- A bug in UEFI makes ASUS, Gigabyte, MSI and ASRock motherboards vulnerable to DMA attacks.
- The firmware incorrectly reports that IOMMU protection is enabled, giving malicious PCIe devices early access to memory.
- Riot Games discovered the issue. Users should apply vendor-specific firmware updates to mitigate the risk.
Researchers warn that vulnerabilities in UEFI firmware implementations have left many popular motherboards vulnerable to direct memory access (DMA) attacks, which can lead to persistent access, disclosure of encryption keys and credentials, and many other problems.
Most modern computers use UEFI firmware, low-level software built into the motherboard that initializes the hardware and securely boots the operating system. Among other things, the firmware is responsible for correctly initializing and activating the IOMMU isolation layer.
This hardware layer sits between the system's RAM and devices that can read and write RAM directly without going through the CPU (direct memory access, or DMA, devices). These include PCIe cards, Thunderbolt devices, GPUs, and more. When the IOMMU is configured correctly, a malicious device cannot read or write RAM.
false positive
The vulnerability occurs because the UEFI firmware on affected motherboards reports that DMA protection is enabled even when the IOMMU is not configured correctly. The system therefore assumes that its memory firewall is running, even though it has not applied any rules yet.
Since each vendor implements this feature differently, vulnerabilities are tracked using different identifiers. Therefore, this bug is tracked as CVE-2025-11901, CVE-2025-14302, CVE-2025-14303 and CVE-2025-14304 and affects certain ASUS, Gigabyte, MSI and ASRock motherboards.
It was first discovered by researchers at Riot Games, the company behind some of the world’s most popular multiplayer games, including League of Legends and Valorant. Riot has a tool called Vanguard that works at the kernel level to prevent cheating. On vulnerable systems, Vanguard prevents Valorant from launching.
This vulnerability may sound scary, but it comes with a big caveat: a DMA attack requires a PCIe device to be connected before the operating system boots. Even so, we recommend contacting your motherboard manufacturer for a firmware update.
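The gap described above, between what firmware advertises and what is actually enforced, can be checked on a running Linux system. The following is an added example, not code from Riot Games or any motherboard vendor. It assumes an Intel platform and uses the ACPI DMAR table's platform opt-in flag as a stand-in for the firmware's claim (the page does not say which signal the affected boards misreport); `make_dmar` and `audit` are hypothetical helper names.

```python
import os
import struct

DMAR_FLAGS_OFFSET = 37           # 36-byte ACPI header, 1-byte address width, then flags
DMA_CTRL_PLATFORM_OPT_IN = 0x04  # flags bit 2: firmware asks the OS to enable DMA remapping

def make_dmar(flags):
    """Build a minimal, constructed DMAR table (48 bytes) for offline testing."""
    return b"DMAR" + struct.pack("<I", 48) + bytes(28) + bytes([39, flags]) + bytes(10)

def firmware_claims_dma_protection(dmar_table):
    if len(dmar_table) <= DMAR_FLAGS_OFFSET or dmar_table[:4] != b"DMAR":
        return False             # missing, truncated, or not a DMAR table
    return bool(dmar_table[DMAR_FLAGS_OFFSET] & DMA_CTRL_PLATFORM_OPT_IN)

def kernel_iommu_groups(sysfs_root="/sys"):
    path = os.path.join(sysfs_root, "kernel", "iommu_groups")
    try:
        return sorted(e for e in os.listdir(path) if e.isdigit())
    except OSError:
        return []                # directory absent: no IOMMU driver is active

def audit(sysfs_root="/sys"):
    table_path = os.path.join(sysfs_root, "firmware", "acpi", "tables", "DMAR")
    try:
        with open(table_path, "rb") as f:
            table = f.read()
    except OSError:
        table = b""              # no DMAR table (AMD uses IVRS) or not readable without root
    claimed = firmware_claims_dma_protection(table)
    groups = kernel_iommu_groups(sysfs_root)
    if claimed and not groups:
        verdict = "MISMATCH: protection advertised, no IOMMU groups"
    elif groups:
        verdict = "IOMMU active in running kernel"
    else:
        verdict = "no DMA protection advertised or active"
    return {"claimed": claimed, "groups": len(groups), "verdict": verdict}

if __name__ == "__main__":
    print(audit())               # reading the ACPI table normally requires root
```

This inspects the state after the kernel has started, so it cannot observe the window before the operating system boots; the vendor firmware update remains the fix for that.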
