
AMD Zen 5 RDSEED bug puts Ryzen 9000 security under the spotlight

Zen 5 has been on retail shelves for little more than a year and it already has a serious security headache. AMD has confirmed a high severity bug in the RDSEED instruction on Zen 5 processors, logged as AMD-SB-7055. In short, under certain conditions Zen 5 chips can return zero from the 16 bit and 32 bit forms of RDSEED while still reporting success. If your crypto stack trusts those values, you can end up with predictable keys. That is about as bad as it sounds for anything that relies on hardware entropy.

What AMD-SB-7055 actually breaks

RDSEED is meant to provide high quality random values pulled directly from the hardware entropy source, which is why it is used for seeding rather than for bulk random numbers. Software calls RDSEED, checks the carry flag (CF) and, if CF is set, uses the returned value to seed a pseudo random generator or to help build crypto keys; if CF is clear it retries. On Zen 5, the 16 bit and 32 bit forms of RDSEED can sometimes return zero in a non random way while still setting the carry flag that signals success, so the documented retry loop never fires. The 64 bit form is not affected.

That means code that does everything right on paper can still end up with weak keys. Libraries and kernels that rely on RDSEED may consume those zero values as if they were real entropy. The result is a key space that is far easier to guess, and a cleaner path for an attacker who can observe those failures or provoke them, for example by running a memory-heavy workload on a neighbouring thread.

Which CPUs are hit

AMD’s bulletin, and the coverage that followed it, list every Zen 5 product line rather than a single SKU. That includes:

  • Ryzen 9000 desktop CPUs, including X and X3D parts.
  • Ryzen AI 300 series mobile chips.
  • Ryzen Z2 series for handhelds and embedded devices.
  • Threadripper 9000 and Threadripper Pro 9000 workstation parts.
  • EPYC 9005 data center CPUs.

EPYC 9005 already has mitigations in place. Desktop, mobile, Threadripper and handheld parts are getting fixes through AGESA based firmware updates that board vendors will wrap into BIOS releases. AMD is targeting late November 2025 for consumer Zen 5 updates, with some platforms running into early 2026.

How the bug was found

This did not come out of a staged lab demo. A Meta engineer, Gregory Price, hit the issue in the real world and posted details to the Linux kernel mailing list. By hammering RDSEED on one thread while putting heavy pressure on memory with another, they could reliably force RDSEED to return zeros that still reported success. The Linux kernel community reacted fast and pushed patches that clear the RDSEED feature bit on Zen 5 (AMD family 1Ah), so the kernel’s own entropy code stops using the instruction until a proper fix lands.

It is also not AMD’s first RDSEED headache. A Zen 2 based APU family, code named Cyan Skillfish, had a different RDSEED failure that led to the same mitigation on Linux. This time the stakes are higher because Zen 5 is AMD’s flagship desktop and server core for the next few years.

Why this matters more than a usual erratum

Most CPU errata fall into two buckets. Either they are obscure corner cases almost nobody will hit, or they are performance issues that you can paper over with a tiny loss in speed. AMD-SB-7055 sits in a nastier class. It takes a feature that developers rely on for security and quietly makes it untrustworthy.

Plenty of modern crypto libraries and operating systems use RDSEED to seed random number generators. If those seeds are biased or predictable, you weaken TLS sessions, disk encryption, secure messaging and anything else layered on top. The exposure is uneven: the Linux kernel mixes RDSEED output into its entropy pool alongside other sources rather than trusting it alone, so the kernel RNG does not collapse outright, but user space code that calls RDSEED directly as its sole seed source gets exactly the weak keys described above. The attack is not trivial, but the direction of travel is bad. This should be treated as a loss of confidentiality and integrity rather than a theoretical paper cut.

What AMD is doing to fix it

AMD’s security bulletin lays out a straightforward mitigation plan. Microcode updates are being delivered through AGESA, and board vendors are rolling those into BIOS updates across desktop, mobile and server platforms. EPYC 9005 fixes are already out. Ryzen 9000, Threadripper 9000, Ryzen AI 300 and Ryzen Z2 are next in line, with the remaining Zen 5 platforms following afterward.

On the software side, AMD recommends using the 64 bit form of RDSEED, which is not affected, or falling back to software based random number generators until microcode is updated. A plain retry-on-CF loop is not a mitigation here, because the bad results arrive with CF set; at minimum a zero from the 16 bit or 32 bit form has to be rejected as if the instruction had failed. Kernel and library maintainers are going further and simply disabling RDSEED on Zen 5 for now. That is blunt but safe.

What you should do if you own a Zen 5 system

If you have already built a Ryzen 9000 desktop, dropped Zen 5 into a work box or deployed Threadripper 9000, the checklist looks like this:

  • Watch for BIOS updates from your motherboard vendor that mention AGESA updates or AMD-SB-7055, and install them once they are stable.
  • Keep your OS updated so you get the kernel side mitigations. Linux distros are already disabling RDSEED on Zen 5. Windows will pick up fixes through normal patch channels.
  • For servers and workstations running custom crypto code, check whether you call RDSEED directly, including through inline assembly or compiler intrinsics. If you do, switch to 64 bit RDSEED or a trusted software fallback until microcode is known good. The kernel disabling its own use of RDSEED does not protect you here: the instruction still executes in user space and still returns the flawed result.
  • For new builds, this is not a reason to avoid Zen 5, but it is a good reminder to keep firmware updated from day one.
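The software mitigation described above and in this checklist, as an added example that is not code from AMD, the Linux kernel or any library mentioned on this page. It is a small user-space C wrapper for x86-64 that prefers the 64 bit form, rejects a successful-looking zero, retries a bounded number of times and otherwise falls back to /dev/urandom. It also carries the zero-counting probe behind the LKML reproducer (without the memory-pressure thread) and a CPUID check for AMD family 1Ah, which is Zen 5. The function names, the retry budget of 16 and the probe sizes are my choices, not anything AMD specifies.

```c
/* Added example, not AMD's or the kernel's code: a user-space RDSEED wrapper for
 * x86-64. It prefers the 64-bit form, treats a "successful" zero as a failure and
 * falls back to the OS RNG. It also carries the zero-counting probe from the LKML
 * reproducer (minus the memory-pressure thread) and a CPUID check for family 1Ah.
 * Build: cc -O2 -std=c11 -Wall -o rdseed_check rdseed_check.c */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__)
#include <cpuid.h>
/* CPUID leaf 7/0, EBX bit 18 advertises RDSEED. Cached: CPUID serialises and VM-exits. */
int cpu_has_rdseed(void) {
    static int cached = -1;
    unsigned int a, b, c, d;
    if (cached < 0)
        cached = __get_cpuid_count(7, 0, &a, &b, &c, &d) ? (int)((b >> 18) & 1u) : 0;
    return cached;
}
/* Zen 5 is AMD family 1Ah: vendor "AuthenticAMD", then base + extended family (leaf 1). */
int cpu_is_amd_family_1ah(void) {
    unsigned int a, b, c, d;
    if (!__get_cpuid(0, &a, &b, &c, &d)) return 0;
    if (b != 0x68747541u || d != 0x69746e65u || c != 0x444d4163u) return 0; /* Auth|enti|cAMD */
    if (!__get_cpuid(1, &a, &b, &c, &d)) return 0;
    unsigned int family = (a >> 8) & 0xFu;
    if (family == 0xFu) family += (a >> 20) & 0xFFu;
    return family == 0x1Au;
}
/* Raw form: returns CF (1 = hardware claims success). Only executed when CPUID says
 * RDSEED exists; on anything else the instruction would fault with #UD. */
#define RDSEED_RAW(name, T)                                                            \
    static int name(T *out) {                                                          \
        unsigned char cf = 0; *out = 0;                                                \
        if (cpu_has_rdseed())                                                          \
            __asm__ volatile("rdseed %0\n\tsetc %1" : "=r"(*out), "=q"(cf) : : "cc");  \
        return cf;                                                                     \
    }
#else /* not x86-64: no hardware path, everything falls through to /dev/urandom */
int cpu_has_rdseed(void) { return 0; }
int cpu_is_amd_family_1ah(void) { return 0; }
#define RDSEED_RAW(name, T) static int name(T *out) { *out = 0; return 0; }
#endif
RDSEED_RAW(rdseed32_raw, uint32_t)
RDSEED_RAW(rdseed64_raw, uint64_t)

/* The policy: CF clear is a failure, and so is a "successful" zero. A genuine zero is a
 * 2^-32 (or 2^-64) event, so rejecting it costs nothing measurable; the erratum does. */
int rdseed_result_trustworthy(int carry, uint64_t value) {
    return carry && value != 0;
}
/* Preferred path: the unaffected 64-bit form, retried a bounded number of times
 * (RDSEED legitimately reports CF=0 when its entropy source is drained). */
int rdseed64_checked(uint64_t *out, int max_tries) {
    for (int i = 0; i < max_tries; i++) {
        uint64_t v;
        int cf = rdseed64_raw(&v);           /* two statements: argument order is unspecified in C */
        if (rdseed_result_trustworthy(cf, v)) { *out = v; return 1; }
    }
    return 0;
}
/* Probe: count 32-bit results that are zero *with* CF set, the reproducer's signal.
 * Expected 0 on healthy or patched parts; trivially 0 where RDSEED is absent. */
long probe_rdseed32_zero_success(long iterations) {
    long bad = 0;
    for (long i = 0; i < iterations; i++) {
        uint32_t v;
        if (rdseed32_raw(&v) && v == 0) bad++;
    }
    return bad;
}
/* Seed material for a DRBG: 64-bit RDSEED first, /dev/urandom for whatever is left. */
int fill_seed(uint8_t *buf, size_t n) {
    size_t off = 0;
    while (off < n) {
        uint64_t v;
        if (!rdseed64_checked(&v, 16)) break;   /* no hardware, or it gave up */
        size_t take = (n - off < 8) ? n - off : 8;
        memcpy(buf + off, &v, take);
        off += take;
    }
    if (off == n) return 1;
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return 0;
    size_t got = fread(buf + off, 1, n - off, f);
    fclose(f);
    return got == n - off;
}
/* Sanity check: a 32-byte seed must be obtainable and must not be all zero. */
int seed_self_check(void) {
    uint8_t buf[32] = {0}, acc = 0;
    if (!fill_seed(buf, sizeof buf)) return 0;
    for (size_t i = 0; i < sizeof buf; i++) acc |= buf[i];
    return acc != 0;
}
int main(void) {
    printf("RDSEED advertised: %d, AMD family 1Ah: %d\n", cpu_has_rdseed(), cpu_is_amd_family_1ah());
    printf("32-bit zero-with-CF results in 200000 calls: %ld\n", probe_rdseed32_zero_success(200000));
    printf("seed self-check: %s\n", seed_self_check() ? "ok" : "FAILED");
    return 0;
}
```

On a patched or non-Zen 5 machine the probe should report 0. A non-zero count on a Zen 5 box is the erratum showing itself, and the right response is a BIOS update, not a bigger retry budget. Rejecting zeros catches this specific failure mode only; it is not a general health test for a hardware RNG, and production code should still mix the result into a DRBG rather than use it raw.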

Does this change the Zen 5 value story

In the short term, it is more of a reputational dent than a reason to jump platform. Zen 5 still lands well on performance, efficiency and AM5 longevity. Most desktop users will never see a real world exploit tied to AMD-SB-7055, especially once BIOS updates land. On the data center side it is more sensitive, since a lot of high value keys live on those machines, but EPYC tends to get patches fastest and operators are used to treating microcode updates as part of life.

The more interesting point is pattern, not panic. Zen 5 arrives after a run of CPU side channel and random number generator issues across multiple vendors. From a security point of view, RDSEED and similar instructions are now high value targets in their own right. Vendors need tighter validation, and software stacks should treat hardware RNG as fallible rather than sacred. Zen 5’s first bug is a painful reminder of that.

Bottom line for PC hardware people

If you are sitting there with a brand new Ryzen 9 9950X build, the answer is not to rip it out. The answer is boring. Keep your board BIOS updated, keep your OS patched, and let the mitigations land. The platform is still strong, AM5 is still a sane long term bet, and the performance numbers that made you pick Zen 5 have not changed.

What has changed is the awareness that even the latest flagship core can ship with a random number generator that is not as random as it should be. For anyone who lives at the pointy end of crypto, that is a cue to review assumptions. For the rest of us, it is another chapter in the long story of “no, your CPU is not magic, keep the firmware up to date.”
