
Semiconductor giant AMD has issued a security advisory about a new class of speculative execution vulnerabilities known as Transient Scheduler Attacks (TSA). These flaws impact a wide range of AMD processors and, if exploited, could allow attackers to leak sensitive data from CPU memory.
These vulnerabilities are similar in nature to earlier speculative attacks like Meltdown, Spectre, and Foreshadow, but with different exploitation techniques.
TSA represents a speculative side-channel attack that takes advantage of how modern CPUs process instructions before they’re finalized. Under certain microarchitectural conditions, a CPU may incorrectly assume that an instruction has completed when it hasn’t — a state known as false completion.
This causes dependent instructions to execute using invalid data, which can then affect the timing of future operations. These timing differences can be measured by an attacker to infer sensitive information, such as data from the operating system kernel or other user applications.
AMD has worked closely with researchers from Microsoft and ETH Zurich, who disclosed these flaws responsibly in June 2024. The TSA issues have been assigned the following Common Vulnerabilities and Exposures (CVEs):
CVE-2024-36350 (CVSS 5.6): Allows data leakage from previous stores.
CVE-2024-36357 (CVSS 5.6): May leak data across privileged boundaries via the L1 data cache.
CVE-2024-36348 (CVSS 3.8): May allow speculative reading of control registers despite UMIP being enabled.
CVE-2024-36349 (CVSS 3.8): May expose TSC_AUX register values even when reads are disabled.
While the CVSS scores suggest moderate severity, the risk increases significantly in environments like cloud servers or shared systems where attackers might already have partial access.
AMD has confirmed that many of its popular Ryzen and EPYC processors are impacted. This includes:
Ryzen 5000, 6000, 7000, 8000 series (both desktop and mobile versions)
EPYC 3rd Gen and 4th Gen, including embedded versions
AMD Instinct MI300A
Ryzen Threadripper PRO 7000 WX-Series
AMD Ryzen Embedded V3000, 5000, 7000
If you’re using any of these CPUs, it’s critical to apply firmware or microcode updates provided by AMD and your device manufacturer.
AMD has identified two main variants of the TSA vulnerabilities:
TSA-L1: Exploits errors in how the L1 data cache uses microtags during lookups. This can allow attackers to leak data that resides in the L1 cache.
TSA-SQ: Occurs when a CPU retrieves outdated or invalid data from the store queue, exposing previous data written by other instructions.
In both cases, an attacker can infer data processed by a different application, virtual machine, or even the operating system kernel. These flaws could be abused in multi-tenant cloud environments or shared enterprise systems.

While TSA vulnerabilities pose serious privacy risks, exploiting them is not trivial. AMD states that an attacker must:
Have local access to the system.
Be able to run arbitrary code on the targeted CPU.
Repeatedly create conditions for “false completion” to leak data.
These requirements make drive-by browser attacks or remote exploits unlikely, but the threat becomes more plausible if an attacker already has a foothold in the system — for example, through malware or a compromised user account.
AMD has released microcode patches to mitigate these TSA vulnerabilities. These updates are being made available through BIOS updates or firmware updates provided by device vendors.
Users and organizations should take the following actions:
Check your system model against the list of affected processors.
Update your system BIOS or firmware as soon as patches are available.
Apply the latest operating system updates, especially for Linux and Windows systems that rely heavily on virtualization and process isolation.
Monitor your cloud environments, especially if they run on shared AMD infrastructure.
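On a Linux host, the first check above can be scripted. This is an added example, not code from AMD or from the original article: it matches the /proc/cpuinfo model name against the product lines listed earlier and reports the loaded microcode revision and the kernel's own TSA status. The model-name regexes, the function names and the "tsa" sysfs file name are assumptions of this example.

```python
import re
from pathlib import Path

# Product lines from the article's affected list. The regexes over the
# /proc/cpuinfo "model name" string are this example's assumption about
# AMD marketing names, so a match is triage, not a verdict.
AFFECTED = [
    ("Ryzen Threadripper PRO 7000 WX-Series", r"Threadripper PRO 7\d{3}WX"),
    ("Ryzen Embedded V3000/5000/7000", r"Ryzen Embedded (V3|5|7)\w{3}"),
    ("Ryzen 5000/6000/7000/8000 series", r"Ryzen \d (PRO )?[5-8]\d{3}"),
    ("EPYC 3rd Gen", r"EPYC (Embedded )?7\w{2}3"),
    ("EPYC 4th Gen", r"EPYC (Embedded )?[89]\w{2}4"),
    ("AMD Instinct MI300A", r"MI300A"),
]

def parse_cpuinfo(text):
    """Return the fields of the first processor stanza in cpuinfo text."""
    fields = {}
    for line in text.strip().split("\n\n")[0].splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def triage(cpuinfo_text, vuln_dir="/sys/devices/system/cpu/vulnerabilities"):
    """Summarise what the host says about itself; None means unknown."""
    cpu = parse_cpuinfo(cpuinfo_text)
    name = cpu.get("model name", "")
    family = None
    if cpu.get("vendor_id") == "AuthenticAMD":
        family = next((label for label, rx in AFFECTED if re.search(rx, name)), None)
    # Assumption: kernels with TSA support report status in a "tsa" file here;
    # older kernels have no such file, which means "unknown", not "safe".
    status_file = Path(vuln_dir) / "tsa"
    status = status_file.read_text().strip() if status_file.is_file() else None
    return {"model": name, "listed_family": family,
            "microcode": cpu.get("microcode"), "kernel_tsa_status": status}

if __name__ == "__main__":
    report = triage(Path("/proc/cpuinfo").read_text())
    for key, value in report.items():
        print(f"{key}: {value if value is not None else 'unknown'}")
```

Compare the reported microcode revision with the fixed revision in your device vendor's advisory; this article does not list one.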
The discovery of Transient Scheduler Attacks once again highlights the ongoing challenges in CPU-level security. As processors become faster and more complex, attackers continue to find clever ways to exploit their inner workings. While AMD has acted quickly to patch the vulnerabilities, ongoing vigilance and timely updates are crucial for maintaining system security.
These vulnerabilities underscore the need for strong isolation between applications and the operating system, especially in enterprise and cloud environments.