Bug#1120972: linux: CVE-2025-62626
Source: linux
Severity: important
Tags: patch upstream
Dear Maintainer,
CVE-2025-62626 (AKA AMD-SB-7055) is a vulnerability in the instruction RDSEED's 16-bit and 32-bit returns. It affects AMD Zen 5 hardware.
As there are coordinations needed from both linux-firmware and linux I wanted to provide a comprehensive overview of everything.
[Some of these kernel patches are already landed in Debian - just want you to have the whole picture.]
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7055.html
There are multiple things that need to be done about this vulnerability.
1) Updated linux-firmware microcode has been upstreamed for Zen5 hardware. This affects both client and datacenter hardware.
https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/?id=6167e5566900cf236f7a69704e8f4c441bc7212a
2) A mitigation has been put in place in the kernel for when there is NOT an updated microcode available. This disables the advertisement of the RDSEED instruction to userspace and prevents it's use in the kernel. As there is no feature flag for 16, 32 and 64 it unfortunately disables all of them.
https://git.kernel.org/torvalds/c/607b9fb2ce248
https://git.kernel.org/torvalds/c/f1fdffe0afea0
3) Additional models need to be added to entry sign checking. In order to apply the fix for rdseed the base information for entry sign must be present.
https://git.kernel.org/torvalds/c/8a9fb5129e8e6
https://git.kernel.org/torvalds/c/d23550efc6800
https://git.kernel.org/torvalds/c/dd14022a7ce96
4) Allow client systems to use RDSEED.
https://git.kernel.org/torvalds/c/e1a97a627cd01
Reply to: