Zenbleed: Everything you need to know about this AMD security bug

The latest in a long series of security bugs for CPUs, Zenbleed is yet another thing that needs to be patched. Here’s what you need to know.

[Image: An AMD Ryzen 3000 CPU. Source: AMD]

Since the Spectre and Meltdown CPU exploits were publicized in 2018, the computing world has been pretty vigilant about finding security bugs and loopholes in processors, and in the past five years, researchers have found a ton. On July 24, yet another exploit was publicly disclosed after first being reported in May. This time, it’s specific to AMD processors built on the Zen 2 architecture, and it’s dubbed “Zenbleed”. Here’s everything you need to know about Zenbleed and what it means for the world.

How does Zenbleed work?


Zenbleed is very similar to other hardware-based security bugs like Spectre in that it exploits the speculative ability of CPUs. In order to improve performance, CPUs speculate or predict the next thing they need to do, and since Spectre was first disclosed, the world has learned that speculation can be very insecure if done improperly.

[Image: XMM and YMM register layout. Source: Tavis Ormandy]

Registers in a CPU can hold a small amount of data, typically an instruction, a storage address, or any other kind of small data. XMM registers in an x86_64 architecture (so, any of the affected Zen 2 processors) can only be used for making calculations on data, not addressing memory. XMM registers are 128 bits wide; YMM registers extend them to 256 bits, and ZMM registers to 512 bits. In other words, XMM refers to the lower 128 bits of the total 512 bits of a ZMM register.

These registers are incredibly useful for lots of different things, including standard C functions. The vulnerability abuses speculative execution and branch mispredictions to essentially spit out a random piece of data from memory, but that data can be from anything. Standard C library functions like strlen, which measures the length of a string, can use these registers for moving data around, and it’s possible that, by chance, a password that you use could have unluckily fallen into one of these registers.

Branch prediction and speculative execution broadly refer to when your computer performs operations that are not yet needed but will likely be needed in subsequent cycles. It’s often done in times when your system has free resources, as it speeds up overall processing when instructions or data would otherwise not yet be ready for the CPU. If the work done is not needed, it’s typically discarded and the processor can jump back to where it needs to in order to execute the next, correct, instruction. When it does this, this is called a branch misprediction.

Where a problem arises is in the vzeroupper instruction, which zeroes out the bits in position 128 and higher of YMM and ZMM registers. This is done particularly when transitioning between AVX and legacy SSE code, as it eliminates performance penalties caused by false dependencies while also avoiding an effect that’s similar to integer promotion in C.

If the processor speculatively executes a vzeroupper instruction, there is no proper rollback: the affected Ryzen processors do recover from the misprediction, but they do so incorrectly. Once in this state, the program currently executing can spy on those registers in real time, viewing data flowing through the system at any given time.

What CPUs are impacted by Zenbleed, and when will patches be available?

As stated before, only AMD CPUs based on the Zen 2 architecture are known to be vulnerable to the Zenbleed security bug, but the Zen 2 architecture has powered CPUs in three series, making it messy to figure out which CPUs are vulnerable and which aren’t. Here’s a table that should make it all clear:

Impacted CPUs

Series              Impacted models
Ryzen 3000 Series   All except APUs (e.g. Ryzen 3 3200G)
Epyc Rome           All
Ryzen 4000 Series   All
Ryzen 5000 Series   Only the 5300U, 5500U, and 5700U
Ryzen 7000 Series   Only 7020 APUs (e.g. Ryzen 3 7320U)

This is a pretty large amount of AMD processors, and these are just the ones that have been confirmed so far. Zen 2 is also used in the APUs that power the Steam Deck, Xbox Series S and X, and PS5. We haven’t heard either way if these CPUs are also affected, but judging by the way this exploit works, I’d be surprised if they weren’t also impacted. It seems unlikely that AMD patched it in the Xbox and PS5 since 7020 series chips, which are newer, are also impacted.

At the time of writing, microcode has been submitted to the Linux kernel that will patch this vulnerability, and your operating system or BIOS may already have an update that fixes this problem.

What does this mean for computers that use vulnerable CPUs?

This is a tricky thing to answer because not all computers are equal. For normal people who are just using gaming desktops and laptops, you probably don’t need to be that worried. This is a pretty sophisticated exploit and although it’s public knowledge now, there are no known examples of an attacker using Zenbleed to hack into anything yet.

However, the stakes are much higher for datacenters and important people handling sensitive information on their own computers. There’s a reason why AMD has been very clear that Epyc Rome was patched before the vulnerability was made public: lots of sensitive information is being handled by Epyc CPUs, and it would be a disaster if any CPUs powering large-scale servers were successfully attacked. Linux kernel 6.4.6 is already released and fixes this vulnerability by rolling in the official microcode patch from AMD. It seems likely that Microsoft will incorporate something similar into Windows.

Worryingly, AMD’s official BIOS patches may not roll out for several months, in which case there’s a “chicken bit” that you can set if you’re on a Linux or FreeBSD machine. On Linux machines, you can use msr-tools and execute the following command, which reads MSR 0xc0011029, sets bit 9 (the chicken bit), and writes the result back on all cores:

wrmsr -a 0xc0011029 $(($(rdmsr -c 0xc0011029) | (1<<9)))

On FreeBSD, the same bit can be set with cpucontrol(8).

Disabling SMT is not enough to mitigate the vulnerability.
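As an added example (this is not code from the article, from AMD, or from msr-tools), here is a small POSIX shell wrapper around the chicken-bit workaround above. It computes the value the wrmsr command writes (the current value of MSR 0xc0011029, which the Linux kernel names MSR_AMD64_DE_CFG, with bit 9 set), checks whether the bit is already set, refuses to touch the MSR on a CPU that is not AMD family 17h, and applies the write per core. It assumes Linux with msr-tools (rdmsr/wrmsr) installed and the msr kernel module loaded, and needs root to read or write the MSR; the function names and the sample cpuinfo lines are my own.

```shell
#!/bin/sh
# Added example (not from the article, AMD, or msr-tools): a wrapper around the
# Zenbleed "chicken bit" mitigation. MSR 0xc0011029 is AMD's DE_CFG register and
# bit 9 is the bit the article's wrmsr command sets. Assumes Linux, msr-tools
# (rdmsr/wrmsr) and the msr kernel module loaded; reading or writing needs root.
# Function names are mine.

ZENBLEED_MSR=0xc0011029
ZENBLEED_BIT=9

# Same arithmetic as the article's command: OR bit 9 into the current MSR value.
# Prints the new value in hex so it can be passed straight to wrmsr.
mitigated_msr_value() {
    printf '0x%x\n' $(( $1 | (1 << ZENBLEED_BIT) ))
}

# Succeeds (exit 0) if bit 9 is already set in the given value.
is_chicken_bit_set() {
    [ $(( ($1 >> ZENBLEED_BIT) & 1 )) -eq 1 ]
}

# Succeeds if the /proc/cpuinfo text passed as $1 describes an AMD family 17h CPU.
# Family 17h covers every Zen 2 part in the article's table but also Zen 1/Zen+,
# so this guards against writing a vendor-specific MSR on the wrong CPU; it is
# not a Zen 2 detector. Use the article's table to confirm the part is Zen 2.
is_amd_family_17h() {
    printf '%s\n' "$1" | grep -q '^vendor_id[[:space:]]*:[[:space:]]*AuthenticAMD' &&
    printf '%s\n' "$1" | grep -q '^cpu family[[:space:]]*:[[:space:]]*23$'
}

# Constructed sample cpuinfo lines (not captured from a real machine) for offline checks.
SAMPLE_CPUINFO_ZEN2="$(printf 'vendor_id\t: AuthenticAMD\ncpu family\t: 23\nmodel\t\t: 113\n')"
SAMPLE_CPUINFO_INTEL="$(printf 'vendor_id\t: GenuineIntel\ncpu family\t: 6\n')"

# Set the bit on every logical CPU that does not already have it. MSR writes are
# not persistent, so this has to run again after each reboot until a microcode
# or BIOS fix is installed.
apply_if_needed() {
    if ! is_amd_family_17h "$(cat /proc/cpuinfo)"; then
        echo "not an AMD family 17h CPU; refusing to touch MSR $ZENBLEED_MSR" >&2
        return 1
    fi
    cpu=0
    ncpu=$(nproc)
    while [ "$cpu" -lt "$ncpu" ]; do
        cur=$(rdmsr -c -p "$cpu" "$ZENBLEED_MSR")
        if is_chicken_bit_set "$cur"; then
            echo "cpu$cpu: chicken bit already set ($cur)"
        else
            wrmsr -p "$cpu" "$ZENBLEED_MSR" "$(mitigated_msr_value "$cur")"
            echo "cpu$cpu: set $cur -> $(mitigated_msr_value "$cur")"
        fi
        cpu=$((cpu + 1))
    done
}

# Only touch the hardware when explicitly asked: sh zenbleed-chicken-bit.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_if_needed
fi
```

Two design points worth noting: the script reads and writes each core separately with `-p` rather than broadcasting one core's value with `-a`, so cores whose MSR already differs are not overwritten with a foreign value, and the write is gated on an explicit `--apply` flag so the arithmetic and cpuinfo checks can be exercised without root. Also keep in mind that a wrmsr-based workaround does not survive a reboot, and that, as the article says, disabling SMT is not a substitute for it.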

One thing that makes Zenbleed particularly bad is that Zen 2 was one of AMD’s most popular CPU architectures. It kickstarted AMD’s comeback in 2019 and 2020, and lots of people, companies, and organizations still use computers with Zen 2 processors in 2023, especially Epyc Rome CPUs. This isn’t as bad as Spectre (which affects pretty much all pre-2019 CPUs) and Meltdown (which affects pretty much all pre-2019 Intel CPUs), but it’s still fairly widespread.

Security patches for vulnerabilities like this also often result in a performance penalty, but AMD told Tom’s Hardware that this penalty will depend on the CPU and the workload. Speculation and prediction have been pretty important to CPU performance, so it’s unclear if any potential fix will see a significant reduction in performance.