AMD

AMD disclosed **CVE-2025-62626 (AMD-SB-7055)**, a high-severity vulnerability in its **Zen 5 processors** affecting the **RDSEED instruction**, critical for cryptographic random number generation. The flaw, scoring **7.2 on CVSS**, arises from improper entropy handling in **16-bit and 32-bit implementations**, causing the instruction to return **zero values while falsely signaling success (CF=1)**. This misleads software into using **predictable, non-random data**, compromising cryptographic keys, security tokens, and system integrity.

A **privileged local attacker** could exploit this to degrade randomness quality, enabling **prediction attacks** on security mechanisms. While the **64-bit RDSEED variant remains unaffected**, AMD advises temporary workarounds: switching to 64-bit RDSEED, masking the instruction via `clearcpuid=rdseed`, or retrying on zero returns. Patches are scheduled for **late 2025**, with **EPYC 9005 Series updates in October** and **Ryzen 9000 Series in November**.

The vulnerability was **prematurely exposed** on the Linux kernel mailing list before AMD’s formal disclosure, underscoring risks in uncoordinated vulnerability reporting. Organizations using **Zen 5-based systems** must prioritize patches to prevent cryptographic failures and potential **system-wide security breaches**.
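The software-side workarounds named above (use the 64-bit form, treat a zero return as a failure and retry) can be combined in one wrapper. The following is an added example, not code from AMD or the Linux kernel; the function names, the retry bound and the stub sources that imitate the faulty CF=1/zero behaviour are all hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* One RDSEED attempt: returns the carry flag (1 = "success"), stores the value. */
typedef int (*rdseed64_fn)(uint64_t *out);

#if defined(__x86_64__) && defined(__RDSEED__)   /* built with -mrdseed */
#include <immintrin.h>
/* 64-bit form only; assumes the CPU advertises RDSEED in CPUID. */
int hw_rdseed64(uint64_t *out) {
    unsigned long long v = 0;
    int cf = _rdseed64_step(&v);
    *out = (uint64_t)v;
    return cf;
}
#endif

/* Constructed stand-ins for the faulty behaviour: CF=1 reported with value 0. */
static unsigned stub_calls;
int stub_zero_then_value(uint64_t *out) {
    *out = (stub_calls++ < 2) ? 0 : 0x9e3779b97f4a7c15ULL;  /* constructed value */
    return 1;
}
int stub_always_zero(uint64_t *out) { *out = 0; return 1; }

/* Before: trusts CF alone, so a zero "seed" is accepted. */
int seed64_naive(rdseed64_fn src, uint64_t *out) { return src(out) ? 0 : -1; }

/* After: zero with CF=1 counts as a failed attempt; bounded retries, then
   fail closed (-1) so the caller never proceeds with a predictable seed. */
int seed64_checked(rdseed64_fn src, unsigned max_tries, uint64_t *out) {
    for (unsigned i = 0; i < max_tries; i++) {
        uint64_t v = 0;
        if (src(&v) && v != 0) { *out = v; return 0; }
    }
    return -1;
}

int main(void) {
    uint64_t v = 0;
#if defined(__x86_64__) && defined(__RDSEED__)
    rdseed64_fn src = hw_rdseed64;
#else
    rdseed64_fn src = stub_zero_then_value;
#endif
    if (seed64_checked(src, 16, &v) != 0) { puts("no usable seed"); return 1; }
    puts("seed accepted");
    return 0;
}
```

Rejecting a genuine all-zero 64-bit output costs one value in 2^64, which is negligible next to accepting a known-zero seed.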

Source: https://cyberpress.org/amd-zen-5-rdseed-vulnerability/

TPRM report: https://www.rankiteo.com/company/amd

"id": "amd1092810110325",
"linkid": "amd",
"type": "Vulnerability",
"date": "10/2025",
"severity": "50",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'customers_affected': 'Organizations and individuals '
                                              'using AMD Zen 5-based systems '
                                              '(EPYC 9005, Ryzen 9000 Series, '
                                              'etc.)',
                        'industry': 'Technology/Hardware',
                        'location': 'Santa Clara, California, USA',
                        'name': 'Advanced Micro Devices (AMD)',
                        'size': 'Large (Global Enterprise)',
                        'type': 'Semiconductor Manufacturer'}],
 'attack_vector': ['Local',
                   'Privilege Escalation (if attacker gains sufficient '
                   'privileges)'],
 'customer_advisories': ['Apply patches per the published schedule (EPYC: late '
                         'Oct 2025; Ryzen: late Nov 2025).',
                         'Use 64-bit RDSEED or workarounds if immediate '
                         'mitigation is required.',
                         'Avoid security-critical operations on unpatched '
                         'systems where possible.'],
 'description': 'AMD has disclosed a vulnerability affecting the random number '
                'generation capabilities of its Zen 5 processors. The issue, '
                'tracked as CVE-2025-62626 and identified as AMD-SB-7055, '
                'impacts the RDSEED instruction, a critical component '
                'responsible for generating cryptographic random numbers. The '
                'flaw stems from improper handling of insufficient entropy in '
                'AMD CPUs, where RDSEED can return zero values while '
                'incorrectly signaling success (CF=1). This misleads software '
                'into consuming insufficiently random values, potentially '
                'compromising cryptographic operations. The vulnerability '
                'affects only the 16-bit and 32-bit forms of RDSEED, with the '
                '64-bit variant remaining unaffected. A local attacker with '
                'sufficient privileges could exploit this to degrade '
                'randomness quality, enabling prediction attacks on '
                'cryptographic keys and security tokens.',
 'impact': {'brand_reputation_impact': ["Potential erosion of trust in AMD's "
                                        'hardware security'],
            'operational_impact': ['Potential compromise of cryptographic '
                                   'operations (e.g., key generation, security '
                                   'tokens)',
                                   'Risk of prediction attacks on '
                                   'cryptographic keys',
                                   'Degraded randomness quality in '
                                   'security-critical applications'],
            'systems_affected': [{'components': ['RDSEED instruction (16-bit '
                                                 'and 32-bit implementations)'],
                                  'models': ['EPYC 9005 Series',
                                             'Ryzen 9000 Series Desktop',
                                             'Ryzen 9000HX Series',
                                             'Ryzen AI Processors'],
                                  'product_line': 'AMD Zen 5 Processors'}]},
 'investigation_status': 'Ongoing (Patches in development, workarounds '
                         'available)',
 'lessons_learned': ['Importance of coordinated vulnerability disclosure '
                     '(initial surfacing on Linux kernel mailing list before '
                     'formal AMD notification)',
                     'Need for robust entropy handling in hardware-based '
                     'cryptographic primitives',
                     'Value of providing immediate workarounds while permanent '
                     'fixes are developed'],
 'post_incident_analysis': {'corrective_actions': ['Microcode updates to fix '
                                                   'RDSEED behavior in '
                                                   'affected implementations.',
                                                   'AGESA updates for '
                                                   'firmware-level '
                                                   'mitigations.',
                                                   'Enhanced testing for '
                                                   'entropy handling in future '
                                                   'processor designs.'],
                            'root_causes': ['Improper entropy handling in '
                                            'RDSEED instruction (16-bit/32-bit '
                                            'implementations).',
                                            'Incorrect success signaling '
                                            '(CF=1) when returning zero '
                                            'values.',
                                            'Lack of validation for randomness '
                                            'quality in hardware-level RNG.']},
 'recommendations': ['Apply microcode patches as soon as they become available '
                     '(see scheduled release dates).',
                     'Implement recommended workarounds (64-bit RDSEED, '
                     'clearcpuid, or zero-value retry logic) until patches are '
                     'applied.',
                     'Prioritize patching for systems performing '
                     'security-critical operations (e.g., key generation, '
                     'encryption).',
                     "Monitor AMD's security advisories for updates on patch "
                     'availability and additional mitigations.',
                     'Review and test cryptographic applications for reliance '
                     'on RDSEED, especially in 16-bit/32-bit contexts.'],
 'references': [{'source': 'AMD Security Bulletin (AMD-SB-7055)'},
                {'source': 'Linux Kernel Mailing List (Initial Disclosure)'},
                {'source': 'CVE Details (CVE-2025-62626)'}],
 'response': {'communication_strategy': ['Public disclosure via security '
                                         'advisory',
                                         'Coordinated vulnerability disclosure '
                                         'with Linux kernel community',
                                         'Patch release timeline '
                                         'communication'],
              'containment_measures': ['Switch to 64-bit RDSEED implementation '
                                       '(unaffected)',
                                       'Mask RDSEED capability via '
                                       '`clearcpuid=rdseed` boot parameter or '
                                       'QEMU command-line options',
                                       'Treat RDSEED returns of zero as '
                                       'failures and retry until valid values '
                                       'appear'],
              'incident_response_plan_activated': True,
              'remediation_measures': ['Microcode patches for affected '
                                       'processors (scheduled rollout)',
                                       'AGESA mitigations for EPYC 9005 '
                                       'Series'],
              'third_party_assistance': ['Original Equipment Manufacturers '
                                         '(OEMs) for patch distribution']},
 'stakeholder_advisories': ['OEMs (for patch distribution)',
                            'Enterprise customers using EPYC 9005 Series '
                            'processors',
                            'Consumers using Ryzen 9000 Series processors',
                            'Linux kernel community and open-source '
                            'developers'],
 'title': 'AMD Zen 5 RDSEED Instruction Vulnerability (CVE-2025-62626 / '
          'AMD-SB-7055)',
 'type': ['Vulnerability', 'Cryptographic Flaw', 'Hardware Security Issue'],
 'vulnerability_exploited': {'amd_id': 'AMD-SB-7055',
                             'cve_id': 'CVE-2025-62626',
                             'cvss_score': 7.2,
                             'description': 'Improper handling of insufficient '
                                            'entropy in RDSEED instruction '
                                            '(16-bit and 32-bit '
                                            'implementations only). Returns '
                                            'zero values while incorrectly '
                                            'signaling success (CF=1), '
                                            'misleading software into using '
                                            "predictable 'random' data.",
                             'severity': 'High'}}