AMD has revealed four new vulnerabilities that "may affect" some of its Zen-based processors. The company published documentation about the vulnerabilities on its website and a lengthy list of the affected processors. The company is pushing out new AGESA code to motherboard manufacturers so they can apply it to new BIOSes. If your CPU is on the list, you should see if an updated BIOS is available.
The newly revealed vulnerabilities could affect a wide range of AMD's Zen processors, spanning the original Zen CPUs up to the current Zen 4 Ryzen 7000 chips. In its announcement, AMD says researchers discovered the vulnerabilities, and AMD has now assessed them and issued mitigation guidelines. The company believes some of the findings were based on computers using outdated firmware or software. As always, people need to update their software, operating system, and firmware as often as possible to avoid these situations.
The information included in the security update describes each of the vulnerabilities. Though each bug is slightly different, they are all related to the Serial Peripheral Interface (SPI) that connects the CPU to the flash chip on the motherboard. AMD says the vulnerabilities could allow a person to run arbitrary code on a system (yikes), perform a denial of service attack, or escalate privileges on compromised systems. The CPUs affected span AMD's entire range of processors from Epyc data center chips to Ryzen mobile CPUs.
Regarding who will be getting updates and when, it's hard to say right now. AMD has to issue new code to motherboard companies, and they have to turn that into a new BIOS, which can take some time. As Tom's Hardware notes, AM5 boards look to be patched for all four vulnerabilities, and AMD's latest Threadripper chips also seem safe. However, some older sockets like AM4 boards are not yet offering a new BIOS with the updated AGESA code, which hints at AMD's priorities when mitigating these vulnerabilities.
