AMD has detailed a critical CPU vulnerability in a new security bulletin, labeled "AMD-SB-7055," that can be traced to the RDSEED hardware-based random number generator.

Modern CPUs include hardware instructions such as RDRAND and RDSEED to generate random numbers directly from silicon. These random numbers are then utilized by software and the operating system for cryptographic functions such as generating encryption keys, tokens, or secure session IDs.
For example, RDRAND produces pseudo-random numbers drawn from an entropy pool, while RDSEED produces raw entropy, otherwise known as the "seed," which is then used to construct cryptographically secure random number generators.
Cryptography relies on unpredictability, meaning RDSEED needs to return a truly random value every time. If it doesn't, that opens the door to critical security vulnerabilities, as cryptographic keys used for encryption, authentication, or signing could then be predictable or even reconstructible. Furthermore, attackers could even decrypt sensitive data, forge signatures, or infiltrate secure lines of communication.
AMD recently disclosed vulnerability AMD-SB-7055, which affects the RDSEED instruction on Zen 5 CPUs, including Ryzen 9000, Threadripper 9000, Ryzen AI 300, and Ryzen Z2. Specifically, the 16-bit and 32-bit versions of RDSEED may incorrectly return all zeroes. Even worse, they signal "success," meaning software assumes the all-zero value it has been given is valid. In a nutshell, the software is handed all zeroes and the system treats them as a randomly generated number.
AMD has recognized the issue and is deploying microcode fixes via AGESA updates, which are scheduled to roll out on November 25, 2025, with full mitigation expected by January 2026.
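
The failure mode described above, a zero value returned together with a success flag, can be caught by the caller. The following C example is added here and is not AMD's code or taken from the bulletin: it simulates the seed source with a constructed script and shows a wrapper that treats a "successful" zero as a failure and fails closed. The names `scripted_seed32`, `load_script`, `naive_seed32` and `checked_seed32` are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Same contract as RDSEED: return 1 ("success", CF=1) and write *out, or
 * return 0 when no entropy is ready. On hardware this would wrap an
 * intrinsic such as _rdseed32_step(); a pointer lets the fault be simulated. */
typedef int (*seed32_fn)(uint32_t *out);

/* Constructed fault model: a scripted list of (status, value) results. */
struct step { int ok; uint32_t val; };
static const struct step *script;
static size_t script_len, script_pos;

void load_script(const struct step *s, size_t n) {
    script = s; script_len = n; script_pos = 0;
}

int scripted_seed32(uint32_t *out) {
    if (script_pos >= script_len) return 0;      /* source exhausted */
    *out = script[script_pos].val;
    return script[script_pos++].ok;
}

/* Naive caller: trusts the success flag, so a "successful" zero gets through. */
int naive_seed32(seed32_fn src, uint32_t *out) { return src(out); }

/* Hardened caller: success with a zero value counts as failure. Retries are
 * bounded and the function fails closed, leaving *out untouched. Discarding
 * zero removes one value in 2^32 from the output space. */
#define SEED_MAX_TRIES 16
int checked_seed32(seed32_fn src, uint32_t *out) {
    for (int i = 0; i < SEED_MAX_TRIES; i++) {
        uint32_t v = 0;
        if (src(&v) && v != 0) { *out = v; return 1; }
    }
    return 0;                                    /* caller must not proceed */
}

int main(void) {
    /* Constructed sequence: faulty zero, not ready, faulty zero, good value. */
    const struct step seq[] = { {1, 0}, {0, 0}, {1, 0}, {1, 0xC0FFEE11u} };
    uint32_t v = 0;
    load_script(seq, 4);
    int n = naive_seed32(scripted_seed32, &v);
    printf("naive:   ok=%d value=%08x\n", n, (unsigned)v);
    load_script(seq, 4);
    int ok = checked_seed32(scripted_seed32, &v);
    printf("checked: ok=%d value=%08x\n", ok, (unsigned)v);
    return ok ? 0 : 1;
}
```

When the hardened wrapper returns 0, the caller should stop and obtain seed material from another source instead of continuing with whatever is in the output buffer.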




