
A security vulnerability has been identified in specific motherboard models from leading manufacturers such as ASRock, ASUSTeK Computer, GIGABYTE and MSI. This flaw leaves systems susceptible to Direct Memory Access (DMA) attacks during the early boot phase, affecting architectures that implement the Unified Extensible Firmware Interface (UEFI) and Input/Output Memory Management Unit (IOMMU).
Early Boot DMA Protection Failure
The vulnerability, discovered by Riot Games’ Nick Peterson and Mohamed Al-Sharifi, lies in the UEFI firmware implementation. Although the IOMMU and UEFI are designed to prevent unauthorized access to memory by peripherals, the flaw arises from a discrepancy: the firmware indicates that DMA protection is active, but fails to configure and enable the IOMMU correctly during the critical boot phase.
This gap allows an attacker with physical access to the system to use a malicious PCIe (Peripheral Component Interconnect Express) device to read or modify system memory before operating system-level safeguards are established. The attacker could thus access sensitive data in memory or alter the initial state of the system, compromising the integrity of the boot process.
The Risk of Pre-Boot Code Injection
Successful exploitation of this vulnerability allows a physically present attacker to inject pre-boot code into systems with unpatched firmware. This is possible because the exploitation window occurs before the operating system kernel and its security functions are loaded.
Riot Games, in its analysis, described the bug as a “Sleeping Bouncer” issue. Although the “Pre-Boot DMA Protection” setting appears enabled in the BIOS, the hardware implementation does not fully initialize the IOMMU during the first few seconds of boot. This means that an attacker can inject code undetected before the system loads its defenses.
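On Intel platforms, one place firmware advertises DMA protection to the operating system is the flags byte of the ACPI DMAR table. The parser below is an added example, not code from Riot Games, CERT/CC or the vendors; the sample table, its OEM strings and the helper `build_sample` are constructed here. A set opt-in flag shows only what the firmware reports, not that the IOMMU was enabled during early boot, which is the discrepancy described above.

```python
import struct

# Bit positions in the DMAR "Flags" byte (Intel VT-d specification).
INTR_REMAP = 0x1
X2APIC_OPT_OUT = 0x2
DMA_CTRL_PLATFORM_OPT_IN = 0x4

def parse_dmar(table: bytes) -> dict:
    """Parse an ACPI DMAR table and return what firmware reports to the OS."""
    if len(table) < 48 or table[:4] != b"DMAR":
        raise ValueError("not a DMAR table")
    (length,) = struct.unpack_from("<I", table, 4)
    if length > len(table) or length < 48:
        raise ValueError("bad table length")
    if sum(table[:length]) & 0xFF:           # all bytes must sum to 0 mod 256
        raise ValueError("bad ACPI checksum")
    host_addr_width, flags = table[36] + 1, table[37]
    units, off = [], 48                      # remapping structures start at byte 48
    while off + 4 <= length:
        stype, slen = struct.unpack_from("<HH", table, off)
        if slen < 4 or off + slen > length:
            raise ValueError("malformed remapping structure")
        if stype == 0 and slen >= 16:        # type 0 = DRHD (one per IOMMU unit)
            drhd_flags, _size, segment, base = struct.unpack_from("<BBHQ", table, off + 4)
            units.append({"segment": segment, "base": base,
                          "include_pci_all": bool(drhd_flags & 1)})
        off += slen
    return {"host_address_width": host_addr_width,
            "dma_opt_in": bool(flags & DMA_CTRL_PLATFORM_OPT_IN),
            "interrupt_remapping": bool(flags & INTR_REMAP),
            "drhd_units": units}

def build_sample(flags: int) -> bytes:
    """Constructed DMAR table with one DRHD unit, for offline testing only."""
    drhd = struct.pack("<HHBBHQ", 0, 16, 1, 0, 0, 0xFED90000)
    body = bytes([38, flags]) + bytes(10) + drhd
    hdr = struct.pack("<4sIBB6s8sI4sI", b"DMAR", 36 + len(body), 1, 0,
                      b"SAMPLE", b"EXAMPLE ", 1, b"TEST", 1)
    raw = bytearray(hdr + body)
    raw[9] = (-sum(raw)) & 0xFF              # fix up the ACPI checksum byte
    return bytes(raw)

if __name__ == "__main__":
    # On Linux the real table is at /sys/firmware/acpi/tables/DMAR (root only).
    for name, flags in (("opt-in set", 0x05), ("opt-in clear", 0x01)):
        print(name, parse_dmar(build_sample(flags)))
```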
Specific Vulnerabilities and Affected Models
The vulnerability manifests itself in multiple CVEs that affect different manufacturers and chipsets. All vulnerabilities have a CVSS score of 7.0 (High).
- CVE-2025-14304 (ASRock): Affects ASRock, ASRock Rack and ASRock Industrial motherboards that use Intel 500, 600, 700 and 800 series chipsets.
- CVE-2025-11901 (ASUS): Affects ASUS motherboards with Intel Z490, W480, B460, H410, Z590, B560, H510, Z690, B660, W680, Z790, B760 and W790 chipsets.
- CVE-2025-14302 (GIGABYTE): Affects GIGABYTE motherboards with Intel Z890, W880, Q870, B860, H810, Z790, B760, Z690, Q670, B660, H610, W790, and AMD X870E, X870, B850, B840,
- CVE-2025-14303 (MSI): Affects MSI motherboards using Intel 600 and 700 series chipsets.
Recommendations and Mitigation
With firmware updates becoming available from manufacturers, it is crucial that users and administrators apply them immediately. These updates fix the IOMMU initialization sequence to ensure that DMA protections are active throughout the boot process.
The CERT Coordination Center (CERT/CC) highlights the importance of patching and hardware security best practices in environments where physical access cannot be fully controlled. Although the vulnerability has been highlighted in the context of the video game sector, the risk extends to any scenario in which an attacker can abuse physical access to inject malicious code, including virtualized and cloud environments where the IOMMU plays a critical role in isolation.
References
- Advisory CERT/CC
- Vulnerability details on Riot Games
- CVE-2025-14304
- CVE-2025-11901
- CVE-2025-14302
- CVE-2025-14303