CVE-2021-26365

Certain size values in firmware binary headers could trigger out of bounds reads during signature validation, leading to denial of service or potentially limited leakage of information about out-of-bounds memory contents.

Published: 2023-05-09 Last update: 2026-06-16 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2021-26365 is rated Moderate Risk (47.7/100): CVSS High severity, with low exploitation likelihood (EPSS 0.57%). Mandatory action: Review affected assets and schedule remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2021-26365

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 0.51% 0.57% +0.06%
2 2026-05-28 0.41% 0.51% +0.10%
3 2026-05-24 0.41%

Full EPSS history (11 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2021-26365

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
8.2 3.1 HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:L)
Some sensitive info could get out, but not a total data dump.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
3.9 4.2 [email protected]
8.2 3.1 HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:L)
Some sensitive info could get out, but not a total data dump.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
3.9 4.2 134c704f-9b21-4f2e-91b3-4a467353bcc0

Weakness enumeration for CVE-2021-26365

Affected software / configurations for CVE-2021-26365

Vendor Product Version Raw CPE
amd ryzen_5_2400g_firmware cpe:2.3:o:amd:ryzen_5_2400g_firmware:-:*:*:*:*:*:*:*
amd ryzen_5_2400ge_firmware cpe:2.3:o:amd:ryzen_5_2400ge_firmware:-:*:*:*:*:*:*:*
amd ryzen_3_2200ge_firmware cpe:2.3:o:amd:ryzen_3_2200ge_firmware:-:*:*:*:*:*:*:*
amd ryzen_3_2200g_firmware cpe:2.3:o:amd:ryzen_3_2200g_firmware:-:*:*:*:*:*:*:*
amd ryzen_3_pro_2100ge_firmware cpe:2.3:o:amd:ryzen_3_pro_2100ge_firmware:-:*:*:*:*:*:*:*
amd ryzen_9_5900x_firmware cpe:2.3:o:amd:ryzen_9_5900x_firmware:-:*:*:*:*:*:*:*
amd ryzen_9_5950x_firmware cpe:2.3:o:amd:ryzen_9_5950x_firmware:-:*:*:*:*:*:*:*
amd ryzen_9_5900_firmware cpe:2.3:o:amd:ryzen_9_5900_firmware:-:*:*:*:*:*:*:*
amd ryzen_7_5800_firmware cpe:2.3:o:amd:ryzen_7_5800_firmware:-:*:*:*:*:*:*:*
amd ryzen_7_5800x_firmware cpe:2.3:o:amd:ryzen_7_5800x_firmware:-:*:*:*:*:*:*:*
amd ryzen_7_5800x3d_firmware cpe:2.3:o:amd:ryzen_7_5800x3d_firmware:-:*:*:*:*:*:*:*
amd ryzen_7_5700x_firmware cpe:2.3:o:amd:ryzen_7_5700x_firmware:-:*:*:*:*:*:*:*
amd ryzen_5_5600_firmware cpe:2.3:o:amd:ryzen_5_5600_firmware:-:*:*:*:*:*:*:*
amd ryzen_5_5600x_firmware cpe:2.3:o:amd:ryzen_5_5600x_firmware:-:*:*:*:*:*:*:*
amd ryzen_5_5500_firmware cpe:2.3:o:amd:ryzen_5_5500_firmware:-:*:*:*:*:*:*:*
amd ryzen_3_3200u_firmware < picassopi-fp5_1.0.0.d cpe:2.3:o:amd:ryzen_3_3200u_firmware:*:*:*:*:*:*:*:*
amd ryzen_3_3250c_firmware < picassopi-fp5_1.0.0.d cpe:2.3:o:amd:ryzen_3_3250c_firmware:*:*:*:*:*:*:*:*
amd ryzen_3_3250u_firmware < picassopi-fp5_1.0.0.d cpe:2.3:o:amd:ryzen_3_3250u_firmware:*:*:*:*:*:*:*:*
amd amd_3015e_firmware < pollockpi-ft5_1.0.0.3 cpe:2.3:o:amd:amd_3015e_firmware:*:*:*:*:*:*:*:*
amd amd_3015ce_firmware < pollockpi-ft5_1.0.0.3 cpe:2.3:o:amd:amd_3015ce_firmware:*:*:*:*:*:*:*:*
amd ryzen_7_2800h_firmware cpe:2.3:o:amd:ryzen_7_2800h_firmware:-:*:*:*:*:*:*:*
amd ryzen_7_2700u_firmware cpe:2.3:o:amd:ryzen_7_2700u_firmware:-:*:*:*:*:*:*:*
amd ryzen_5_2600h_firmware cpe:2.3:o:amd:ryzen_5_2600h_firmware:-:*:*:*:*:*:*:*
amd ryzen_5_2500u_firmware cpe:2.3:o:amd:ryzen_5_2500u_firmware:-:*:*:*:*:*:*:*
amd ryzen_3_2300u_firmware cpe:2.3:o:amd:ryzen_3_2300u_firmware:-:*:*:*:*:*:*:*
amd ryzen_3_2200u_firmware cpe:2.3:o:amd:ryzen_3_2200u_firmware:-:*:*:*:*:*:*:*
amd ryzen_5_3400g_firmware cpe:2.3:o:amd:ryzen_5_3400g_firmware:-:*:*:*:*:*:*:*
amd ryzen_5_pro_3400g_firmware cpe:2.3:o:amd:ryzen_5_pro_3400g_firmware:-:*:*:*:*:*:*:*
amd ryzen_5_pro_3400ge_firmware cpe:2.3:o:amd:ryzen_5_pro_3400ge_firmware:-:*:*:*:*:*:*:*
amd ryzen_5_pro_3350g_firmware cpe:2.3:o:amd:ryzen_5_pro_3350g_firmware:-:*:*:*:*:*:*:*
amd ryzen_5_pro_3350ge_firmware cpe:2.3:o:amd:ryzen_5_pro_3350ge_firmware:-:*:*:*:*:*:*:*
amd ryzen_3_pro_3200g_firmware cpe:2.3:o:amd:ryzen_3_pro_3200g_firmware:-:*:*:*:*:*:*:*
amd ryzen_3_3200g_firmware cpe:2.3:o:amd:ryzen_3_3200g_firmware:-:*:*:*:*:*:*:*
amd ryzen_3_3200ge_firmware cpe:2.3:o:amd:ryzen_3_3200ge_firmware:-:*:*:*:*:*:*:*
amd ryzen_3_pro_3200ge_firmware cpe:2.3:o:amd:ryzen_3_pro_3200ge_firmware:-:*:*:*:*:*:*:*
amd ryzen_7_5700u_firmware < cezannepi-fp6_1.0.0.8 cpe:2.3:o:amd:ryzen_7_5700u_firmware:*:*:*:*:*:*:*:*
amd ryzen_5_5500u_firmware < cezannepi-fp6_1.0.0.8 cpe:2.3:o:amd:ryzen_5_5500u_firmware:*:*:*:*:*:*:*:*
amd ryzen_3_5300u_firmware < cezannepi-fp6_1.0.0.8 cpe:2.3:o:amd:ryzen_3_5300u_firmware:*:*:*:*:*:*:*:*
amd ryzen_7_5700g_firmware < cezannepi-fp6_1.0.0.8 cpe:2.3:o:amd:ryzen_7_5700g_firmware:*:*:*:*:*:*:*:*
amd ryzen_7_5700ge_firmware < cezannepi-fp6_1.0.0.8 cpe:2.3:o:amd:ryzen_7_5700ge_firmware:*:*:*:*:*:*:*:*
amd ryzen_5_5600g_firmware < cezannepi-fp6_1.0.0.8 cpe:2.3:o:amd:ryzen_5_5600g_firmware:*:*:*:*:*:*:*:*
amd ryzen_5_5600ge_firmware < cezannepi-fp6_1.0.0.8 cpe:2.3:o:amd:ryzen_5_5600ge_firmware:*:*:*:*:*:*:*:*
amd ryzen_3_5300g_firmware < cezannepi-fp6_1.0.0.8 cpe:2.3:o:amd:ryzen_3_5300g_firmware:*:*:*:*:*:*:*:*
amd ryzen_3_5300ge_firmware < cezannepi-fp6_1.0.0.8 cpe:2.3:o:amd:ryzen_3_5300ge_firmware:*:*:*:*:*:*:*:*
amd ryzen_9_6980hx_firmware < rmb_1.0.0.4 cpe:2.3:o:amd:ryzen_9_6980hx_firmware:*:*:*:*:*:*:*:*
amd ryzen_9_6980hs_firmware < rmb_1.0.0.4 cpe:2.3:o:amd:ryzen_9_6980hs_firmware:*:*:*:*:*:*:*:*
amd ryzen_9_6900hx_firmware < rmb_1.0.0.4 cpe:2.3:o:amd:ryzen_9_6900hx_firmware:*:*:*:*:*:*:*:*
amd ryzen_9_6900hs_firmware < rmb_1.0.0.4 cpe:2.3:o:amd:ryzen_9_6900hs_firmware:*:*:*:*:*:*:*:*
amd ryzen_7_6800h_firmware < rmb_1.0.0.4 cpe:2.3:o:amd:ryzen_7_6800h_firmware:*:*:*:*:*:*:*:*
amd ryzen_7_6800hs_firmware < rmb_1.0.0.4 cpe:2.3:o:amd:ryzen_7_6800hs_firmware:*:*:*:*:*:*:*:*
amd ryzen_7_6800u_firmware < rmb_1.0.0.4 cpe:2.3:o:amd:ryzen_7_6800u_firmware:*:*:*:*:*:*:*:*
amd ryzen_5_6600h_firmware < rmb_1.0.0.4 cpe:2.3:o:amd:ryzen_5_6600h_firmware:*:*:*:*:*:*:*:*
amd ryzen_5_6600hs_firmware < rmb_1.0.0.4 cpe:2.3:o:amd:ryzen_5_6600hs_firmware:*:*:*:*:*:*:*:*
amd ryzen_5_6600u_firmware < rmb_1.0.0.4 cpe:2.3:o:amd:ryzen_5_6600u_firmware:*:*:*:*:*:*:*:*

References for CVE-2021-26365

cvelogic Threat Intelligence