CVE-2025-29946: CWE-1301 Insufficient or Incomplete Data Removal within Hardware Component in AMD AMD EPYC™ 9005 Series Processors
Insufficient or Incomplete Data Removal in Hardware Component in SEV firmware doesn't fully flush IOMMU. This can potentially lead to a loss of confidentiality and integrity in guest memory.
AI Analysis
Technical Summary
CVE-2025-29946 is a hardware-level vulnerability identified in the AMD EPYC™ 9005 Series processors, specifically within the Secure Encrypted Virtualization (SEV) firmware component. The issue stems from insufficient or incomplete data removal: the SEV firmware does not fully flush the Input-Output Memory Management Unit (IOMMU). The IOMMU is critical in managing memory access and isolation between virtual machines (VMs) and hardware devices. Failure to properly flush the IOMMU can lead to residual data remaining accessible in guest memory, undermining the confidentiality and integrity guarantees expected in virtualized environments. This vulnerability is categorized under CWE-1301, which relates to improper clearing or sanitization of data. The CVSS 4.0 score of 4.5 reflects medium severity: the attack vector is local (AV:L), attack complexity is high (AC:H), high privileges are required (PR:H), and no user interaction is needed (UI:N). The subsequent-system integrity impact is high (SI:H), indicating that the vulnerability affects the security properties of the system beyond the vulnerable component. No public patches or exploits are currently known, but the risk is significant in environments where AMD EPYC 9005 processors are used to host sensitive virtualized workloads, such as cloud service providers and enterprise data centers.
Potential Impact
For European organizations, the vulnerability poses a risk primarily to cloud service providers, data centers, and enterprises utilizing AMD EPYC 9005 Series processors for virtualization. The incomplete flushing of the IOMMU can allow attackers with high privileges to access or manipulate guest memory contents, potentially leading to data leakage or unauthorized data modification. This compromises the confidentiality and integrity of sensitive information processed in virtual machines, which is critical for sectors such as finance, healthcare, government, and critical infrastructure. The impact is heightened in multi-tenant cloud environments where isolation between tenants is paramount. Although exploitation requires high privileges and local access, insider threats or compromised administrative accounts could leverage this vulnerability to escalate access or exfiltrate data. The absence of known exploits reduces immediate risk, but the hardware-level nature of the flaw means remediation may be complex and slow, prolonging exposure.
Mitigation Recommendations
European organizations should implement strict access controls to limit administrative and privileged access to systems running AMD EPYC 9005 processors. Employ robust monitoring and auditing of privileged operations to detect suspicious activities. Isolate sensitive workloads and consider additional software-based memory isolation techniques to reduce reliance on hardware-level protections until patches are available. Engage with AMD and hardware vendors to obtain timely firmware updates or mitigations once released. Conduct thorough risk assessments for virtualized environments and consider temporary migration of critical workloads to unaffected hardware if feasible. Maintain an up-to-date inventory of affected hardware and ensure that incident response teams are aware of the vulnerability specifics. Additionally, reinforce endpoint security and network segmentation to reduce the attack surface for local privilege escalation attempts.
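An added example (not part of the original advisory or AMD's tooling) for the hardware-inventory step above: a POSIX shell check that flags Linux hosts whose CPU model name matches the EPYC 9005 naming pattern and reports whether KVM has SEV, SEV-ES and SEV-SNP enabled. The `AMD EPYC 9xx5` model-name pattern and the function names are assumptions of this example; the sysfs directory holds the `kvm_amd` module parameters.

```shell
#!/bin/sh
# Added example: classify a Linux hypervisor host for a CVE-2025-29946 inventory.
# Assumption: EPYC 9005 Series parts report a model name such as
# "AMD EPYC 9755 128-Core Processor" (a 9, two digits, then 5, optional suffix).

# is_epyc_9005 CPUINFO_FILE
# Succeeds when the first "model name" line matches the assumed 9005 pattern.
is_epyc_9005() {
    grep -m1 '^model name' "$1" 2>/dev/null |
        grep -Eq 'AMD EPYC 9[0-9]{2}5[A-Z]*( |$)'
}

# sev_feature PARAM_DIR NAME
# Prints enabled, disabled or unknown for one kvm_amd module parameter
# (sev, sev_es, sev_snp). "unknown" means kvm_amd is not loaded or the
# running kernel does not expose that parameter.
sev_feature() {
    f="$1/$2"
    [ -r "$f" ] || { echo unknown; return; }
    case "$(cat "$f")" in
        Y|y|1) echo enabled ;;
        *)     echo disabled ;;
    esac
}

# classify_host [CPUINFO_FILE] [PARAM_DIR]
# Prints one inventory line; the defaults read the live host.
classify_host() {
    cpuinfo="${1:-/proc/cpuinfo}"
    params="${2:-/sys/module/kvm_amd/parameters}"
    if is_epyc_9005 "$cpuinfo"; then
        echo "epyc-9005 sev=$(sev_feature "$params" sev)" \
             "sev_es=$(sev_feature "$params" sev_es)" \
             "sev_snp=$(sev_feature "$params" sev_snp)"
    else
        echo "other-cpu"
    fi
}

classify_host "$@"
```

Run it on each hypervisor host and collect the one-line result. It says nothing about firmware patch level, which the advisory does not specify.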
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: AMD
- Date Reserved: 2025-03-12T15:15:04.910Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 698b8b0b4b57a58fa1266772
Added to database: 2/10/2026, 7:46:19 PM
Last enriched: 2/10/2026, 8:05:32 PM
Last updated: 2/21/2026, 12:18:51 AM