Tavis Ormandy, a Google security researcher, found the flaw and notified AMD about it on May 15. He has just made it public, and based on the length of time it took Tom’s Hardware to reach out to AMD for a reaction, it appears that AMD wasn’t quite ready for the announcement. The flaw affects all Epyc data center CPUs and Zen 2 processors from the 3000/4000/5000 family, including Threadripper 3000.
According to AMD’s security alert, a register in “Zen 2” CPUs may not be written to 0 correctly under specific microarchitectural conditions. This could result in data from another process or thread being stored in the YMM register, giving an attacker access to potentially sensitive data.
Due to the vulnerability, an attacker may be able to gather private information from a Zen 2 CPU at a rate of 30 kilobytes per core, per second, from any software that is currently running on the CPU. This includes local programmes, virtual machines, and cloud instances. Encryption keys and user login information are examples of data that could be compromised.
Although it sounds terrible, AMD only rates this threat as “medium” in its security alert regarding the vulnerability. That may be because AMD informed Tom’s Hardware that it has not heard of this flaw being exploited anywhere other than a research environment.