The Binarly REsearch team disclosed three high-severity vulnerabilities to AMD in December 2022, with confirmed industry-wide downstream impact. It’s normal for vulnerabilities in reference code to live in the supply chain for long periods of time, even after the fixes are released. In these cases, the silicon vendor did not assign the CVEs to the internal discoveries and released silent fixes to some vendors. Binarly’s researchers discovered these CVE-2023-20558/BRLY-2022-044 and CVE-2023-20559/BRLY-2022-042 independently and disclosed them to AMD’s security response team. A fourth vulnerability, BRLY-2022-045 (8.5 High), is still unfixed due to the complexity of the issue and its impact. AMD expects to release a patch later this year.