Skip to main content

AMD Confirms Zen 5 RNG Flaw: When ‘Random’ Isn’t Random Enough

1 month 2 weeks ago
by George Whittaker

AMD has officially confirmed a high-severity security vulnerability in its new Zen 5–based CPUs, and it’s a nasty one because it hits cryptography right at the source: the hardware random number generator.

Here’s a clear breakdown of what’s going on, how bad it really is, and what you should do if you’re running Zen 5.

What AMD Just Confirmed

AMD’s security bulletin AMD-SB-7055, now tracked as CVE-2025-62626, describes a bug in the RDSEED instruction on Zen 5 processors. Under certain conditions, the CPU can:

  • Return the value 0 from RDSEED far more often than true randomness would allow

  • Still signal “success” (carry flag CF=1), so software thinks it got a good random value

The issue affects the 16-bit and 32-bit forms of RDSEED on Zen 5; the 64-bit form is not affected.

Because RDSEED is used to feed cryptographically secure random number generators (CSPRNGs), a broken RDSEED can poison keys, tokens, and other security-critical values.

AMD classifies the impact as:

Loss of confidentiality and integrity (High severity).

How the Vulnerability Works (In Plain English) What RDSEED Is Supposed to Do

Modern CPUs expose hardware instructions like RDRAND and RDSEED:

  • RDRAND: Gives you pseudo-random values from a DRBG that’s already been seeded.

  • RDSEED: Gives you raw entropy samples suitable for seeding cryptographic PRNGs (it should be very close to truly random).

Software like TLS libraries, key generators, HSM emulators, and OS RNGs may rely directly or indirectly on RDSEED to bootstrap secure randomness.

What’s Going Wrong on Zen 5

On affected Zen 5 CPUs:

  • The 16-bit and 32-bit RDSEED variants sometimes return 0 much more often than a true random source should.

  • Even worse, they simultaneously report success (CF=1), so software assumes the value is fine rather than retrying.

In cryptographic terms, this means:

  • Entropy can be dramatically reduced (many key bits become predictable or even fixed).

  • Keys or nonces derived from those values can become partially or fully guessable.

Go to Full Article
George Whittaker

OpenAI CFO Says Company Isn't Seeking Government Backstop, Clarifying Prior Comment

1 month 2 weeks ago
OpenAI CFO Sarah Friar said late Wednesday that the AI startup is not seeking a government backstop for its infrastructure commitments, clarifying previous comments she made on stage during the Wall Street Journal's Tech Live event. From a report: At the event, Friar said OpenAI is looking to create an ecosystem of banks, private equity and a federal "backstop" or "guarantee" that could help the company finance its investments in cutting-edge chips. But in a LinkedIn post late Wednesday, Friar softened her stance. "I used the word 'backstop' and it muddied the point," Friar wrote. "As the full clip of my answer shows, I was making the point that American strength in technology will come from building real industrial capacity which requires the private sector and government playing their part." OpenAI has inked more than $1.4 trillion of infrastructure deals in recent months to try and build out the data centers it says are needed to meet soaring demand. The agreements have raised questions around how the company can afford to make such massive commitments.

Read more of this story at Slashdot.

msmash