A recently disclosed bug in many of AMD’s newer consumer, workstation, and server processors can cause the chips to leak data at a rate of up to 30 kilobytes per core per second, writes Tavis Ormandy, a member of Google’s Project Zero security team. Executed properly, the so-called “Zenbleed” vulnerability (CVE-2023-20593) could give attackers access to encryption keys and root and user passwords, along with other sensitive data from any system using a CPU based on AMD’s Zen 2 architecture.
The bug allows attackers to swipe data from a CPU’s registers. Modern processors attempt to speed up operations by guessing what they’ll be asked to do next, called “speculative execution.” But sometimes the CPU guesses wrong; Zen 2 processors don’t properly recover from certain kinds of mispredictions, which is the bug that Zenbleed exploits to do its thing.
“AMD is not aware of any known exploit of the described vulnerability outside the research environment,” the company told Tom’s Hardware. Networking company Cloudflare also says there is “no evidence of the bug being exploited” on its servers.
Since the vulnerability is in the hardware, a firmware update from AMD is the best way to fully fix it; Ormandy says it is also fixable via a software update, but it “may have some performance cost.” The bug affects all processors based on AMD’s Zen 2 architecture, including several Ryzen desktop and laptop processors, EPYC 7002-series chips for servers, and Threadripper 3000- and 3000 Pro WX-series CPUs for workstations.
AMD has already issued a firmware update mitigating the issue for servers running the EPYC 7002 chips—arguably the most important of the patches since a busy server running multiple virtual machines is a more lucrative target for hackers than individual consumer PCs.
AMD says that “any performance impact will vary depending on workload and system configuration” but hasn’t provided additional details.
When will I get a patch?
The Zen 2 architecture first came to consumer systems around four years ago in the form of the AMD Ryzen 3000 series; the Ryzen 5 3600 was especially popular among PC builders. But AMD’s habit of mixing-and-matching processor architectures in recent CPU generations means that there are some Zen 2 chips sprinkled across the Ryzen 4000, 5000, and 7000 lineups as well, affecting some new systems as well as older ones.
|CPU||Released||Planned fix||AGESA version with fixes|
|Ryzen 3000 (desktop)||Mid-2019||December 2023||ComboAM4v2PI_1.2.0.C|
|Ryzen 4000G (desktop)||Mid-2020||December 2023||ComboAM4v2PI_1.2.0.C|
|Ryzen 4000 (laptop)||Early-mid 2020||November 2023||RenoirPI-FP6_1.0.0.D|
|Ryzen 5700U/5500U/5300U (laptop)||Early 2021||December 2023||CezannePI-FP6_18.104.22.168|
|Ryzen 7020 (laptop)||Late 2022||December 2023||MendocinoPI-FT6_22.214.171.124|
|Ryzen Threadripper 3000||Late 2019||October 2023||CastlePeakPI-SP3r3 1.0.0.A|
|Ryzen Threadripper Pro 3000WX||Mid-2020||November/December 2023||CastlePeakWSPI-sWRX8 1.0.0.C/ChagallWSPI-sWRX8 126.96.36.199|
|EPYC 7002||Mid-2019||Patch available||RomePI 1.0.0.H|
If you’re using Ryzen desktop processors, all Ryzen 3000-series and Ryzen 4000G-series chips (but not Ryzen 3000G, which uses an older Zen version) are vulnerable to Zenbleed. AMD plans to release a firmware fix by December, though your motherboard or PC manufacturer will be responsible for distributing the update.
Laptops are a bit trickier. Most Ryzen 4000-series laptop CPUs use Zen 2, and AMD plans to have an update ready for them in November. Many of the Ryzen 5000-series laptop CPUs transitioned to Zen 3, but the Ryzen 7 5700U, Ryzen 5 5500U, and Ryzen 3 5300U continued to use Zen 2. And the Ryzen 7020-series CPUs released in late 2022 for budget systems also use Zen 2. AMD plans to release an update for the 5000- and 7000-series chips in December.
AMD plans to release an update for Threadripper 3000-series systems in October and fixes for Threadripper Pro 3000WX-series systems in November and December.