Compliance Impact

CVE-2025-54505 is a low-severity transient execution vulnerability that may allow a local, user-privileged attacker to leak data via the floating point divisor unit, potentially resulting in loss of confidentiality.

While the vulnerability involves potential data leakage, AMD assesses the real-world risk as limited due to the constrained nature of the leaked data and the infrequent use of floating-point operations in privileged code.

There is no specific information provided about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Executive Summary

CVE-2025-54505 is a transient execution vulnerability found in multiple generations of AMD CPUs, specifically involving the floating-point divisor unit.

This flaw, called Floating Point Divider State Sampling (FP-DSS), allows a local user with some privileges to potentially leak sensitive data by exploiting transient execution behaviors in the floating-point divider hardware.

The vulnerability affects systems regardless of whether Simultaneous Multithreading (SMT) is enabled.

AMD considers the real-world risk limited because the leaked data is constrained and floating-point operations are infrequently used in privileged code.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability may allow a local user with some privileges to leak sensitive data from the CPU's floating-point divisor unit.

Such data leakage could result in a loss of confidentiality of information processed by affected AMD CPUs.

However, the overall impact is considered low due to the limited nature of the leaked data and the low frequency of floating-point operations in privileged code.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability is a transient execution flaw affecting the floating-point divisor unit in certain AMD CPUs and is exploitable only by a local, user-privileged attacker. Detection typically involves checking if the system is running an affected AMD processor generation such as Zen or Zen+ architectures (e.g., AMD EPYC 7001 Series, Ryzen 3000 Series).

Since the vulnerability is hardware-based and local, network-based detection is not applicable. Detection commands would focus on identifying the CPU model and checking if the mitigation bit in the Model-Specific Register (MSR) C001_1028 is set.

• Use commands like `lscpu` or `cat /proc/cpuinfo` on Linux to identify the CPU model.
• Check the MSR register bit 9 of C001_1028 to verify if the mitigation is enabled. This can be done using tools like `rdmsr` and `wrmsr` from the msr-tools package.
• Example command to read the MSR register: `rdmsr -p <cpu> 0xC0011028` and check if bit 9 is set to 1.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability on affected AMD Zen and Zen+ processors, the recommended immediate step is to enable the mitigation at the operating system level by setting bit 9 of the Model-Specific Register (MSR) C001_1028 to 1.

AMD is working with Linux maintainers to integrate this mitigation, so applying the latest OS patches or updates from your operating system vendor is advised.

• Check for and apply any available OS-level patches or updates that address CVE-2025-54505.
• Manually set bit 9 of MSR C001_1028 to 1 using msr-tools if patches are not yet available.
• Limit local user access to systems with affected CPUs to reduce risk, as the attack requires local user privileges.

Useful 0 Not Useful 0