Bug#1120972: linux: CVE-2025-62626
Control: found -1 6.12.57-1
Control: found -1 6.17.7-1
Control: fixed -1 6.18~rc6-1~exp1
Hi Mario,
On Tue, Nov 18, 2025 at 04:01:09PM -0600, Mario Limonciello wrote:
> Source: linux
> Severity: important
> Tags: patch upstream
>
> Dear Maintainer,
>
> CVE-2025-62626 (AKA AMD-SB-7055) is a vulnerability in the
> instruction RDSEED's 16-bit and 32-bit returns. It affects AMD Zen 5
> hardware. As there are coordinations needed from both
> linux-firmware and linux I wanted to provide a comprehensive
> overview of everything. [Some of these kernel patches are already
> landed in Debian - just want you to have the whole picture.]
Thank you indeed, yes we are aware (and usually I would ask to not file
explicit CVE bugs for src:linux, we have a separate tracking for that,
but here the CVE is more associated with amd64-microcode, cf.
#1120005, and mitigations exist in the Linux kernel, this is my
understanding so I have slightly redacted the subject).

We follow stable series of upstream Linux in Debian so as long as it is
guaranteed fixes land in the needed stable series we are done.

Here is a summary though of where we stand:
> https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7055.html
>
> There are multiple things that need to be done about this vulnerability.
>
> 1) Updated linux-firmware microcode has been upstreamed for Zen5 hardware. This affects both client and datacenter hardware.
>
> https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/?id=6167e5566900cf236f7a69704e8f4c441bc7212a
This is to be tracked in #1120005.
>
> 2) A mitigation has been put in place in the kernel for when there is NOT an updated microcode available. This disables the advertisement of the RDSEED instruction to userspace and prevents its use in the kernel. As there is no feature flag for 16, 32 and 64 it unfortunately disables all of them.
>
> https://git.kernel.org/torvalds/c/607b9fb2ce248
In 6.18-rc4 (and backported to 6.12.58 and 6.17.8).
> https://git.kernel.org/torvalds/c/f1fdffe0afea0
In 6.18-rc5 (and already backported to 6.17.8).
> 3) Additional models need to be added to entry sign checking. In order to apply the fix for rdseed the base information for entry sign must be present.
>
> https://git.kernel.org/torvalds/c/8a9fb5129e8e6
In 6.18-rc4 (not yet backported/released in stable series).
> https://git.kernel.org/torvalds/c/d23550efc6800
In 6.18-rc5 (already released as well in 6.12.58 and 6.17.8)
> https://git.kernel.org/torvalds/c/dd14022a7ce96
In 6.18-rc6 (but not yet in released stable series)
>
> 4) Allow client systems to use RDSEED.
>
> https://git.kernel.org/torvalds/c/e1a97a627cd01
In 6.18-rc6 (but not yet in released stable series).
I assume where needed you are making sure Greg or Sasha are picking up
the needed changes for the stable series?
Regards,
Salvatore
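
Added example, not part of the thread and not code from AMD, the kernel or Debian: a shell check for item 2 above, reporting from /proc/cpuinfo-format text whether a Zen 5 CPU still advertises RDSEED. It assumes Zen 5 appears as vendor_id AuthenticAMD with cpu family 26 (0x1a); the function names, the sample input and its microcode value are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a Zen 5 CPU still
# advertises RDSEED, reading /proc/cpuinfo-format text.
# Assumption: Zen 5 shows up as vendor_id AuthenticAMD, cpu family 26 (0x1a).

rdseed_state() {
    # $1: cpuinfo-format file ("-" for stdin); defaults to /proc/cpuinfo
    awk -F'[ \t]*:[ \t]*' '
        /^$/               { exit }            # only inspect the first CPU block
        $1 == "vendor_id"  { vendor = $2 }
        $1 == "cpu family" { family = $2 }
        $1 == "microcode"  { ucode = $2 }
        # whole-word match so that e.g. "rdrand" never counts as "rdseed"
        $1 == "flags"      { if ((" " $2 " ") ~ / rdseed /) rdseed = 1 }
        END {
            if (vendor != "AuthenticAMD" || family + 0 != 26) {
                print "not-zen5"
            } else if (rdseed) {
                # Either microcode is fixed or the kernel lacks the mitigation:
                # compare the revision with the table in AMD-SB-7055.
                print "zen5 rdseed-advertised microcode=" ucode
            } else {
                # Consistent with the kernel mitigation hiding the instruction.
                print "zen5 rdseed-hidden microcode=" ucode
            }
        }
    ' "${1:-/proc/cpuinfo}"
}

# Constructed sample input; the microcode revision is a placeholder.
sample_cpuinfo() {
    # $1: cpu family, $2: flags string
    printf 'processor\t: 0\nvendor_id\t: AuthenticAMD\ncpu family\t: %s\n' "$1"
    printf 'microcode\t: 0x0000000\nflags\t\t: %s\n\n' "$2"
}

# Demo on constructed input: prints "zen5 rdseed-hidden microcode=0x0000000"
sample_cpuinfo 26 "fpu rdrand adx" | rdseed_state -
```

Run `rdseed_state` with no argument on a real host; an "rdseed-advertised" result still needs the microcode revision checked against the bulletin, since the flag alone cannot tell a fixed system from an unmitigated one.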