Advisory

Critical RDSEED flaw in AMD Zen 5 processors compromises cryptographic random number generation

Take action: If you have AMD Zen 5 processors (Ryzen 9000 series, EPYC 9005, Threadripper 9000, or Ryzen AI 300 series), contact your system manufacturer for BIOS updates that fix the RDSEED flaw. Until the update is available, advise your developers and configure your systems to use only 64-bit RDSEED instructions, or force-disable rdseed in your boot parameters/BIOS as a temporary workaround.


Learn More

AMD is reporting a hardware vulnerability affecting its Zen 5 processor lineup that compromises the integrity of cryptographic random number generation. 

The flaw, tracked as CVE-2025-62626 (CVSS score from 7.2 to 9.8), impacts the RDSEED instruction that systems rely upon to generate cryptographically secure random numbers for encryption keys, authentication tokens, session identifiers, and other critical security functions.

The vulnerability is caused by a defect in how AMD Zen 5 processors implement the RDSEED instruction. Under certain conditions of insufficient entropy, the instruction returns a value of zero while incorrectly signaling success through the carry flag (CF=1). This creates a dangerous scenario where software applications believe they have received a valid cryptographically secure random number when they have actually obtained a predictable zero value. The result is weak encryption keys, predictable authentication tokens, or compromised security protocols, without any indication that the random number generation has failed.

AMD has determined that the 16-bit and 32-bit forms of the RDSEED instruction on Zen 5 processors are affected by this vulnerability. The 64-bit form of RDSEED is not affected by this issue. Affected products include:

  • AMD EPYC 9005 Series processors,
  • AMD Ryzen 9000 Series Desktop processors,
  • AMD Ryzen 9000HX Series processors,
  • AMD Ryzen AI 300 Series processors,
  • AMD Ryzen AI Z2 Series Extreme processors,
  • AMD Ryzen AI Max 300 Series processors,
  • AMD Ryzen Threadripper 9000 processors,
  • AMD Ryzen Threadripper PRO 9000 WX-Series processors,
  • AMD Ryzen Z2 Series Extreme processors,
  • AMD EPYC Embedded 4005 Series processors,
  • AMD EPYC Embedded 9005 Series processors,
  • AMD Ryzen Embedded 9000 Series processors.

AMD is actively working to patch this vulnerability through firmware and microcode updates distributed to Original Equipment Manufacturers and is delivering patches between late October and late November 2025.

Until microcode patches are deployed through BIOS updates from system manufacturers, AMD recommends implementing software workarounds: 

  • System administrators can prioritize using the 64-bit form of RDSEED exclusively, as this variant is not affected by the vulnerability.
  • Alternatively, organizations can mask the RDSEED capability from software detection by modifying boot parameters, such as adding "clearcpuid=rdseed" to the boot command line, or using the "-rdseed" option on the QEMU command line for virtual machines.
  • Implementing software logic to treat any RDSEED return value of zero as equivalent to a failure indication (CF=0), requiring applications to retry the RDSEED instruction until a non-zero value is returned with a success indication.
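
The first and third workarounds can be combined in one wrapper, shown here as an added example that is not AMD's or any vendor's code: it issues only the 64-bit form, treats a zero result as a failure even when CF=1, and retries a bounded number of times. The function names, the retry bound and the two `sim_*` simulators are assumptions made for illustration.

```c
#include <stdint.h>

/* One RDSEED attempt: returns 1 when CF=1 (success reported), else 0. */
typedef int (*seed_step_fn)(uint64_t *out);

#if defined(__x86_64__)
/* 64-bit RDSEED, the form the advisory lists as not affected. The caller
   must first confirm RDSEED support (CPUID leaf 7, subleaf 0, EBX bit 18). */
int hw_rdseed64_step(uint64_t *out)
{
    unsigned char cf;
    __asm__ volatile("rdseed %0\n\tsetc %1" : "=r"(*out), "=qm"(cf) : : "cc");
    return cf;
}
#endif

/* Workaround logic: a zero result counts as a failure (as if CF=0) even when
   the step reported success; retry up to max_tries times. Returns 0 on
   success, -1 when no usable seed was obtained so the caller can fail closed. */
int seed_checked(seed_step_fn step, uint64_t *out, unsigned max_tries)
{
    for (unsigned i = 0; i < max_tries; i++) {
        uint64_t v = 0;
        if (step(&v) && v != 0) {
            *out = v;
            return 0;
        }
    }
    return -1;
}

/* Constructed stand-ins for the instruction, so the logic can be exercised
   on any machine. sim_calls counts attempts made against the simulator. */
unsigned sim_calls;

/* Simulates the defect: "success" with value 0 twice, then a real value. */
int sim_faulty_step(uint64_t *out)
{
    *out = (++sim_calls <= 2) ? 0 : 0x9e3779b97f4a7c15ULL; /* constructed */
    return 1;
}

/* Simulates a source that only ever reports success with zero. */
int sim_stuck_step(uint64_t *out)
{
    *out = 0;
    sim_calls++;
    return 1;
}
```

On real hardware, pass `hw_rdseed64_step` as the step function; when `seed_checked` returns -1 the caller should abort key generation or use another entropy source instead of proceeding with the output buffer.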

Organizations running affected Zen 5 systems should prioritize applying these updates once they become available through their Original Equipment Manufacturers. System administrators should contact their OEM vendors for BIOS updates specific to their products.
