Many AMD Ryzen processors have been hit by 'Zenbleed' bug that leaks your data

AMD Ryzen CPU

What you need to know

  • The 'Zenbleed' bug hits AMD's Zen 2 line-up specifically.
  • The bug can leak user data in some cases.
  • No fix is coming until Q4 of this year.

Yesterday a researcher with Google Information Security named Tavis Ormandy made a post on his blog about a not previously identified vulnerability that he found to be plaguing AMD's Zen 2 processors. This is a pretty big vulnerability that includes all of the Zen 2 line-up. That means Ryzen 2000/3000//4000/5000/7020 are all hit as well as EPYC "Rome" data center processors.

This bug allows for theft of information on the processor. This would include user logins and encryption keys. Note that this does not require physical access to a computer or server system. Access could be gained through a webpage using javascript for instance and can leak about 30kb per core, per second. AMD rates this as a medium severity issue.

AMD EPYC processor sat in its socket

(Image credit: AMD)

AMD explained in straightforward terms how this process actually works:

Under specific microarchitectural circumstances, a register in “Zen 2” CPUs may not be written to 0 correctly. This may cause data from another process and/or thread to be stored in the YMM register, which may allow an attacker to potentially access sensitive information.

AMD

Tavis Ormandy notes that he alerted AMD of this 'Zenbleed' vulnerability on May 15, 2023 and that AMD has already released a microcode update for the affected processors. BIOS or Operating System vendors may already have an update available that includes this microcode update. It's worth noting that there's also a possibility that this will incur a performance cost. 

The fix is mainly for AMD's EPYC "Rome" processors which only just rolled out. Ryzen 2000/3000//4000/5000/7020 consumers are unfortunately going to have to wait a lot longer, with fixes scheduled to arrive by November/December at the earliest. Tavis does provide a software workaround for those unable to apply the microcode update. 

Dan Rice
Contributor

Dan is a tech contributor on Windows Central. A long time Xbox gamer and former partner on Microsoft's retired streaming platform Mixer, he can often be found crying into a cup of tea whilst thinking about Windows Phone. You can follow Dan on Twitter where you will find him talking about tech, Formula 1 and his latest victories in Battle Royale games.