AMD's Zen 2 chips have a security bug that's getting patched between now and 2024

pcgamer.com:

A security vulnerability has been uncovered in AMD processors built with the Zen 2 architecture. Spotted by a Google researcher, the so-called 'Zenbleed' vulnerability opens the door to a potential attacker and threatens the possibility of exposing sensitive information. Don't worry, there is a fix, but us gamers will have to wait around a little longer than our server-side pals to get hold of it.

Zenbleed affects all Zen 2 processors, which includes Ryzen 3000/4000, Threadripper 3000, Ryzen 4000/5000/7020 mobile, and Epyc Rome generations.

The vulnerability, as described by AMD in a security bulletin, occurs «Under specific microarchitectural circumstances, a register in 'Zen 2' CPUs may not be written to 0 correctly. This may cause data from another process and/or thread to be stored in the YMM register, which may allow an attacker to potentially access sensitive information.»

The vulnerability is listed as «Medium» severity by AMD, however, its CVE (CVE-2023-20593) is not currently rated.

The vulnerabilities' discoverer, Tavis Ormandy, goes into greater detail on how the exploit works in their blog post. They believe the reason they discovered the bug, as opposed to AMD in post-silicon validation, is because they don't come from an electrical engineering background, oddly enough. They thank a technique called 'fuzzing' for sniffing the bug out, which is a way of testing out weird and unexpected data on a computer to expose unlikely architectural behaviours.

Ormandy notes that the vulnerability would work on your average machine but also virtual machines, sandboxes, containers, processors, «whatever!»

Clearly that's a big deal for large cloud providers, who take security extremely seriously.

Speaking to Tom's Hardware