AMD has confirmed a high-severity security vulnerability in the RDSEED instruction on its Zen 5-based CPUs, labeled AMD-SB-7055, which generates potentially predictable cryptographic keys. The issue affects server and consumer processors, prompting mitigations through firmware updates starting November 25.
The vulnerability causes the RDSEED instruction to return a value of zero in a non-randomized pattern while incorrectly indicating success to the system. This failure impacts the 16-bit and 32-bit formats of the instruction, but the 64-bit version remains unaffected, according to AMD’s assessment. RDSEED serves as a hardware-based true random number generator on modern CPUs, including those from AMD and Intel. It collects entropy from environmental sources to produce unpredictable bit patterns stored in CPU registers, essential for generating secure cryptographic keys in various applications.
In contrast, the related RDRAND instruction operates as a faster deterministic random number generator, producing patterns that may exhibit higher predictability compared to RDSEED’s entropy-driven output. Applications relying on RDSEED for randomness face risks when the instruction fails, as predictable outputs could enable attackers to compromise encryption by anticipating key patterns derived from zeros.
A Meta engineer first identified the flaw and reported it on the Linux kernel mailing list, with Phoronix covering the announcement in mid-October. The discovery involved reproducing the issue reliably through a specific test: one CPU thread repeatedly executed the RDSEED instruction while another thread consumed approximately 90 percent of available memory. This setup highlighted the instruction’s consistent return of zero values under stress conditions.
Following the report, developers released a Linux kernel patch a few days later to disable the RDSEED instruction entirely on all Zen 5 chips, preventing potential exploitation of the vulnerability. This measure ensures that systems using Linux avoid the faulty random number generation until hardware-level fixes are applied.
The problem echoes a prior incident with AMD’s Zen 2-based APUs, codenamed Cyan Skillfish, which experienced a similar but distinct RDSEED failure. In that case, the Linux community responded by disabling RDSEED functionality on those processors to maintain security. AMD’s Zen architecture has thus encountered recurring challenges with this random number generation feature across generations.
AMD has already deployed mitigations for its EPYC 9005 server CPUs, which incorporate the Zen 5 architecture. For consumer-oriented Zen 5 products, including the Ryzen 9000 series desktop processors, AI Max 300 series, Threadripper 9000 series high-end desktop chips, and Ryzen Z2 series mobile processors, updates are scheduled for release on November 25. Additional mitigations will follow through January 2026, varying by specific CPU operating mode to address the issue comprehensively.
To resolve the vulnerability at the firmware level, AMD plans to distribute AGESA microcode updates soon, applicable to all Zen 5 CPUs. These updates will correct the RDSEED behavior directly. In the interim period before these updates reach individual systems, AMD advises users to rely on the unaffected 64-bit RDSEED format where possible or to implement software-based fallback mechanisms for random number generation.
