Report Claims AMD Ryzen, EPYC CPUs Contain 13 Security Flaws

Not open for further replies.


CTS-Labs provided AMD with only a 24-hour notice.
This is extremely shady. What could be the purpose of making such an announcement, except to spread FUD in the market and put the brakes on AMD's sales momentum?

These guys are most likely funded by Intel or individuals with a strong financial stake in Intel.
Covered themselves with that disclaimer big time.

Whilst that's sensible for a firm like CTS (near a necessity), I would say the whole thing has very, very suspicious undertones.

I hope they have good lawyers if they're wrong; bringing ASUS into the mix by name/brand as well is a very risky decision.
Mar 13, 2018
The lack of comprehensive tech detail of these flaws compared to Spectre and Meltdown, even in the white paper, plus the lack of notice to AMD to look into the claim of flaws, sounds fishy to me. It was not released in good faith and the disclaimer of "Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports." speaks for itself. Economic interest. They likely have friends trading the stock and pushing conveniently for a short situation, seems like manipulation. Walks like fake news, talks like fake news...What is it?


Sep 1, 2012
Sounds like a rumor if there has been no evidence or sources listed. And given the short 24 hour notice it makes the whole thing a bit shady. Possibly to manipulate stock prices? Hopefully it's all false, or the vulnerabilities are easy/quick to fix.


There's already a lot out there on debunking these overblown claims.

Interestingly, they registered the domain 19 days ago, so they surely could have started informing AMD of some of the issues back then.

One conjecture I've read is that it could be a simple stock market play - bet on AMD's share price to drop, then release a bunch of bad news.

I hope AMD has some grounds to sue them on the basis of misleading statements.


Jun 29, 2006
Shame on Tom's for not having a huge, bold type, disclaimer at the top of this stating there is no real data to back this up.
Not even their tired 'grain of salt'


Jul 31, 2015
I was like LMAO at this crap....This is pure fud at its best. All they or whoever is paying them to do this wants is AMD stocks to fall and sales drop off as well. Seems a bit timely that this happens just before AMD's new CPU launch/refresh of Ryzen in April. I am thinking Intel or someone that has a stake in Intel is behind this. Problem is the damage is already done because all news sites and tubers will cover this like it is the Holy Gospel and plant the seed of fud into everyone's minds. By the way, if this was true they would have been forced to give AMD the proper amount of time to get their crap together, not this 24 hour crapola...I really hope whoever is behind this gets sued big time and goes to jail.


May 22, 2009
Quote: Possibly to manipulate stock prices?

That is exactly what it was, and from today's headlines for AMD and initial sell off you can see that it worked for a while. But then common sense and analysis showed that this was purely a figment of CTS-Labs' imagination.

The 24 hour notice along with the web site clearly shows the skeeviness of CTS-Labs.
Israel huhh? Does Intel have a division in Israel that developed the Core processor?? Essentially the basis of Intel's modern processors. This is highly suspicious given the amount of time AMD had to respond.


Apr 27, 2013
Need to flash the bios, need a signed driver, need administrator access.....

if you have any of that you already have the keys to the kingdom and have access to everything.

This all seems extremely fishy. 24 hours notice, the domain name, the production videos, media briefing at the same time or possibly before notifying amd, etc, etc. It seems like this was a planned hit piece.

Note I do not excuse security flaws. If there are legit flaws they need to be fixed. However, I'm personally not worried about any flaws that require root access; at that point the battle is already lost.
This doesn't pass the smell test. For something like this the vendor, AMD, should have at least 30 days notice before anything is announced. I put no merit in this at all. It almost feels like something a competitor would do as a back room deal to spread FUD.

EDIT1: The CFO of CTS-Labs is a hedge fund manager... Anyone short a lot of AMD stock today?

EDIT2: Check this out, the company photos are photoshopped stock photos (Credit Singuy8888 on Anandtech forums):
It seems possible until the statement that the flaws have existed for 6 years. Ryzen is an entirely new architecture and chipset and hasn't even been available for 6 years. While it's true that CPU development takes years, until release, AMD are the only ones that know anything about the arch and its vulnerabilities.

IIRC, Ryzen isn't based off Bulldozer and is entirely new. Unlike Intel's offerings, which are based on Core2 and have been tweaked and shrunken. Even Coffee Lake is a heavily tweaked Core 2 uarch but with additional cores and smaller process. So major flaws affect multiple generations of CPUs.


Mar 11, 2016
simple hit piece to affect short term stock price. all of those "vulnerabilities" are around the PSP, which is not even active in most cases.

but hey it worked prices dropped for a few hours more than enough time to make millions with the right setup ...
It's possible that the flaws could be real, but who's to say that it wasn't someone like Intel who actually discovered them, perhaps while researching Spectre and Meltdown's effects on other processors, then sat on the data for months before paying a small company to make a sudden announcement about it shortly before AMD's next generation of processors launch. It does seem suspicious that a company would only provide a day's notice before making an announcement about their findings, not even enough time for AMD to properly look into the matter and determine whether there's a real concern, let alone be able to announce any course of action about it.


Aug 30, 2017
No address, no land line, 4 cheap, Israelis (drinking Intel milk?), being set up in 2017 (likely after Intel's "Meltdown inside" in June), ..., but just a website ($4.95/month) and a mobile number +1-585-233-0321 :-D ... :-D

Intel, the CPU God = 4 cheap, Israelis drinking the God's milk :-D ... :-D

tomshardware --> tomsfairytale?


Feb 12, 2007
We all know this is ill-intended, but we also are tech people. This goes into the regular news, common folks will be scared and will back away from AMD. Fake news works wonders in social media these days.

I hope it's false, and if it is, I hope AMD sues them into oblivion.
Mar 13, 2018
Need to flash the bios, need a signed driver, need administrator access.....

Security flaws that require root access? I'm not sure Intel (Read: CTS-Labs) understand what security means...

Giving 24 hours notice, when you are required to provide at least 90 days notice. Where was the good faith in that? For Spectre/Meltdown researchers gave a 200 days notice.. THAT is good faith...!

Shame on Tomsfairytale for propagating this without any reasonable warning. FFS these guys don't even have evidence of what they're saying... :))



Ryzen may be new but AMD's partnership with ASMedia for chipsets isn't. Since some of the flaws are about the ASMedia chipsets, those can certainly be several years older than Ryzen.


Hey guys, Just discovered yet another AMD vulnerability.

They are vulnerable to hammers. Normal operation of any modern AMD processor can be disrupted if a hammer is used to impart a measured impulse directly to the integrated memory controller. The effect is permanent and the flaw has been known for over 15 years. Physical access is necessary unless used in conjunction with PAYSOMEBODYTODOIT. No known security software can fix or prevent this style of attack. My security researchers have confusingly named this new architectural flaw BUYINTELNOW.

Sure, but this finding is not legitimate on any level. No real security researcher would give a chip maker 24 hours notice. The standard is 90 days notice or more for hardware flaws, i.e. 6 months for Spectre/Meltdown. This is a plain and simple targeted hit. I doubt it was a competitor as it won't stand up long, so it's likely a stock market related scam. See my post above: they are using stock green screen photos, the links on the site are utter garbage, the site is almost entirely other people's content, i.e. a lot of copy paste and links to documents/standards, and the fact they gave no notice, this just smells profoundly terrible. Until these are validated by a 3rd party I think everyone should treat these as non-credible findings.