AMD responds to ETH Zurich researchers’ technical findings (11th Aug 2025)

Preface: The AMD K10 architecture, first launched in 2007, is not considered valid for modern computing needs. While it was a significant step in AMD's processor development, it has been superseded by newer architectures such as Zen, which offer significant performance and efficiency improvements.

Background: The “AMD Zen stack engine” generally refers to the AMD Zen microarchitecture and its various generations used in AMD processors. Zen utilizes a modular structure, with the basic building block being the CPU Complex (CCX). Each CCX contains multiple cores (e.g., four cores in early Zen generations) that share a large L3 cache.

Technical details: The stack engine is a front-end feature that keeps a speculative stack address delta register, updated directly by push/pop instructions. That delta is dispatched together with the stack memory uop and is added to the original stack address register during address generation in the load/store units.

The stack engine is not predictive in nature and as such does not open up new transient execution windows. However, it might still leak information under speculation. The following two main scenarios were analyzed:

First, researchers from ETH Zurich checked whether the stack engine offset is reset when the CPU corrects a branch misprediction. We find that the offset is reset to zero on Zen 3-4, while Zen 5 appears to retain an offset. We were not able to conclusively determine the effect on the other architectures due to excessive noise introduced by the misspeculation.

Second, researchers from ETH Zurich aimed to detect stack engine sync operations that occur only on the speculative path and are later squashed. Using performance monitor counters (PMCs), we confirm that sync operations are indeed also observable under transient execution on Zen 3-5. An attacker might theoretically combine this behavior with a classical indirect branch target injection to build a call-depth disclosure gadget in a cross-thread attack. However, we note that such an attack would only slightly expand the capabilities of a cross-thread attacker.

Workaround: AMD continues to recommend that software developers employ existing best practices, including constant-time algorithms and avoiding secret-dependent data accesses or control flows, to help mitigate the potential vulnerability.
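The workaround above is stated in general terms, so here is a concrete illustration of what "constant-time" and "no secret-dependent data access or control flow" look like in code. This is an added example written for this page, not code from AMD or from the ETH Zurich researchers; the function names (`compare_leaky`, `compare_ct`, `select_ct`, `lookup_ct`) are my own. It places a comparison that exits early on the first mismatching byte (whose branch pattern and iteration count depend on the secret) beside a version that always walks every byte, and shows a branchless select and a table lookup that touches every entry so the memory access pattern does not depend on the secret index.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Variable-time comparison (the pattern to avoid): returns at the first
 * mismatching byte, so the number of iterations and the taken/not-taken
 * branch pattern depend on the secret. Kept only as the "before" form. */
int compare_leaky(const uint8_t *secret, const uint8_t *guess, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (secret[i] != guess[i])
            return 0;
    }
    return 1;
}

/* Constant-time comparison: always processes all n bytes and folds the
 * differences together with OR; neither a branch nor a memory address
 * depends on the data. Returns 1 when equal, 0 otherwise. */
int compare_ct(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    /* (diff - 1) borrows into the high bits only when diff == 0, so bit 8
     * of the 32-bit result is set exactly when the inputs were equal. */
    return (int)((((uint32_t)diff - 1u) >> 8) & 1u);
}

/* Branchless select: returns a when cond == 1 and b when cond == 0.
 * Replaces "cond ? a : b", which a compiler may emit as a secret-dependent
 * conditional branch. cond must be exactly 0 or 1. */
uint32_t select_ct(uint32_t cond, uint32_t a, uint32_t b) {
    uint32_t mask = 0u - cond;           /* all ones when cond == 1, else 0 */
    return (a & mask) | (b & ~mask);
}

/* Constant-time table lookup: reads every entry and keeps the one whose
 * index equals idx, so the sequence of addresses touched is the same for
 * every idx (idx must be < n). */
uint32_t lookup_ct(const uint32_t *table, size_t n, size_t idx) {
    uint32_t result = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t x = (uint32_t)(i ^ idx);
        /* x | -x has its top bit set for every non-zero x, so eq is 1
         * only when i == idx, computed without a branch. */
        uint32_t eq = 1u ^ ((x | (0u - x)) >> 31);
        result = select_ct(eq, table[i], result);
    }
    return result;
}

int main(void) {
    /* Constructed sample data for demonstration only. */
    const uint8_t secret[4] = {0xDE, 0xAD, 0xBE, 0xEF};
    const uint8_t guess_bad[4] = {0xDE, 0xAD, 0x00, 0xEF};
    const uint32_t table[4] = {10, 20, 30, 40};

    printf("leaky: %d, ct: %d\n",
           compare_leaky(secret, guess_bad, 4), compare_ct(secret, guess_bad, 4));
    printf("select: %u, lookup: %u\n", select_ct(1, 7, 9), lookup_ct(table, 4, 2));
    return 0;
}
```

One practical caveat: source-level constant-time code is only as good as the machine code the compiler emits. Optimizers can turn a mask-and-select back into a conditional branch or a conditional move into a jump, so the generated assembly for functions like these should be inspected (or checked with a constant-time analysis tool) after every compiler or flag change.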

Official announcement: Please refer to the following link for details: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7045.html
