Critical AMD Zen CPU Microcode Vulnerability Allows Malicious Code Injection

2025-02-03
Critical AMD Zen CPU Microcode Vulnerability Allows Malicious Code Injection

Google's security team discovered a critical vulnerability in AMD Zen CPUs (Zen 1-4). An attacker with local administrator privileges can bypass insecure signature verification to load malicious microcode patches, compromising the confidentiality and integrity of confidential computing workloads protected by AMD SEV-SNP and potentially the Dynamic Root of Trust for Measurement (DRTM). AMD released a fix on December 17th, urging users to verify TCB values for SNP. Further details and tools will be released on March 5th by Google to allow time for remediation.