CVE-2025-29943

MEDIUM

AMD EPYC 9004/9005/8004, Embedded 7003/9005 - Write-What-Where via CPU Pipeline Config

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-29943. PoCs published by fevar54.

AI-analyzed exploit summary This repository contains a proof-of-concept exploit for CVE-2025-29943, a write-what-where condition in AMD processors (Zen 1-5) that allows a malicious hypervisor to manipulate CPU pipeline configuration and corrupt stack pointers in SEV-SNP VMs, leading to privilege escalation and arbitrary code execution.

Description

Write what were condition within AMD CPUs may allow an admin-privileged attacker to modify the configuration of the CPU pipeline potentially resulting in the corruption of the stack pointer inside an SEV-SNP guest.

Exploits (1)

nomisec WORKING POC

by fevar54 · poc

https://github.com/fevar54/POC_CVE-2025-29943_Write-what-where-Condition

View Code ZIP pw:eip

This repository contains a proof-of-concept exploit for CVE-2025-29943, a write-what-where condition in AMD processors (Zen 1-5) that allows a malicious hypervisor to manipulate CPU pipeline configuration and corrupt stack pointers in SEV-SNP VMs, leading to privilege escalation and arbitrary code execution.

Classification

Working Poc 90%

Attack Type

Lpe

Complexity

Complex

Reliability

Theoretical

Target: AMD EPYC processors (Series 7003, 8004, 9004, 9005, and Embedded variants)

Auth required

Prerequisites: Root access on the host system · AMD Zen 1-5 processor · SEV-SNP enabled VM

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1499.004 - Application or System Exploitation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Vendor Advisory

https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-3027.html

Scores

CVSS v4 4.6

EPSS 0.0020

EPSS Percentile 10.1%

CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-123

Status published

Products (5)

AMD/AMD EPYC™ 8004 Series Processors Genoa++_1.0.0.H

AMD/AMD EPYC™ 9004 Series Processors Genoa++_1.0.0.H

AMD/AMD EPYC™ 9005 Series Processors TurinPI_1.0.0.6

AMD/AMD EPYC™ Embedded 7003 Series Processors EmbMilanPI-SP3 v9 1.0.0.C

AMD/AMD EPYC™ Embedded 9005 Series Processors EmbTurinPI-SP5_1.0.0.1

Published Jan 16, 2026

Tracked Since Feb 18, 2026