A new vulnerability has been discovered in AMD’s Zen 2 processors—one that allows data like passwords and encryption keys to be stolen from the CPU. Disclosed publicly this week by Google security researcher Tavis Ormandy, this bug affects consumer chips as well as server, including Ryzen 3000 series parts.

As detailed by Ormandy in a post, this “Zenbleed” vulnerability was first shared with AMD back in mid-May. It can be used to execute code through Javascript on a webpage—no physical access is needed for an affected PC. And if exploited successfully, Zenbleed allows attackers to see any CPU operation, including those happening in sandboxes or virtual machines. (You can catch the full technical rundown in Ormandy’s post, or a more summarized version in this Tom’s Hardware report.) All Zen 2 processors in the following processor families are affected:

AMD Ryzen 3000 Series ProcessorsAMD Ryzen PRO 3000 Series ProcessorsAMD Ryzen Threadripper 3000 Series ProcessorsAMD Ryzen 4000 Series Processors with Radeon GraphicsAMD Ryzen PRO 4000 Series ProcessorsAMD Ryzen 5000 Series Processors with Radeon GraphicsAMD Ryzen 7020 Series Processors with Radeon GraphicsAMD EPYC “Rome” Processors

At this time, AMD has only released a microcode update for 2nd-generation EPYC server CPUs, along with a security advisory explaining the vulnerability (which was filed as CVE-2023-20593) and its release schedule for mitigations.

For consumers, a fix will be funneled through original equipment manufacturers (e.g., Dell or HP for pre-built PCs and laptops, and motherboard manufacturers for DIY PC builds), with arrival dates set for later this year. Threadripper 3000 parts are first up for the new AGESA firmware in October, followed by Ryzen 4000 mobile processors in November. For Ryzen 3000 and 4000 desktop CPUs, as well as Ryzen 5000 and 7020 mobile processors, the target is December 2023.

If you don’t want to wait for AMD, Ormandy explains how to make a software tweak as a workaround—although its impact on performance is unknown. The effect of AMD’s official fixes on performance is also not known currently, though in a statement to Tom’s Hardware, AMD described it as dependent on workload and PC configuration.

In any case, if you own a Zen 2 CPU, you’ll want to put a reminder on your calendar to check for this mitigation. Applying it promptly will be important for your online security.

This article was updated on 7/24/2023 at 3:30pm to include details about AMD’s plans for Zenbleed mitigation and firmware update schedule.

Author: Alaina Yee, Senior Editor

Alaina Yee is PCWorld’s resident bargain hunter—when she’s not covering software, PC building, and more, she’s scouring for the best tech deals. Previously her work has appeared in PC Gamer, IGN, Maximum PC, and Official Xbox Magazine. You can find her on Twitter at @morphingball.

Recent stories by Alaina Yee:

Apple’s unfixable CPU exploit: 3 practical security takeawaysIntel Core i7-14700K and Core i9-14900K review: More features, mild speed bumpThe best CPUs for gaming 2023: Top picks in all price categories