According to ZDNet, AMD has confirmed a critical bug affecting its new Zen 5 processors that compromises the chip’s pseudorandom number generator. The issue was discovered by Meta engineer Gregory Price and affects the RDSEED instruction, which produces a value of zero with no error indication about 10% of the time when it should be generating random numbers. This bug specifically impacts the 16-bit and 32-bit versions of RDSEED across multiple processor families including Ryzen AI 300 Series, Ryzen 9000 Series, and EPYC 9005 Series. AMD is rolling out fixes through AGESA and microcode updates, with EPYC 9005 Series patches already available and other processors scheduled to receive updates between now and January 2025. The 64-bit version of RDSEED remains unaffected and can serve as an interim workaround.
Why this matters for security
Here’s the thing about random numbers in computing – they’re supposed to be, well, random. When your processor starts spitting out predictable zeros instead of actual randomness, you’ve got a serious problem. This isn’t just some academic issue either. Cryptographic systems, secure communications, encryption keys – they all depend on having truly unpredictable random numbers. Basically, it’s like having a casino where the dice come up zero 10% of the time, but the dealer doesn’t tell anyone. And the system thinks everything’s fine!
Think about what happens when security protocols can’t trust their random number source. Keys become predictable, encrypted data becomes vulnerable, and entire security models start crumbling. The fact that this happens without any error flag makes it even worse – systems will happily use these compromised zeros thinking they’re getting proper entropy. It’s the computing equivalent of a silent failure, and those are always the most dangerous kind.
Who should be worried about this
For regular users browsing the web or playing games? Probably not a huge immediate concern. But enterprises running security-sensitive applications, cloud providers using EPYC servers, and developers building cryptographic software? They need to pay attention. The bug specifically affects the 16-bit and 32-bit versions of RDSEED, which are commonly used in various security implementations.
And here’s the kicker – this isn’t AMD’s first rodeo with processor bugs. Remember Spectre and Meltdown? Those affected multiple vendors, but AMD has had its share of architecture-level issues over the years. The good news is that the company seems to be responding quickly this time around. The patches are already rolling out, and the 64-bit workaround gives developers some breathing room while waiting for proper fixes.
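The 64-bit workaround mentioned above, sketched as an added example (not code from AMD, the Linux kernel patches, or this article): 16-bit and 32-bit seeds are cut from a 64-bit RDSEED fetch, with the carry flag checked and retries bounded. The names `seed32`, `seed16`, `sim_src` and the retry bound of 10 are assumptions made for illustration.

```c
#include <stdint.h>
#if defined(__x86_64__)
#include <cpuid.h>
#endif

#define SEED_RETRIES 10 /* assumed retry bound, not from the article */

/* Seed source: 1 and *out filled on success, 0 on failure (RDSEED's CF). */
typedef int (*seed64_fn)(uint64_t *out);

/* 64-bit RDSEED only. CPUID.(EAX=7,ECX=0):EBX bit 18 advertises RDSEED. */
int hw_rdseed64(uint64_t *out) {
#if defined(__x86_64__)
    unsigned int a, b, c, d;
    unsigned char ok;
    uint64_t v;
    if (!__get_cpuid_count(7, 0, &a, &b, &c, &d) || !(b & (1u << 18)))
        return 0;
    __asm__ volatile("rdseed %0; setc %1" : "=r"(v), "=q"(ok) : : "cc");
    if (ok) *out = v;
    return ok;
#else
    (void)out; /* not x86-64, so no RDSEED */
    return 0;
#endif
}

/* Constructed stand-in source: fails sim_fail times, then a fixed value. */
int sim_fail, sim_calls;
int sim_src(uint64_t *out) {
    if (sim_calls++ < sim_fail) return 0;
    *out = 0x1122334455667788ULL;
    return 1;
}

/* Narrow seeds are cut from a 64-bit fetch, so the 16/32-bit instruction
 * forms never execute. Return 0 means no seed: fall back, do not use *out. */
int seed32(seed64_fn src, uint32_t *out) {
    uint64_t v;
    for (int i = 0; i < SEED_RETRIES; i++)
        if (src(&v)) { *out = (uint32_t)v; return 1; }
    return 0;
}

int seed16(seed64_fn src, uint16_t *out) {
    uint32_t v;
    if (!seed32(src, &v)) return 0;
    *out = (uint16_t)v;
    return 1;
}
```

Production callers pass `hw_rdseed64` as the source; `sim_src` exists only so the retry and failure paths can be exercised on machines without the instruction.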
What happens now
AMD’s handling this through the standard channels – security bulletins, microcode updates, and working with motherboard manufacturers to push AGESA updates. The timeline stretching into January 2025 means some systems will remain vulnerable for a few months, but critical infrastructure and enterprise customers will likely prioritize these patches.
Meanwhile, the technical details are out there for anyone who wants to dive deep. Gregory Price’s original mailing list post and the Linux kernel patches show this is being taken seriously at the operating system level too. The real question is how many systems in the wild are actually using the affected instructions in security-critical ways. My guess? More than we’d like to think.
