In context: When they were first revealed in 2018, the Spectre and Meltdown CPU vulnerabilities primarily targeted Intel and some non-x86 processors. Now, AMD has identified new potential attack vectors that affect a wide range of its own CPUs, and they appear to be exclusive to AMD hardware.
AMD researchers have disclosed four new security vulnerabilities affecting the company's processors, warning that they could potentially be exploited through two distinct transient scheduler attacks.
According to AMD's advisory, these attacks involve the execution timing of x86 instructions under specific microarchitectural conditions. In practice, the flaws could be abused to leak sensitive data, similar to how Spectre and Meltdown operated in the past.
The vulnerabilities are tracked as CVE-2024-36350, CVE-2024-36357, CVE-2024-36348, and CVE-2024-36349. The first two are rated as "medium" severity, while the latter two are considered "low" severity. AMD emphasizes that these flaws pose limited risk, as they are extremely complex to exploit and require local access to the targeted system.
According to AMD, TSA vulnerabilities cannot be triggered remotely (e.g., via a web browser) and would need to be executed repeatedly to extract meaningful data. The company believes TSA is only viable if an attacker can run a malicious application or virtual machine on a physical device. In a worst-case scenario, the flaws could expose data from the operating system kernel – information that could, at least in theory, be leveraged to escalate privileges, install persistent malware, or carry out further attacks.
AMD discovered the TSA vulnerabilities while investigating a Microsoft report concerning microarchitectural data leaks. Mitigation efforts require a combination of updated microcode and operating system or hypervisor-level patches. One of the proposed mitigation strategies – frequent execution of the VERW instruction – may have a performance impact, prompting AMD to advise system administrators to assess whether it's necessary for their specific environments.
The company has already released new firmware updates to OEM partners to address the two medium-severity vulnerabilities. However, no patches are currently planned for the two lower-severity issues. Operating system vendors – primarily Microsoft – are expected to release additional updates to fully address the flaws.
Although AMD maintains that the risk posed by TSA is relatively low, the sheer breadth of affected hardware could be concerning for both consumers and enterprise users. The vulnerabilities were successfully demonstrated on EPYC, Ryzen, Instinct, and even older Athlon processors.
In short: the risk is small but the reach is wide, so patch accordingly.