AMD discloses new CPU flaws that can enable data leaks via timing attacks

AMD has disclosed four new processor vulnerabilities that could allow attackers to steal sensitive data from enterprise systems through timing-based side-channel attacks. The vulnerabilities, designated AMD-SB-7029 and known as Transient Scheduler Attacks, affect a broad range of AMD processors, including data center EPYC chips and enterprise Ryzen processors.

The disclosure has immediately sparked a severity rating controversy, with leading cybersecurity firm CrowdStrike classifying key flaws as “critical” threats despite AMD’s own medium and low severity ratings. This disagreement highlights growing challenges enterprises face when evaluating processor-level security risks.

The company has begun releasing Platform Initialization firmware updates to Original Equipment Manufacturers while coordinating with operating system vendors on comprehensive mitigations.

Timing attacks exploit processor optimization features

The vulnerabilities emerged from AMD’s investigation of a Microsoft research report titled “Enter, Exit, Page Fault, Leak: Testing Isolation Boundaries for Microarchitectural Leaks.” AMD discovered what it calls “transient scheduler attacks related to the execution timing of instructions under specific microarchitectural conditions.”

These attacks exploit “false completions” in processor operations. When a CPU schedules dependent work on the expectation that a load instruction will complete quickly, but microarchitectural conditions prevent the load from actually succeeding, the resulting timing differences can be measured by an attacker and used to extract sensitive information.

“In some cases, an attacker may be able to use this timing information to infer data from other contexts, resulting in information leakage,” AMD stated in its security bulletin.

AMD has identified two distinct attack variants that enterprises must understand. TSA-L1 attacks target errors in how the L1 cache handles microtag lookups, potentially causing incorrect data loading that attackers can detect. TSA-SQ attacks occur when load instructions erroneously retrieve data from the store queue when required data isn’t available, potentially allowing inference of sensitive information from previously executed operations, the bulletin added.

The scope of affected systems presents significant challenges for enterprise patch management teams. Vulnerable processors include 3rd and 4th generation EPYC processors powering cloud and on-premises data center infrastructure, Ryzen series processors deployed across corporate workstation environments, and enterprise mobile processors supporting remote and hybrid work arrangements.

CrowdStrike elevates threat classification despite CVSS scores

While AMD rates the vulnerabilities as medium and low severity based on attack complexity requirements, CrowdStrike has independently classified them as critical enterprise threats. The security firm specifically flagged CVE-2025-36350 and CVE-2025-36357 as “Critical information disclosure vulnerabilities in AMD processors,” despite both carrying CVSS scores of just 5.6.

According to CrowdStrike’s threat assessment, these vulnerabilities “affecting Store Queue and L1 Data Queue respectively, allow authenticated local attackers with low privileges to access sensitive information through transient scheduler attacks without requiring user interaction.”

This assessment reflects enterprise-focused risk evaluation that considers operational realities beyond technical complexity. The combination of low privilege requirements and no user interaction makes these vulnerabilities particularly concerning for environments where attackers may have already gained initial system access through malware, supply chain compromises, or insider threats.

CrowdStrike’s classification methodology appears to weigh the potential for privilege escalation and security mechanism bypass more heavily than the technical prerequisites. In enterprise environments where sophisticated threat actors routinely achieve local system access, the ability to extract kernel-level information without user interaction represents a significant operational risk regardless of the initial attack complexity.

Microsoft coordinates cross-vendor response

According to CrowdStrike, “Microsoft has included these AMD vulnerabilities in the Security Update Guide because their mitigation requires Windows updates. The latest Windows builds enable protections against these vulnerabilities.”

The coordinated response reflects the complexity of modern processor security, where vulnerabilities often require simultaneous updates across firmware, operating systems, and potentially hypervisor layers. Microsoft’s involvement demonstrates how processor-level security flaws increasingly require ecosystem-wide coordination rather than single-vendor solutions.

Both Microsoft and AMD assess exploitation as “Less Likely,” with CrowdStrike noting “there is no evidence of public disclosure or active exploitation at this time.” The security firm compared these flaws to previous “speculative store bypass vulnerabilities” that have affected processors, suggesting established mitigation patterns can be adapted for the new attack vectors.

AMD’s mitigation is delivered through updated Platform Initialization firmware that addresses the timing vulnerabilities at the processor level. Complete protection, however, also requires the corresponding operating system updates, which may carry performance costs for enterprise deployments.

Enterprise implications beyond traditional scoring

The CrowdStrike assessment provides additional context for enterprise security teams navigating the complexity of processor-level vulnerabilities. While traditional CVSS scoring focuses on technical attack vectors, enterprise security firms like CrowdStrike often consider broader operational risks when classifying threats.

The fact that these attacks require only “low privileges” and work “without requiring user interaction” makes them particularly concerning for enterprise environments where attackers may have already gained initial access through other means. CrowdStrike’s critical classification reflects the reality that sophisticated threat actors regularly achieve the local access prerequisites these vulnerabilities require.

Microsoft’s assessment that “there is no known exploit code available anywhere” provides temporary reassurance, but enterprise security history demonstrates that proof-of-concept code often emerges rapidly following vulnerability disclosures.

The TSA vulnerabilities also coincide with broader processor security concerns. Similar to previous side-channel attacks like Spectre and Meltdown, these flaws exploit fundamental CPU optimization features, making them particularly challenging to address without performance trade-offs.

Related reading:

Hardware vulnerabilities: A guide to the threats

12 wide-impact firmware vulnerabilities and threats

Researchers bypass Intel’s Spectre fixes — six years of CPUs at risk
