Windows Central
Dan Rice

Many AMD Ryzen processors have been hit by 'Zenbleed' bug that leaks your data

What you need to know

  • The 'Zenbleed' bug hits AMD's Zen 2 line-up specifically.
  • The bug can leak user data in some cases.
  • No fix is coming until Q4 of this year.

Yesterday, Tavis Ormandy, a researcher with Google Information Security, published a post on his blog about a previously unidentified vulnerability that he found in AMD's Zen 2 processors. This is a pretty big vulnerability that affects the entire Zen 2 line-up. That means Ryzen 2000/3000/4000/5000/7020 are all hit, as well as EPYC "Rome" data center processors.

This bug allows theft of information from the processor, including user logins and encryption keys. Note that it does not require physical access to a computer or server system. Access could be gained through a webpage using JavaScript, for instance, and the bug can leak about 30 kb per core, per second. AMD rates this as a medium severity issue.

AMD explained in straightforward terms how this process actually works:

Under specific microarchitectural circumstances, a register in “Zen 2” CPUs may not be written to 0 correctly. This may cause data from another process and/or thread to be stored in the YMM register, which may allow an attacker to potentially access sensitive information.

AMD

Tavis Ormandy notes that he alerted AMD to this 'Zenbleed' vulnerability on May 15, 2023, and that AMD has already released a microcode update for the affected processors. BIOS or operating system vendors may already have an update available that includes this microcode update. It's worth noting that there's also a possibility that the update will incur a performance cost.

The fix is mainly for AMD's EPYC "Rome" processors, for which it has only just rolled out. Ryzen 2000/3000/4000/5000/7020 consumers are unfortunately going to have to wait a lot longer, with fixes scheduled to arrive by November/December at the earliest. Tavis does provide a software workaround for those unable to apply the microcode update.
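To track the microcode rollout described above across Linux hosts, the following added example (not from the article, AMD or Tavis Ormandy) parses /proc/cpuinfo-style text, flags Zen 2 cores and lists the microcode revisions they report. The family/model ranges are an assumption based on the Linux kernel's Zen 2 classification, and the sample input and its revision values are constructed.

```python
import re

# Assumption (not from the article): Zen 2 = family 0x17 with these models, per the Linux kernel.
ZEN2_FAMILY = 0x17
ZEN2_MODEL_RANGES = ((0x30, 0x4F), (0x60, 0x7F), (0x90, 0x91), (0xA0, 0xAF))

# Constructed sample input: two Zen 2 cores and one non-AMD core.
SAMPLE = """\
vendor_id\t: AuthenticAMD
cpu family\t: 23
model\t\t: 113
microcode\t: 0x00000001

vendor_id\t: AuthenticAMD
cpu family\t: 23
model\t\t: 113
microcode\t: 0x00000002

vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 85
"""

def parse_cpuinfo(text):
    """Return one dict of fields per logical CPU from /proc/cpuinfo-style text."""
    cpus = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        fields = {k.strip(): v.strip() for k, sep, v in pairs if sep}
        if fields:
            cpus.append(fields)
    return cpus

def is_zen2(cpu):
    """True when vendor, family and model match the assumed Zen 2 ranges."""
    try:
        family, model = int(cpu["cpu family"]), int(cpu["model"])
    except (KeyError, ValueError):
        return False  # incomplete or malformed entry: do not guess
    return (cpu.get("vendor_id") == "AuthenticAMD" and family == ZEN2_FAMILY
            and any(lo <= model <= hi for lo, hi in ZEN2_MODEL_RANGES))

def zenbleed_inventory(text):
    """Count Zen 2 cores and list the microcode revisions they report."""
    zen2 = [c for c in parse_cpuinfo(text) if is_zen2(c)]
    revisions = sorted({c.get("microcode", "unknown") for c in zen2})
    return {"zen2_cores": len(zen2), "microcode_revisions": revisions}

if __name__ == "__main__":
    print(zenbleed_inventory(SAMPLE))
```

Compare the reported revisions with the values in your BIOS or operating system vendor's advisory; the article does not list them.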
