CVE-2025-54505

Vulnerability

Overview

CVE-2025-54505, also known as Floating Point Divider State Sampling (FPDSS), is a transient execution vulnerability affecting AMD CPUs based on the Zen1 microarchitecture (Fam17h). The root cause lies in the floating point divisor unit, where microarchitectural state can be sampled during transient execution, leaking data that should be isolated between different security contexts [1].

Exploitation

Conditions

Exploitation requires local user-level privileges on a system running a vulnerable AMD Zen1 CPU. The attacker must be able to execute code on the same physical core as the victim context. No special hardware or network access is needed beyond local user access. The vulnerability can be triggered across virtual machine boundaries, as noted in the Xen Security Advisory, where an attacker in one guest may infer data belonging to other guests [1].

Impact

A successful attack allows an unprivileged local attacker to infer sensitive data from other contexts, including other virtual machines or processes. The primary impact is loss of confidentiality, as the attacker can leak data that should be protected by hardware isolation mechanisms. The CVSS score of 3.3 (Low) reflects the requirement for local access and the specific hardware dependency [1].

Mitigation

Status

AMD has acknowledged the issue and provided a security bulletin [1]. Xen has released patches for all supported versions (4.17 through 4.21.x) to mitigate the vulnerability by preventing the sampling of floating point divider state. There are no software-only workarounds; applying the hypervisor patch is the recommended resolution. Systems running other CPU architectures or newer AMD microarchitectures are not believed not affected [1].