AMD Ryzen 9000, 8000, 7000 CPUs have a vulnerable TPM-Pluton, major firmware fix released

Last week, the Trusted Computing Group (TCG), the body that develops the Trusted Platform Module (TPM) standard and its reference implementation, alerted AMD and the public to a new TPM vulnerability that affects Ryzen processors.

Tracked as CVE-2025-2884 (AMD covers it in security bulletin AMD-SB-4011), the flaw is an out-of-bounds read. An attacker who can send crafted commands to the TPM can use it to read data held by the TPM (information disclosure) or potentially to make the TPM unavailable (denial of service).

The TCG locates the bug in the reference implementation's CryptHmacSign() function: it does not adequately check that the message digest handed to it is consistent with the hash algorithm named by the hash-based message authentication code (HMAC) signature scheme, so the function can read past the end of the data it was actually given. TCG explains in its VRT0009 advisory:

The reference code did not implement an appropriate consistency check in CryptHmacSign() resulting in potential out-of-bound read. The out-of-bound read occurs on the buffer passed to the ExecuteCommand() entry point. CVE-2025-2884 may allow an attacker to read up to 65535 bytes past the end of that buffer.
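To make the missing consistency check concrete, here is an added C model of the pattern the advisory describes. It is not the TCG reference code or AMD's firmware: the request layout, the names parse_request(), hmac_sign_vulnerable() and hmac_sign_fixed(), and the sample command bytes are all assumptions made for the example. The model shows the property that matters: the number of digest bytes fed to the HMAC is decided by the scheme's hash algorithm, so a caller who declares a short digest under a long-hash scheme makes the unfixed code consume bytes beyond the digest it supplied, which in the reference implementation means bytes of the command buffer and beyond. The 65535-byte figure in the advisory comes from the reference implementation's own buffer handling, which this small model does not reproduce.

```c
/* Added model of the CryptHmacSign() consistency check behind CVE-2025-2884.
 * Not the TCG reference implementation or AMD firmware: request layout,
 * function names and sample bytes are assumptions made for this example. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* TPM 2.0 algorithm identifiers (TPM_ALG_ID) for the hashes in the model. */
#define TPM_ALG_SHA256 0x000Bu
#define TPM_ALG_SHA384 0x000Cu
#define TPM_ALG_SHA512 0x000Du

/* Return codes in the TPM 2.0 style: success and a parameter value error. */
#define TPM_RC_SUCCESS 0x000u
#define TPM_RC_VALUE   0x084u

/* Parsed view of a (constructed) HMAC sign request inside a command buffer. */
typedef struct {
    uint16_t scheme_hash_alg;  /* TPMT_SIG_SCHEME.details.hmac.hashAlg */
    uint16_t digest_size;      /* TPM2B_DIGEST.size as declared by the caller */
    const uint8_t *digest;     /* first digest byte, inside the command buffer */
    const uint8_t *buf_end;    /* one past the end of the command buffer */
} hmac_sign_request_t;

/* Digest length produced by a hash algorithm, 0 if unsupported. */
static size_t digest_size_for(uint16_t hash_alg)
{
    switch (hash_alg) {
    case TPM_ALG_SHA256: return 32;
    case TPM_ALG_SHA384: return 48;
    case TPM_ALG_SHA512: return 64;
    default:             return 0;
    }
}

/* Stand-in for the HMAC update step: reads every byte in [data, data+len). */
static void hmac_update(const uint8_t *data, size_t len)
{
    volatile uint8_t sink = 0;
    for (size_t i = 0; i < len; i++)
        sink ^= data[i];
    (void)sink;
}

/* Assumed wire layout: hashAlg (2 bytes, big-endian), digest size (2 bytes,
 * big-endian), then the digest bytes. Returns 1 on success, 0 if the header
 * does not fit in the buffer. */
static int parse_request(const uint8_t *cmd, size_t len, hmac_sign_request_t *out)
{
    if (len < 4)
        return 0;
    out->scheme_hash_alg = (uint16_t)((cmd[0] << 8) | cmd[1]);
    out->digest_size     = (uint16_t)((cmd[2] << 8) | cmd[3]);
    out->digest          = cmd + 4;
    out->buf_end         = cmd + len;
    return 1;
}

/* Vulnerable pattern: the byte count fed to the HMAC comes from the scheme's
 * hash algorithm and is never compared with the declared digest size, so a
 * 32-byte digest under a SHA-512 scheme makes the HMAC consume 32 bytes past
 * the digest. *over_read receives that excess. The read is clamped at buf_end
 * only so that this model itself stays memory-safe. */
static uint32_t hmac_sign_vulnerable(const hmac_sign_request_t *req, size_t *over_read)
{
    size_t want  = digest_size_for(req->scheme_hash_alg);
    size_t avail = (size_t)(req->buf_end - req->digest);
    hmac_update(req->digest, want < avail ? want : avail);
    *over_read = want > req->digest_size ? want - req->digest_size : 0;
    return TPM_RC_SUCCESS;
}

/* Hardened pattern: before touching any data, reject the command unless the
 * declared digest size is exactly what the scheme's hash algorithm produces
 * and that many bytes are really present in the buffer. */
static uint32_t hmac_sign_fixed(const hmac_sign_request_t *req, size_t *over_read)
{
    size_t want = digest_size_for(req->scheme_hash_alg);
    *over_read = 0;
    if (want == 0 || req->digest_size != want
        || (size_t)(req->buf_end - req->digest) < want)
        return TPM_RC_VALUE;
    hmac_update(req->digest, want);
    return TPM_RC_SUCCESS;
}

/* Constructed sample command: SHA-512 HMAC scheme (0x000D) with a digest the
 * caller declares as only 32 bytes (0x0020). */
static const uint8_t sample_short_digest[4 + 32] = {
    0x00, 0x0D, 0x00, 0x20,
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
    0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10,
    0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
    0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20,
};

int main(void)
{
    hmac_sign_request_t req;
    size_t over = 0;
    if (!parse_request(sample_short_digest, sizeof sample_short_digest, &req))
        return 1;
    unsigned rc = hmac_sign_vulnerable(&req, &over);
    printf("vulnerable: rc=0x%03x, bytes read past declared digest=%zu\n", rc, over);
    rc = hmac_sign_fixed(&req, &over);
    printf("fixed:      rc=0x%03x, bytes read past declared digest=%zu\n", rc, over);
    return 0;
}
```

The hardened version applies the same rule the advisory calls a consistency check: a length derived from one attacker-controlled field (the scheme's hash algorithm) is never used on its own to decide how much of another attacker-controlled field (the digest) to read. The two must agree, and the check has to run before any byte is processed, not after.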

The flaw carries a Common Vulnerability Scoring System (CVSS) base score of 6.6, medium severity. That is typical for a locally exploitable bug: the attacker must already be able to submit commands to the TPM from the affected system, so this is a local attack rather than one that needs physical access to the machine, and the outcome is disclosure of TPM data or a denial of service rather than remote code execution. Regardless, AMD has issued firmware to patch the vulnerability on Ryzen 7000 and 8000 (Zen 4) and Ryzen 9000 (Zen 5) parts.

AMD has confirmed that AGESA (AMD Generic Encapsulated Software Architecture) firmware Combo PI (Platform Initialization) 1.2.0.3e mitigates the flaw. Its bulletin lists the fix under "ASP fTPM + Pluton TPM", that is, both the firmware TPM that runs on the AMD Secure Processor (ASP) and the Pluton-based TPM are covered. If you are wondering, the ASP is, in AMD's words, "a dedicated hardware component embedded in every system-on-a-chip."

AMD"s motherboard vendor partners like Asus and MSI have already begun rolling out the firmware update. MSI has a blog post about the 1.2.0.3e Combo PI as it mentions several new upcoming features including support for new CPUs, better memory compatibility, and more. MSI writes:

This update not only adds support for upcoming new CPUs, but also enables all AM5 motherboards to support large-capacity 64GBx4 DRAM chips. .... Even with four 64GB DRAM fully installed, the system can still achieve a stable overclocking speed of 6000MT/s, and even up to 6400MT/s.

In addition, this update optimizes 2DPC 1R capability and includes overclocking enhancements specifically for Samsung's 4Gx8 chips.

Interestingly, Asus notes that this firmware update cannot be rolled back, as it is a major release. One would therefore hope it is a very stable release, and as the "e" revision of 1.2.0.3 it has already been through several rounds of iteration. Since the update also replaces the fTPM firmware, anyone using TPM-bound disk encryption such as BitLocker should suspend it (or at least have the recovery key at hand) before flashing, because changed firmware measurements can put the system into recovery on the next boot.

Other vendors such as Gigabyte and ASRock have yet to release their updates.
