The vulnerability, known as "Zenbleed," impacts all Zen 2-based Ryzen, Threadripper, and EPYC CPUs.
Tavis Ormandy, a member of Google's Project Zero security team, revealed that this bug allows attackers to access sensitive data at a rate of up to 30 kilobytes per core per second. Encryption keys, root and user passwords, and other crucial information stored in systems using AMD's Zen 2 architecture could be compromised.
The flaw exploits a misprediction recovery issue in Zen 2 processors during speculative execution, which results in data being leaked from CPU registers. One alarming aspect of this bug is that attackers don't need physical hardware access to exploit it; merely loading malicious JavaScript on a website could trigger the attack. While no known exploits in the wild have been reported yet, there is a risk of potential exploitation following the public disclosure.
AMD acknowledges the vulnerability but claims no known exploits have occurred outside research environments. Cloudflare also affirms no evidence of exploitation on its servers.
Addressing the issue requires firmware updates from AMD, which will fully fix the problem. Alternatively, a software update is possible, though it may come with some performance impact. The bug affects various Ryzen desktop and laptop processors, EPYC 7002-series server chips, and Threadripper 3000-series and 3000 Pro WX-series CPUs.
To safeguard systems, AMD has already issued a firmware update for EPYC 7002 chips, as they are more lucrative targets for hackers. AMD warns that the performance impact of the update will depend on the workload and system configuration.
| CPU | RELEASED | PLANNED FIX | AGESA VERSION WITH FIXES |
|---|---|---|---|
| Ryzen 3000 (desktop) | Mid-2019 | December 2023 | ComboAM4v2PI_1.2.0.C |
| Ryzen 4000G (desktop) | Mid-2020 | December 2023 | ComboAM4v2PI_1.2.0.C |
| Ryzen 4000 (laptop) | Early-mid 2020 | November 2023 | RenoirPI-FP6_1.0.0.D |
| Ryzen 5700U/5500U/5300U (laptop) | Early 2021 | December 2023 | CezannePI-FP6_1.0.1.0 |
| Ryzen 7020 (laptop) | Late 2022 | December 2023 | MendocinoPI-FT6_1.0.0.6 |
| Ryzen Threadripper 3000 | Late 2019 | October 2023 | CastlePeakPI-SP3r3 1.0.0.A |
| Ryzen Threadripper Pro 3000WX | Mid-2020 | November/December 2023 | CastlePeakWSPI-sWRX8 1.0.0.C/ChagallWSPI-sWRX8 1.0.0.7 |
| EPYC 7002 | Mid-2019 | Patch available | RomePI 1.0.0.H |
The timeline for patches varies based on the processor and system configuration. Ryzen desktop processors, including Ryzen 3000 and Ryzen 4000G-series chips, are expected to receive a firmware fix by December, distributed through motherboard or PC manufacturers.
Laptops with Ryzen 4000-series CPUs will get an update in November, while Ryzen 5000-series laptops and Ryzen 7020-series budget CPUs using Zen 2 will receive an update in December. For Threadripper systems, a patch is expected in October, and fixes for Threadripper Pro 3000WX-series systems will arrive in November and December.
