Insuff Gran Access Control in AMD SEV Firmware Enables Privileged Guest Creation
CVE-2025-48514 Published on February 10, 2026
Insufficient Granularity of Access Control in SEV firmware can allow a privileged attacker to create a SEV-ES Guest to attack SNP guest, potentially resulting in a loss of confidentiality.
Weakness Type
Insufficient Granularity of Access Control
The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.
Affected Versions
AMD EPYC™ 9004 Series Processors:- Version Genoa++_1.0.0.H is unaffected.
- Version MilanPI 1.0.0.H is unaffected.
- Version TurinPI 1.0.0.6 is unaffected.
- Version Genoa++_1.0.0.H is unaffected.
- Version EmbMilanPI-SP3 v9 1.0.0.C is unaffected.
- Version EmbGenoaPI-SP5 1.0.0.C is unaffected.
- Version EmbTurinPI-SP5_1.0.0.1 is unaffected.
- Version EmbGenoaPI-SP5 1.0.0.C is unaffected.
- Version EmbGenoaPI-SP5 1.0.0.C is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.