// #firmware
7 articles
AMD Zen 2 Firmware Update Strategy: Managing CPU Microcode Patches Across Enterprise Hardware
CVE-2026-46174 requires a PI firmware (BIOS/UEFI) update to deliver the AMD Zen 2 microcode fix — not a software patch. For enterprises running AMD EPYC Rome servers or Zen 2-based workstations, this means a separate patch track from OS-level vulnerability management. An asset-based approach to CPU generation inventory is the prerequisite.
AMD Zen 2 CVE-2026-46174: Operation Cache Microarchitecture Flaw Enables Kernel Privilege Escalation
AMD published Security Bulletin AMD-SB-7052 on 28 May for CVE-2026-46174, a microarchitectural flaw in Zen 2 processor operation caches. A local attacker can exploit timing characteristics of the op-cache to execute code with kernel privileges from a userspace context. PI firmware updates are required; the Xen Project also issued XSA-490 for virtualisation platform impacts.
Hardware Vulnerability Assessment: Methodology for CPU Microarchitecture and Firmware Security Evaluation
AMD CVE-2026-46174 and the broader class of CPU microarchitecture vulnerabilities require assessment methodology distinct from software vulnerability scanning. This guide covers the scoping, testing, and remediation verification steps for enterprise hardware security assessments covering processor vulnerabilities.
AMD Discloses Elevation of Privilege Vulnerability in Zen 2 Micro-Op Cache — Microcode and Firmware Updates Required
AMD has disclosed an elevation-of-privilege vulnerability in the micro-op cache of Zen 2 processors, where a low-privileged process can exploit speculative execution behaviour to access privileged memory content. Full remediation requires microcode updates delivered via OEM BIOS firmware. Zen 3 and later generations are not affected. Dell PowerEdge EPYC Rome servers and AMD EPYC Rome cloud instances require priority attention.
Secure Boot Certificates Expire June 2026 — Enterprise Action Window Is Now
Microsoft's 2011 Secure Boot signing certificates expire on 26 June 2026, with the Windows bootloader certificate following in October. Organisations that fail to apply firmware and OS updates before these deadlines lose the ability to receive boot-level security fixes and risk UEFI bootkit exposure. Microsoft has begun displaying warnings in Windows Security app in April 2026, but the update process requires OEM firmware coordination that takes weeks.
Dell iDRAC Service Module CVE-2026-23856 Allows Local Privilege Escalation on PowerEdge Servers
Dell has patched CVE-2026-23856, a privilege escalation vulnerability in the iDRAC Service Module (iSM) shipped with PowerEdge servers. A local attacker with standard user privileges can exploit improper access controls in the iSM — which runs with elevated system privileges to communicate with the hardware management interface — to elevate to SYSTEM or root. Updated iSM packages are available for both Windows and Linux.
Qualcomm Android Flaw CVE-2026-21385 Exploited in Targeted Attacks — Patch in March Android Security Update
A memory corruption vulnerability in Qualcomm mobile chipset firmware has been confirmed as exploited in limited, targeted attacks. The flaw is addressed in the March 2026 Android Security Bulletin, which patches 129 vulnerabilities across the Android ecosystem. CISA added CVE-2026-21385 to the Known Exploited Vulnerabilities catalogue on 3 March with a 24 March federal deadline.