Insufficient Access Control in SEV Firmware Enables ASID Leakage
CVE-2025-48517 Published on February 10, 2026

Insufficient Granularity of Access Control in SEV firmware could allow a privileged user with a malicious hypervisor to create a SEV-ES guest with an ASID in the range meant for SEV-SNP guests potentially resulting in a partial loss of confidentiality.

NVD

Weakness Type

Insufficient Granularity of Access Control

The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.

Affected Versions

AMD EPYC™ 9005 Series Processors:

Version TurinPI 1.0.0.6 is unaffected.

AMD EPYC™ Embedded 9005 Series Processors:

Version EmbTurinPI-SP5_1.0.0.1 is unaffected.

Exploit Probability

EPSS

0.02%

Percentile

4.20%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

Insufficient Access Control in SEV Firmware Enables ASID LeakageCVE-2025-48517 Published on February 10, 2026

Weakness Type

Insufficient Granularity of Access Control

Affected Versions

Exploit Probability

Insufficient Access Control in SEV Firmware Enables ASID Leakage
CVE-2025-48517 Published on February 10, 2026