VSA-2025-009: RDSEED Failure on AMD "Zen5"
| Published | Updated | Severity | CVSS 4.0 | Affected products |
|---|---|---|---|---|
| 2025-12-18 | 2025-12-18 | Low | Not available yet | - XCP-ng 8.3 |
A bug affecting AMD "Zen 5" processors has been disclosed. For Vates products, we classify the impact as Low, because the majority of RDSEED requests use the 64-bit operand size. For details on how we assign severity levels, see our Severity Levels Explained page.
Summary
AMD was notified of a bug in "Zen 5" processors that may cause the RDSEED instruction to return 0 at a rate inconsistent with randomness while still signalling success (CF=1), so a failed read can be misclassified as a successful one.
Impact
RDSEED may return the value 0 when used with a 16- or 32-bit operand, which could weaken cryptographic operations and compromise their integrity. The Xen hypervisor itself is not affected, but dom0 (XCP-ng's control plane) and domU (your VMs) could be.
Affected Versions
- XCP-ng 8.3: Affected.
Mitigation
The updated microcode package is provided as a convenience to help mitigate hardware vulnerabilities and other bugs. Updating your hardware's firmware remains the preferred way to update microcode, and any newer microcode found in the firmware takes precedence over the microcode shipped in XCP-ng.
We released an updated version of amd-microcode (20251203-1.1), which includes the new microcode. Note that not all affected processors may be covered; refer to the AMD Security Bulletin in the References section for the list of processors with available updates.
This microcode update has two prerequisites; please read them carefully before applying the update:
- Your system firmware must support the Entrysign fix described in AMD-SB-7033. Without it, loading this microcode update may fail or trigger a General Protection fault, depending on your system.
- Loading the new microcode format requires an updated Xen package, available from xen version 4.17.5-23.1 onward.
Therefore, your system firmware must be recent enough (November or December 2024), and Xen must be updated before, or at the same time as, amd-microcode.
Resolution
The recommended solution is to apply a firmware update from your hardware vendor that includes the fix for this issue.
Credits
This issue was discovered by Gregory Price of Meta. We also want to thank Andrew Cooper of XenServer for his support on this issue.