A new vulnerability affecting AMD’s Zen 2 processor line – which includes popular processors like the budget Ryzen 5 3600 – has been discovered that can be exploited to steal sensitive data such as passwords and encryption keys. Google security researcher Tavis Ormandy revealed the “Zenbleed” bug (filed under CVE-2023-20593) on his blog this week after reporting the vulnerability to AMD on May 15.

The entire Zen 2 product stack is affected by the vulnerability, including all AMD Ryzen 3000/4000/5000/7020 series processors, Ryzen Pro 3000/4000 series, and AMD’s EPYC “Rome” data center processors. AMD has since published its expected release schedule to patch the exploit, with most firmware updates not expected to arrive until the end of this year.

According Cloudy, the Zenbleed exploit does not require physical access to a user’s computer to attack their system and can even be executed remotely via Javascript on a web page. If executed successfully, the exploit allows data to be transferred at a rate of 30 KB per core, per second. It’s fast enough to steal sensitive data from any software running on the system, including virtual machines, sandboxes, containers and processes, according to Ormandy. As TomsHardware note, the flexibility of this exploit is of particular concern for cloud-hosted services, as it could potentially be used to spy on users in cloud instances.

Worse still, Zenbleed can fly under the radar because it doesn’t require any system calls or special privileges to operate. “I don’t know of any reliable technique to detect exploitation,” Ormandy said. The bug shares some similarities with the Spectrum class of CPU vulnerabilities in that it uses flaws in speculative executions, but is much easier to execute – which makes it more like Merger family of exploits. The full technical breakdown regarding the Zenbleed vulnerability can be found at Ormandy’s blog.

AMD has already released a microcode patch for the second-generation Epyc 7002 processors, though the next updates for the remaining processor lines aren’t expected until October 2023 at the earliest. The company hasn’t disclosed whether these updates will impact system performance, but a statement provided by AMD to TomsHardware suggests this is a possibility:

Any performance impact will vary depending on workload and system configuration. AMD is not aware of any known exploits of the described vulnerability outside of the research environment.

Ormandy “strongly recommends” affected users to apply AMD’s microcode update, but also provided instructions on his blog for a software workaround that can be applied while waiting for vendors to include a fix in future BIOS updates. Ormandy warns that this workaround could also impact system performance, but at least it’s better than having to wait for a firmware update.