099830#26