• A researcher has discovered a bug that affects every Zen 2 processor.
• The bug allows an attacker to siphon 30kb of data per second according to the person who discovered the bug.
• AMD is currently working to release firmware updates for all affected processors.

For ardent supports of AMD, there is some bad news that you may want to sit up and take note of.

A new vulnerability has been discovered by Google Information Security researcher Tavis Ormandy that affects all of AMD’s Zen 2 processors which includes at a minimum:

• AMD Ryzen 3000 Series Processors
• AMD Ryzen PRO 3000 Series Processors
• AMD Ryzen Threadripper 3000 Series Processors
• AMD Ryzen 4000 Series Processors with Radeon Graphics
• AMD Ryzen PRO 4000 Series Processors
• AMD Ryzen 5000 Series Processors with Radeon Graphics
• AMD Ryzen 7020 Series Processors with Radeon Graphics
• AMD EPYC “Rome” Processors

The vulnerability that has been dubbed Zenbleed relies on a series of events being triggered that affect the XMM Register Merge Optimization. From there a register rename must happen as well as a misprediction. The full write up can be found in the link above but the core of the bug can lead to 30kb of data being leaked per second. This, says Ormandy, is enough data to steal a password as it’s typed in.

AMD has acknowledged the vulnerability and is working to address it through software patches.

“Under specific microarchitectural circumstances, a register in ‘Zen 2’ CPUs may not be written to 0 correctly. This may cause data from another process and/or thread to be stored in the YMM register, which may allow an attacker to potentially access sensitive information,” writes AMD.

Team Red has also outlined mitigation measures Ryzen chip owners can take while it works on updates.

To that end, if you happen to own a PC or notebook running AMD tech, keep an eye out for an AGESA firmware update from your manufacturer. Updates are scheduled to arrive by December 2023 at the latest.