AMD Discloses New CPU Vulnerabilities in Transient Scheduler Attacks
AMD has issued a warning about a newly discovered class of microarchitectural vulnerabilities, dubbed Transient Scheduler Attacks (TSA), that affect a broad range of its processors, including desktop, mobile, and server chips. These flaws arise from speculative scheduling behavior within the CPU, where timing differences during instruction execution can allow attackers to infer sensitive data from other processes or privilege levels.
The vulnerabilities were identified following collaborative research with academic and industry partners who examined speculative execution and isolation boundaries in modern CPUs. The issues are tracked under four distinct entries, each rated between low to medium severity based on Common Vulnerability Scoring System (CVSS) metrics. Two of the more serious variants may enable attackers to leak privileged information, such as kernel data, by observing timing patterns associated with instruction sequences. The remaining two are considered less critical, although they could still expose internal register or timestamp information.
AMD emphasizes that exploitation of these TSA vulnerabilities requires a high level of access—typically the ability to run arbitrary code on the targeted system. In real-world scenarios, this could occur via malware infections, implanted virtual machines, or other local access methods. This complexity contributes to the company’s lower severity ratings, but security firms have cautioned that in high-threat enterprise environments, these flaws could present significant risks even at lower technical ratings.
In response, AMD has begun rolling out microcode updates via BIOS/firmware channels, targeting a long list of affected processors—from third- and fourth-generation EPYC server chips and Ryzen desktop/mobile CPUs to specialized Instinct accelerator and Threadripper processors. Some platforms also require operating system patches or configuration changes to fully mitigate the timing side channels. For those unable to apply updates immediately, AMD acknowledges potential workarounds involving low-level instructions, though these may impact system performance.
Security teams are urged to coordinate with hardware vendors, system integrators, and OS providers to ensure that all mitigation layers—firmware, microcode, and software updates—are fully deployed. Though there is no evidence of active exploitation so far, and attacks would likely require extensive repetition to yield meaningful data, the parallels to past speculative execution flaws like Spectre and Meltdown underline the importance of prompt and comprehensive patching to safeguard sensitive data.