Common Weakness Enumeration

CWE-1301

Allowed

Insufficient or Incomplete Data Removal within Hardware Component

Abstraction: Base · Status: Incomplete

The product's data removal process does not completely delete all data and potentially sensitive information within hardware components.

4 vulnerabilities reference this CWE, most recent first.

CVE-2025-29946 (GCVE-0-2025-29946)

Vulnerability from cvelistv5 – Published: 2026-02-10 19:15 – Updated: 2026-02-10 21:42
VLAI
Summary
Insufficient or Incomplete Data Removal in Hardware Component in SEV firmware doesn't fully flush IOMMU. This can potentially lead to a loss of confidentiality and integrity in guest memory.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1301 - Insufficient or Incomplete Data Removal within Hardware Component
Assigner
AMD
Impacted products
Date Public
2026-02-10 19:06
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-29946",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-10T21:42:05.305770Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-10T21:42:14.335Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "AMD EPYC\u2122 9005 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "TurinPI 1.0.0.6"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "AMD EPYC\u2122 Embedded 9005 Series Processors",
          "vendor": "AMD",
          "versions": [
            {
              "status": "unaffected",
              "version": "EmbTurinPI-SP5_1.0.0.1"
            }
          ]
        }
      ],
      "datePublic": "2026-02-10T19:06:26.694Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Insufficient or Incomplete Data Removal in Hardware Component in SEV firmware doesn\u0027t fully flush IOMMU. This can potentially lead to a loss of confidentiality and integrity in guest memory.\u003cbr\u003e"
            }
          ],
          "value": "Insufficient or Incomplete Data Removal in Hardware Component in SEV firmware doesn\u0027t fully flush IOMMU. This can potentially lead to a loss of confidentiality and integrity in guest memory."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "baseScore": 4.5,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
            "version": "4.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1301",
              "description": "CWE-1301  Insufficient or Incomplete Data Removal within Hardware Component",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-10T19:15:57.179Z",
        "orgId": "b58fc414-a1e4-4f92-9d70-1add41838648",
        "shortName": "AMD"
      },
      "references": [
        {
          "url": "https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-3023.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "AMD PSIRT Automation 1.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b58fc414-a1e4-4f92-9d70-1add41838648",
    "assignerShortName": "AMD",
    "cveId": "CVE-2025-29946",
    "datePublished": "2026-02-10T19:15:57.179Z",
    "dateReserved": "2025-03-12T15:15:04.910Z",
    "dateUpdated": "2026-02-10T21:42:14.335Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-12216 (GCVE-0-2025-12216)

Vulnerability from cvelistv5 – Published: 2025-10-25 15:33 – Updated: 2025-10-28 14:07
VLAI
Title
Malicious / Malformed App can be Installed but not Uninstalled
Summary
Malicious / Malformed App can be Installed but not Uninstalled/may lead to unavailability.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-1301 - Insufficient or Incomplete Data Removal within Hardware Component
Assigner
References
Impacted products
Credits
Kevin Schaller Benjamin Lafois Alexi Bitsios Sebastian Toscano Dominik Schneider
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-12216",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-28T14:07:02.935724Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-28T14:07:11.115Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "BLU-IC2",
          "vendor": "Azure Access Technology",
          "versions": [
            {
              "lessThanOrEqual": "1.19.5",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "BLU-IC4",
          "vendor": "Azure Access Technology",
          "versions": [
            {
              "lessThanOrEqual": "1.19.5",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Kevin Schaller"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Benjamin Lafois"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Alexi Bitsios"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Sebastian Toscano"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Dominik Schneider"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Malicious / Malformed App can be Installed but not Uninstalled/may lead to unavailability.\u003cp\u003eThis issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.\u003c/p\u003e"
            }
          ],
          "value": "Malicious / Malformed App can be Installed but not Uninstalled/may lead to unavailability.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-37",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-37 Retrieve Embedded Sensitive Data"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1301",
              "description": "CWE-1301: Insufficient or Incomplete Data Removal within Hardware Component",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-25T15:33:18.476Z",
        "orgId": "a0340c66-c385-4f8b-991b-3d05f6fd5220",
        "shortName": "azure-access"
      },
      "references": [
        {
          "url": "https://azure-access.com/security-advisories"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Malicious / Malformed App can be Installed but not Uninstalled",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0340c66-c385-4f8b-991b-3d05f6fd5220",
    "assignerShortName": "azure-access",
    "cveId": "CVE-2025-12216",
    "datePublished": "2025-10-25T15:33:18.476Z",
    "dateReserved": "2025-10-25T15:28:28.881Z",
    "dateUpdated": "2025-10-28T14:07:11.115Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-6V8W-33WG-8GW2

Vulnerability from github – Published: 2025-10-25 18:30 – Updated: 2025-11-10 15:31
VLAI
Details

Malicious / Malformed App can be Installed but not Uninstalled/may lead to unavailability.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-12216"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1301"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-25T16:15:39Z",
    "severity": "CRITICAL"
  },
  "details": "Malicious / Malformed App can be Installed but not Uninstalled/may lead to unavailability.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.",
  "id": "GHSA-6v8w-33wg-8gw2",
  "modified": "2025-11-10T15:31:02Z",
  "published": "2025-10-25T18:30:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12216"
    },
    {
      "type": "WEB",
      "url": "https://azure-access.com/security-advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-GW24-F5J7-24M9

Vulnerability from github – Published: 2026-02-10 21:31 – Updated: 2026-02-10 21:31
VLAI
Details

Insufficient or Incomplete Data Removal in Hardware Component in SEV firmware doesn't fully flush IOMMU. This can potentially lead to a loss of confidentiality and integrity in guest memory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-29946"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1301"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-10T20:16:44Z",
    "severity": "MODERATE"
  },
  "details": "Insufficient or Incomplete Data Removal in Hardware Component in SEV firmware doesn\u0027t fully flush IOMMU. This can potentially lead to a loss of confidentiality and integrity in guest memory.",
  "id": "GHSA-gw24-f5j7-24m9",
  "modified": "2026-02-10T21:31:30Z",
  "published": "2026-02-10T21:31:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29946"
    },
    {
      "type": "WEB",
      "url": "https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-3023.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Architecture and Design

Apply blinding or masking techniques to implementations of cryptographic algorithms.

Mitigation
Implementation

Alter the method of erasure, add protection of media, or destroy the media to protect the data.

CAPEC-37: Retrieve Embedded Sensitive Data

An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.