Control: found -1 6.12.57-1
Control: found -1 6.17.7-1
Control: fixed -1 6.18~rc6-1~exp1

Hi Mario,

On Tue, Nov 18, 2025 at 04:01:09PM -0600, Mario Limonciello wrote:
> Source: linux
> Severity: important
> Tags: patch upstream
>
> Dear Maintainer,
>
> CVE-2025-62626 (AKA AMD-SB-7055) is a vulnerability in the
> instruction RDSEED's 16-bit and 32-bit returns. It affects AMD Zen 5
> hardware. As there are coordinations needed from both
> linux-firmware and linux I wanted to provide a comprehensive
> overview of everything. [Some of these kernel patches are already
> landed in Debian - just want you to have the whole picture.]

Thank you, indeed, yes we are aware (and usually I would ask to not file
explicit CVE bugs for src:linux, we have a separate tracking for that,
but here the CVE is more associated with amd64-microcode, cf. #1120005,
and mitigations exist in the Linux kernel, this is my understanding, so I
have slightly redacted the subject).

We follow stable series of upstream Linux in Debian, so as long as it is
guaranteed fixes land in the needed stable series we are done.

Here is a summary though of where we stand:

> https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7055.html
>
> There are multiple things that need to be done about this vulnerability.
>
> 1) Updated linux-firmware microcode has been upstreamed for Zen5 hardware.
> This affects both client and datacenter hardware.
>
> https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/?id=6167e5566900cf236f7a69704e8f4c441bc7212a

This is to be tracked in #1120005.

>
> 2) A mitigation has been put in place in the kernel for when there is NOT an
> updated microcode available. This disables the advertisement of the RDSEED
> instruction to userspace and prevents its use in the kernel. As there is no
> feature flag for 16, 32 and 64 it unfortunately disables all of them.
>
> https://git.kernel.org/torvalds/c/607b9fb2ce248

In 6.18-rc4 (and backported to 6.12.58 and 6.17.8).

> https://git.kernel.org/torvalds/c/f1fdffe0afea0

In 6.18-rc5 (and already backported to 6.17.8).

> 3) Additional models need to be added to entry sign checking. In order to
> apply the fix for rdseed the base information for entry sign must be present.
>
> https://git.kernel.org/torvalds/c/8a9fb5129e8e6

In 6.18-rc4 (not yet backported/released in stable series).

> https://git.kernel.org/torvalds/c/d23550efc6800

In 6.18-rc5 (already released as well in 6.12.58 and 6.17.8)

> https://git.kernel.org/torvalds/c/dd14022a7ce96

In 6.18-rc6 (but not yet in released stable series)

>
> 4) Allow client systems to use RDSEED.
>
> https://git.kernel.org/torvalds/c/e1a97a627cd01

In 6.18-rc6 (but not yet in released stable series).

I assume where needed you are making sure Greg or Sasha are picking up
the needed changes for the stable series?

Regards,
Salvatore
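
Added example (not part of the original message or of the kernel patches): a Python check that reads `/proc/cpuinfo` and reports, per AMD Zen 5 CPU, whether the `rdseed` flag is still advertised, which is the userspace-visible effect of the mitigation in item 2. It assumes Zen 5 reports `cpu family` 26 (0x1A); the function names, sample text and microcode placeholder are constructed for illustration.

```python
import re

ZEN5_FAMILY = "26"  # 0x1A; assumption of this example, not stated in the thread

def parse_cpuinfo(text):
    """Split /proc/cpuinfo text into one {key: value} dict per logical CPU."""
    cpus = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            cpus.append(fields)
    return cpus

def rdseed_status(cpu):
    """Classify one logical CPU with respect to the RDSEED mitigation."""
    if cpu.get("vendor_id") != "AuthenticAMD" or cpu.get("cpu family") != ZEN5_FAMILY:
        return "not-zen5"
    # A kernel applying the mitigation clears the feature, so "rdseed"
    # disappears from the flags line; all operand sizes go together.
    flags = cpu.get("flags", "").split()
    return "rdseed-advertised" if "rdseed" in flags else "rdseed-hidden"

def report(text):
    """Return sorted unique (status, microcode revision) pairs over all CPUs."""
    return sorted({(rdseed_status(c), c.get("microcode", "unknown"))
                   for c in parse_cpuinfo(text)})

# Constructed sample input, not output from a real machine.
SAMPLE_HIDDEN = """processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 26
microcode\t: 0xPLACEHOLDER
flags\t\t: fpu sse2 rdrand adx smap

processor\t: 1
vendor_id\t: AuthenticAMD
cpu family\t: 26
microcode\t: 0xPLACEHOLDER
flags\t\t: fpu sse2 rdrand adx smap
"""
SAMPLE_ADVERTISED = SAMPLE_HIDDEN.replace("rdrand adx", "rdrand rdseed adx")

if __name__ == "__main__":
    with open("/proc/cpuinfo") as f:
        for status, microcode in report(f.read()):
            print(f"{status}\tmicrocode={microcode}")
```

A result of `rdseed-advertised` on Zen 5 does not by itself show that the microcode is fixed; compare the reported microcode revision with AMD-SB-7055 and the running kernel with the versions listed above.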

