CVE-2025-62626

NameCVE-2025-62626
DescriptionImproper handling of insufficient entropy in the AMD CPUs could allow a local attacker to influence the values returned by the RDSEED instruction, potentially resulting in the consumption of insufficiently random values.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1120005

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
amd64-microcode (PTS)bullseye/non-free3.20240820.1~deb11u1vulnerable
bullseye/non-free (security)3.20250311.1~deb11u1vulnerable
bookworm/non-free-firmware3.20250311.1~deb12u1vulnerable
bookworm/non-free-firmware (security)3.20230719.1~deb12u1vulnerable
forky/non-free-firmware, sid/non-free-firmware, trixie/non-free-firmware3.20250311.1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
amd64-microcodesource(unstable)(unfixed)1120005

Notes

[trixie] - amd64-microcode <ignored> (Only affects AMD Zen 5 processors, limited support; problematic microcode update)
[bookworm] - amd64-microcode <ignored> (Only affects AMD Zen 5 processors, limited support; problematic microcode update)
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7055.html
Workaround in Linux kernel by diabling RDSEED on AMD Zen 5 Turin:
https://lore.kernel.org/lkml/20251016182107.3496116-1-gourry@gourry.net/
https://gitlab.com/kernel-firmware/linux-firmware/-/commit/e637542fa8b9e0a88b0b2885072eea7df3737969
https://gitlab.com/kernel-firmware/linux-firmware/-/commit/646d97f5320d0f9038be6c5b9927305cafb0c1d7
Mitigations on Linux side: https://bugs.debian.org/1120972
Search for package or bug name: Reporting problems