AMD and Google’s Security Team have disclosed a major microcode vulnerability affecting all AMD EPYC processors built on the Zen 1 through Zen 4 architectures. That means EPYC 7001 (Naples), 7002 (Rome), 7003 (Milan), and 8004/9004 (Genoa/Bergamo/Siena) series chips are all impacted. The vulnerability, assigned CVE-2024-56161 with a CVSS severity score of 7.2, stems from a Microcode Signature Verification flaw that could allow attackers to execute malicious microcode on affected CPUs.
Importantly, AMD’s announcement does not mention any impact on consumer Ryzen CPUs, including desktop and laptop processors, as well as PRO and Threadripper models. As of now, only EPYC server processors appear affected, but given AMD’s history with security flaws—such as the Ryzenfall vulnerabilities from 2018, which similarly targeted firmware integrity—it’s understandable that users might be wary. Whether this issue has any broader implications for AMD’s consumer lineup remains to be seen.
Google plans to release additional details about the exploit on March 5, but a proof-of-concept payload is already available on the Google Security Team GitHub page. AMD has also published its own security advisory, listing all affected processors and detailing the required mitigation steps, which involve updating microcode and firmware. Users and administrators should apply the latest patches as soon as possible. More information can be found on AMD’s official security page here.