A new vulnerability has been discovered in AMD’s Zen 2 processors—one that allows data like passwords and encryption keys to be stolen from the CPU. Disclosed publicly this week by Google security researcher Tavis Ormandy, this bug affects consumer chips as well as server chips, including Ryzen 3000 series parts. The affected processor families:
- AMD Ryzen 3000 Series Processors
- AMD Ryzen PRO 3000 Series Processors
- AMD Ryzen Threadripper 3000 Series Processors
- AMD Ryzen 4000 Series Processors with Radeon Graphics
- AMD Ryzen PRO 4000 Series Processors
- AMD Ryzen 5000 Series Processors with Radeon Graphics
- AMD Ryzen 7020 Series Processors with Radeon Graphics
- AMD EPYC “Rome” Processors
At this time, AMD has only released a microcode update for 2nd-generation EPYC server CPUs, along with a security advisory explaining the vulnerability (which was filed as CVE-2023-20593) and its release schedule for mitigations.
For consumers, a fix will be funneled through original equipment manufacturers (e.g., Dell or HP for pre-built PCs and laptops, and motherboard manufacturers for DIY PC builds), with arrival dates set for later this year. Threadripper 3000 parts are first up for the new AGESA firmware in October, followed by Ryzen 4000 mobile processors in November. For Ryzen 3000 and 4000 desktop CPUs, as well as Ryzen 5000 and 7020 mobile processors, the target is December 2023.
If you don’t want to wait for AMD, Ormandy explains how to make a software tweak as a workaround—although its impact on performance is unknown. The effect of AMD’s official fixes on performance is also not known currently, though in a statement to Tom’s Hardware, AMD described it as dependent on workload and PC configuration.
In any case, if you own a Zen 2 CPU, you’ll want to put a reminder on your calendar to check for this mitigation. Applying it promptly will be important for your online security.
This article was updated on 7/24/2023 at 3:30pm to include details about AMD’s plans for Zenbleed mitigation and firmware update schedule.