AMD Addresses New "Transient Scheduler Attack" Vulnerability

A recently disclosed vulnerability, identified as CVE-2025-36350, has brought fresh security concerns for users of a wide range of AMD processors. Dubbed the "Transient Scheduler Attack in Store Queue," this flaw could potentially allow attackers to access sensitive information.

The vulnerability was officially acknowledged as part of the July 2025 Patch Tuesday disclosures. It is described as a transient execution side-channel vulnerability that affects the processor's store queue. A successful exploit could allow a local attacker with low privileges to infer data from previous store operations, potentially leading to the leakage of privileged information.

Microsoft has included this AMD vulnerability in its Security Update Guide, indicating that mitigation requires a Windows update. The latest Windows builds now include protections against this vulnerability. AMD has also released a security bulletin, AMD-SB-7010, with further details.

This vulnerability is one of two similar "Transient Scheduler Attacks" disclosed, the other being CVE-2025-36357, which affects the L1 Data Queue. Both have been rated with a CVSS score of 5.6, signifying a medium severity. The attack complexity is considered high, requiring precise timing and specific microarchitectural conditions to be met. Importantly, exploiting these flaws requires an attacker to have prior malicious access to the machine and the ability to run arbitrary code; it is not exploitable through malicious websites.

The attack works by an attacker monitoring speculative access patterns in the CPU's internal structures. In the case of CVE-2025-36350, a load instruction might erroneously retrieve data from the CPU store queue before the correct data is available. This can cause timing variations in other instructions that a sophisticated attacker could potentially detect and use to infer sensitive data.

It is crucial to distinguish this new "Transient Scheduler Attack" from a previously disclosed vulnerability known as SQUIP (Scheduler Queue Usage via Interference Probing), identified as CVE-2021-46778. The SQUIP attack, which affects AMD Zen 1, Zen 2, and Zen 3 processors with SMT enabled, also exploits scheduler queue contention. However, SQUIP and the new "Transient Scheduler Attack" are distinct vulnerabilities with different CVE identifiers and technical underpinnings.

To mitigate the risk posed by CVE-2025-36350, users are strongly advised to apply the latest Windows updates. For more technical details and a full list of affected processors, users should refer to AMD's official security bulletin. As of early July 2025, public details were still emerging, underscoring the importance of staying updated with information from official sources.