Linux · Linux Kernel · CVE-2024-50115
Name of the Vulnerable Software and Affected Versions:
Linux kernel versions prior to 6.6.61
Description:
The flaw is in KVM's nested SVM (nSVM) code path. When KVM runs a nested guest and the nested CR3 (nCR3, supplied by the L1 guest through its VMCB) points to a PAE-format page-directory-pointer table, KVM loads the four 8-byte PDPTEs from guest memory. According to the AMD APM and the Intel SDM, the low five address bits (4:0) of CR3 are assumed to be zero and are ignored by the CPU, because the PDPT is 32-byte aligned. KVM did not mask those bits before computing where in the page to read, so an nCR3 with non-zero bits 4:0 shifts the read past the 32-byte table. In the worst case this becomes an out-of-bounds read of host memory, for example when the target page is the last page of a memslot and the VMM is not placing guard pages after it. A malicious L1 guest controls nCR3, so the trigger is guest-reachable on hosts that allow nested virtualization.
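To make the alignment point concrete, the following is an added C example written for this page; it is not code from KVM. It models the PDPT offset computation the advisory describes: the unmasked form takes CR3's in-page bits as-is, the masked form ignores CR3[4:0] first. The page buffer, the sample nCR3 value and the helper names (`pdpt_offset_unmasked`, `pdpt_offset_masked`, `pdpt_read_in_bounds`, `read_pdptes`) are constructed for illustration; the only facts relied on are that a PAE PDPT is four 8-byte entries, 32-byte aligned, and that CR3[4:0] must be ignored.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE   4096u
#define PDPTE_COUNT 4u
#define PDPT_BYTES  (PDPTE_COUNT * sizeof(uint64_t))   /* 4 x 8 = 32 bytes */
#define CR3_PDPT_IGNORED_MASK 0x1fULL                  /* CR3[4:0]: ignored by the CPU */

/* Offset of the PDPT inside its 4 KiB page, computed the buggy way:
 * every bit below the page boundary is taken from CR3 unchanged. */
static uint32_t pdpt_offset_unmasked(uint64_t cr3)
{
    return (uint32_t)(cr3 & (PAGE_SIZE - 1));
}

/* Offset with CR3[4:0] ignored, as the APM/SDM require (the PDPT is 32-byte aligned). */
static uint32_t pdpt_offset_masked(uint64_t cr3)
{
    return (uint32_t)((cr3 & ~CR3_PDPT_IGNORED_MASK) & (PAGE_SIZE - 1));
}

/* True if a 32-byte PDPT read starting at `off` stays inside one page. */
static bool pdpt_read_in_bounds(uint32_t off)
{
    return off <= PAGE_SIZE - PDPT_BYTES;
}

/* Copy the four PDPTEs at `off` out of a page-sized buffer.
 * Returns the number of entries read, or 0 if the read would run past the
 * page, which is the condition the real bug turns into an out-of-bounds
 * read of host memory. (Hypothetical helper, not KVM's API.) */
static unsigned read_pdptes(const uint8_t *page, uint32_t off, uint64_t out[PDPTE_COUNT])
{
    if (!pdpt_read_in_bounds(off))
        return 0;
    memcpy(out, page + off, PDPT_BYTES);
    return PDPTE_COUNT;
}

int main(void)
{
    /* Constructed sample: one guest page whose last 32 bytes (offset 0xfe0) hold the PDPT. */
    static uint8_t page[PAGE_SIZE];
    uint64_t pdpt[PDPTE_COUNT] = { 0x1001ULL, 0x2001ULL, 0x3001ULL, 0x4001ULL };
    memcpy(page + 0xfe0, pdpt, PDPT_BYTES);

    /* A hostile L1 sets nCR3 with all five low bits set: same page, same
     * table as far as the CPU is concerned, but the unmasked offset is 0xfff. */
    uint64_t ncr3 = 0x12345000ULL | 0xfffULL;
    uint64_t got[PDPTE_COUNT];

    uint32_t off_bad = pdpt_offset_unmasked(ncr3);
    printf("unmasked offset 0x%x: read %s\n", off_bad,
           pdpt_read_in_bounds(off_bad) ? "in bounds" : "would leave the page");

    uint32_t off_ok = pdpt_offset_masked(ncr3);
    unsigned n = read_pdptes(page, off_ok, got);
    printf("masked offset 0x%x: read %u entries, PDPTE0 = 0x%llx\n",
           off_ok, n, (unsigned long long)got[0]);
    return 0;
}
```

In the real code path the page is a host mapping of guest memory, so "would leave the page" means KVM touches host memory beyond the mapped page; whether that memory exists depends on what the VMM placed after the memslot, which is why the advisory singles out the end-of-memslot, no-guard-page case. Masking CR3[4:0] before computing the offset removes the guest's ability to steer the read at all, which is the fix the advisory describes.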
Recommendations:
For Linux kernel versions prior to 6.6.61, update to version 6.6.61 or later to resolve the issue. Until the update can be applied, the exposure can be removed by disabling nested virtualization on AMD hosts, since the vulnerable nSVM path is only reachable when a guest is allowed to run nested VMs of its own: load kvm_amd with the module parameter nested=0 (the current setting is readable from /sys/module/kvm_amd/parameters/nested). This is a host-side change that takes effect when the module is (re)loaded, and it breaks any workload that relies on nested virtualization, so treat it as a stopgap rather than a fix. Note that the impact described is an out-of-bounds read, so the primary risks are host information disclosure and a host crash rather than memory corruption.