AMD Microcode Flaws Expose Data Leakage and RDSEED Entropy Risks
Ubuntu security updates address three critical AMD processor vulnerabilities that could allow local attackers to leak privileged information and compromise cryptographic randomness. Organizations running AMD-based infrastructure should prioritize patching.
TL;DR
- Two AMD data-leakage vulnerabilities (CVE-2024-36350, CVE-2024-36357) allow inference of previous store operations, risking exposure of sensitive kernel and privileged data
- Zen 5 processors with RDSEED instruction fail to generate sufficient entropy, enabling attackers to predict random values used in cryptographic operations
- All three flaws require local access but can undermine confidentiality and integrity of security-critical systems
- Microcode updates are available via Ubuntu security notices; administrators should apply patches to affected AMD systems immediately
Ubuntu has released security updates addressing three vulnerabilities in AMD processors that could allow local attackers to compromise system confidentiality and integrity. The flaws span data-leakage issues affecting multiple AMD processor generations and a critical entropy weakness in Zen 5 RDSEED implementations.
These vulnerabilities are particularly concerning for multi-tenant cloud environments, containerized workloads, and systems where privilege isolation is essential. Organizations relying on AMD-based infrastructure should review affected systems and apply microcode updates promptly.
Data Leakage via Store-to-Load Forwarding
- CVE-2024-36350 and CVE-2024-36357 allow attackers to infer data from previous memory stores through speculative execution side-channels
- Researchers from multiple institutions discovered the flaw affects AMD processor memory ordering guarantees
- Local attackers could potentially extract kernel memory, cryptographic keys, or other privileged information
- Exploitation requires code execution on the target system but does not require elevated privileges
RDSEED Entropy Degradation in Zen 5
- CVE-2025-62626 affects AMD Zen 5 processors with RDSEED instruction support, causing insufficient entropy generation
- Attackers can influence or predict values returned by RDSEED, undermining cryptographic randomness
- Compromised entropy directly impacts the security of TLS handshakes, key generation, and other randomness-dependent operations
- This vulnerability is particularly severe in security-sensitive applications relying on hardware random number generation
Remediation and Impact
- Ubuntu has released microcode updates to address all three vulnerabilities; systems require reboot to apply changes
- Affected systems include multiple AMD processor families; administrators should check Ubuntu security notices for specific model compatibility
- Cloud providers and data centers running AMD infrastructure should prioritize deployment of patches
- Organizations should audit systems for local access controls to reduce attack surface while patches are being deployed
Sources
Sources
Security email updates
One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.