UEFI-MM Driver Buffer Overflow
Bulletin ID: AMP-SB-0007
Problem Statement and Impact
An incorrectly formed SMC call to UEFI-MM Boot Error Record Table driver may result in either:
- An out-of-bounds read which leaks Secure-EL0 information to a process running in Non-Secure state
- An out-of-bounds write which corrupts Secure or Non-Secure memory, limited to memory mapped to UEFI-MM Secure Partition by the Secure Partition Manager. This could potentially result in a system hang or privilege escalation.
(CVE-2025-62862)
Note that the UEFI-MM Secure Partition reference code is isolated from Non-Secure to provide integrity, not confidentiality. There are no secrets or user workload data being processed in the UEFI-MM Secure Partition, so the actual confidentiality impact is negligible. Regardless of the practical impact, the out-of-bounds read leaking memory to a Non-Secure process is a violation of the intended architectural separation of Secure and Non-Secure worlds and is being fixed.
An incorrectly formed SMC call to UEFI-MM PCIe driver may result in an out-of-bounds write within PCIe driver’s S-EL0 address space. (CVE-2025-62863)
An incorrectly formed SMC call to UEFI-MM MMCommunicate service may result in an out-of-bounds write within the UEFI-MM Secure Partition context. (CVE-2025-62864)
CVE-2025-62862 and CVE-2025-62863 were discovered and reported by Kirk Swidowski (Google Cloud Vulnerability Research).
Severity
Medium
CVSS score: 4.6
CVE-2025-62862: [CVSS (version 3.1) 4.6/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L]
CVE-2025-62863: [CVSS (version 3.1) 4.6/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L]
CVE-2025-62864: [CVSS (version 3.1) 4.6/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L]
Fixed In
- AmpereOne® AC03 3.5.9.3 or newer
- AmpereOne® AC04 4.4.5.2 or newer
- AmpereOne® M 5.4.5.1 or newer
Recommendations
Ampere recommends that users of affected products update to the latest available SRPs.
Ampere Computing LLC
4655 Great America Parkway Suite 601
Santa Clara, CA 95054
