
CVE-2025-0034: CWE-787 Out-of-bounds Write in AMD Instinct™ MI300X

Severity: Medium
Published: Sat Sep 06 2025 (09/06/2025, 18:35:44 UTC)
Source: CVE Database V5
Vendor/Project: AMD
Product: AMD Instinct™ MI300X

Description

Insufficient parameter sanitization in TEE SOC Driver could allow an attacker to issue a malformed DRV_SOC_CMD_ID_SRIOV_SPATIAL_PART and cause read or write past the end of allocated arrays, potentially resulting in a loss of platform integrity or denial of service.

AI-Powered Analysis

Last updated: 09/06/2025, 18:43:06 UTC

Technical Analysis

CVE-2025-0034 is a medium-severity vulnerability classified as CWE-787 (Out-of-bounds Write) affecting the AMD Instinct™ MI300X accelerator, specifically the Trusted Execution Environment (TEE) System on Chip (SOC) driver. It arises from insufficient parameter sanitization when the driver processes the DRV_SOC_CMD_ID_SRIOV_SPATIAL_PART command. An attacker with high privileges and local access can issue a malformed command that causes the driver to read or write beyond the bounds of allocated arrays. An out-of-bounds write can corrupt memory, potentially leading to loss of platform integrity or denial of service (DoS).

Exploitation requires high attack complexity and high privileges, with no user interaction needed. The CVSS v3.1 base score is 4.7, reflecting limited confidentiality impact but significant integrity and availability concerns. No known exploits are currently reported in the wild, and no patches have been linked yet.

The affected product, AMD Instinct MI300X, is a high-performance GPU accelerator used primarily in data centers and HPC environments, often integrated into servers that handle sensitive workloads. The vulnerability could be exploited by malicious insiders or compromised administrators to disrupt operations or degrade system reliability by corrupting memory structures within the TEE SOC driver. Because exploitation requires local privileged access, it is unlikely from remote attackers, but it remains a concern in multi-tenant or shared environments where privileged users or compromised processes exist.
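The bug class described above, sketched as an added example (not AMD's driver code and not taken from the advisory): a command handler that trusts a caller-supplied index and count, beside a version that validates both before touching any array. The struct layout, field names, limits and function names are hypothetical; the real command format does not appear on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical layout for illustration; NOT the real AMD command format. */
#define MAX_VFS   8u
#define MAX_PARTS 8u

struct part_cmd {                  /* message filled in by the caller */
    uint32_t vf_index;             /* which virtual function to configure */
    uint32_t num_parts;            /* valid entries in part_cfg[] */
    uint32_t part_cfg[MAX_PARTS];
};

struct vf_state { uint32_t num_parts; uint32_t part_cfg[MAX_PARTS]; };
static struct vf_state vf_table[MAX_VFS];

/* Unsanitized shape of the bug (CWE-787): index and count used as given. */
void handle_part_cmd_unchecked(const struct part_cmd *cmd)
{
    struct vf_state *vf = &vf_table[cmd->vf_index];   /* may point past vf_table */
    for (uint32_t i = 0; i < cmd->num_parts; i++)     /* may run past both arrays */
        vf->part_cfg[i] = cmd->part_cfg[i];
}

/* Hardened handler: returns 0 on success, -1 if the command is rejected. */
int handle_part_cmd(const void *buf, size_t len)
{
    struct part_cmd cmd;

    /* Exact-size check, then one copy so validation and use see the same bytes. */
    if (buf == NULL || len != sizeof cmd)
        return -1;
    memcpy(&cmd, buf, sizeof cmd);

    /* Unsigned fields: a single upper-bound test also rejects "negative" values. */
    if (cmd.vf_index >= MAX_VFS)
        return -1;
    if (cmd.num_parts == 0 || cmd.num_parts > MAX_PARTS)
        return -1;

    /* Only validated values reach the array accesses below. */
    struct vf_state *vf = &vf_table[cmd.vf_index];
    vf->num_parts = cmd.num_parts;
    memcpy(vf->part_cfg, cmd.part_cfg, cmd.num_parts * sizeof cmd.part_cfg[0]);
    return 0;
}
```

Rejected commands leave `vf_table` untouched, which makes a rejection safe to log and count as a signal of malformed input.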

Potential Impact

For European organizations, particularly those operating data centers, HPC clusters, or cloud services utilizing AMD Instinct MI300X accelerators, this vulnerability poses a risk to system stability and integrity. Potential impacts include denial of service conditions that could interrupt critical computational workloads or degrade service availability. Although confidentiality impact is minimal, the integrity loss could affect the correctness of computations or data processed on these accelerators, which is critical in sectors such as scientific research, financial modeling, and industrial simulations. Organizations relying on multi-tenant environments or shared infrastructure may face increased risk if an attacker gains privileged local access. Disruptions could lead to operational downtime, financial losses, and reputational damage. Additionally, the lack of patches at present necessitates heightened vigilance and interim mitigations to reduce exposure.

Mitigation Recommendations

1. Restrict and tightly control local privileged access to systems running AMD Instinct MI300X accelerators to trusted administrators only, employing strong authentication and access auditing.
2. Monitor system logs and driver behavior for anomalous or malformed DRV_SOC_CMD_ID_SRIOV_SPATIAL_PART commands that could indicate exploitation attempts.
3. Employ hardware and software-based isolation techniques to limit the impact of potential memory corruption, such as containerization or virtualization with strict privilege separation.
4. Coordinate with AMD for timely patch deployment once available; maintain close monitoring of vendor advisories.
5. Implement rigorous change management and configuration control to prevent unauthorized driver modifications or command injections.
6. Conduct regular security assessments and penetration testing focused on privileged local access vectors to identify and remediate weaknesses.
7. Consider disabling or limiting SR-IOV spatial partitioning features if not required, reducing the attack surface related to this command.


Technical Details

Data Version: 5.1
Assigner Short Name: AMD
Date Reserved: 2024-11-21T16:18:00.569Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68bc809c209f30cfade91150

Added to database: 9/6/2025, 6:42:36 PM

Last enriched: 9/6/2025, 6:43:06 PM

Last updated: 9/7/2025, 10:41:28 AM
