AMD will issue a microcode patch for a high-severity vulnerability that could weaken cryptographic keys across Epyc and Ryzen CPUs.
The flaw, tracked as CVE-2025-62626 (7.2), affects Zen 5 chips running on 16-bit and 32-bit architectures. The bug involves RDSEED, a function that generates high-quality random numbers used by security keys.
RDSEED provides the true entropy that’s required by apps generating high-strength cryptographic keys.
An attacker with local privileges could manipulate the values returned by RDSEED, which in some cases returns 0 instead of a random number and treats it as an acceptable output. This means the cybercrim could theoretically target applications that rely on the values returned by the RDSEED function and exploit the flaw to decrypt data or access credentials.
However, given the local access requirement, an attacker would already have significant system control.
AMD said that, while it works on a microcode patch behind the scenes, those using affected chips have a few workarounds to choose from. They can opt to use the 64-bit version of RDSEED where available, which is not affected by CVE-2025-62626.
Users can also prevent applications from discovering the RDSEED function, either by adding clearcpuid=rdseed to the boot command line, or for a VM, with the -rdseed option on the qemu command line.
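To confirm that the clearcpuid=rdseed workaround described above took effect, an administrator can compare the kernel command line with the CPU flags the kernel reports. The script below is an added example, not code from AMD or the original article; the function names, status strings and sample files are constructed for illustration, and the Zen 5 identification (vendor AuthenticAMD, CPU family 26) is an assumption not stated in the article.

```shell
#!/bin/sh
# Report whether the kernel still advertises RDSEED on a Zen 5 host.
# Usage: rdseed_status [CPUINFO_FILE] [CMDLINE_FILE]
# Prints one of: not-zen5 | exposed | hidden-by-clearcpuid | hidden

# True if the kernel command line has clearcpuid=... with rdseed in its list.
has_clearcpuid_rdseed() {
    tr ' \t' '\n\n' < "$1" | sed -n 's/^clearcpuid=//p' |
        tr ',' '\n' | grep -qx 'rdseed'
}

# Value of the first "key : value" line in a cpuinfo-style file.
cpuinfo_field() {
    sed -n "s/^$1[[:space:]]*:[[:space:]]*//p" "$2" | head -n 1
}

rdseed_status() {
    cpuinfo=${1:-/proc/cpuinfo}
    cmdline=${2:-/proc/cmdline}
    # Assumption (not from the article): Zen 5 parts report vendor
    # AuthenticAMD and CPU family 26 (1Ah) in /proc/cpuinfo.
    if [ "$(cpuinfo_field 'vendor_id' "$cpuinfo")" != "AuthenticAMD" ] ||
       [ "$(cpuinfo_field 'cpu family' "$cpuinfo")" != "26" ]; then
        echo "not-zen5"
    elif cpuinfo_field 'flags' "$cpuinfo" | tr ' ' '\n' | grep -qx 'rdseed'; then
        echo "exposed"              # applications can still discover RDSEED
    elif has_clearcpuid_rdseed "$cmdline"; then
        echo "hidden-by-clearcpuid" # boot-time workaround is active
    else
        echo "hidden"               # e.g. a guest started with -rdseed
    fi
}

# Constructed sample input (not captured from a real machine).
demo() {
    d=$(mktemp -d)
    printf 'vendor_id\t: AuthenticAMD\ncpu family\t: 26\nflags\t\t: fpu rdrand rdseed adx\n' > "$d/cpu_on"
    printf 'vendor_id\t: AuthenticAMD\ncpu family\t: 26\nflags\t\t: fpu rdrand adx\n' > "$d/cpu_off"
    printf 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 quiet\n' > "$d/cmd_plain"
    printf 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 clearcpuid=rdseed quiet\n' > "$d/cmd_fix"
    echo "before workaround: $(rdseed_status "$d/cpu_on" "$d/cmd_plain")"
    echo "after workaround:  $(rdseed_status "$d/cpu_off" "$d/cmd_fix")"
    rm -rf "$d"
}
demo
```

Calling rdseed_status with no arguments reads /proc/cpuinfo and /proc/cmdline on the live host. The result reflects what the kernel advertises to applications, which is what the workaround changes.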
Patches are already available for Epyc 9005 series chips (TurinPI 1.0.0.8); they were released on October 28.
A recent Linux kernel update (6.18-rc4) also attempted to fix the bugs, although the founder of CachyOS said the update is preventing many of the distro’s users from entering their GUIs.
For other affected lines, users will have to wait. AMD is aiming to have fixes available for Ryzen and Epyc Embedded 9005 series processors later this month. Updates for Epyc Embedded 4005 series and Ryzen Embedded 9000 series chips won’t be here until January.
The issues were first discovered by Gregory Price, a Linux kernel engineer at Meta, who alerted those subscribed to the Linux kernel mailing list in October, although AMD only released the CVE and security advisory in the last week.