AMD-SB-7052 — Zen 2 µop-cache corruption / SoC isolation LPE (CVSS 7.3 CVSS 4.0)

AMD disclosed AMD-SB-7052 (CVE-2025-54518, CVSS 7.3 on the CVSS 4.0 scale, CWE-1189 Improper Isolation of Shared Resources on System-on-Chip) affecting Zen 2-based processor models on 2026-05-12, with NCSC-NL flagging the advisory on 2026-05-15 (AMD Product Security, 2026-05-12 · NCSC-NL NCSC-2026-0158, 2026-05-15). The flaw allows a local attacker with code execution on the target system to corrupt the CPU operation (µop) cache and thereby cause instructions to execute at a higher privilege level than intended, enabling local privilege escalation and, in virtualisation contexts, potential degradation of hypervisor-level isolation. Mitigation is delivered as microcode integrated into the May 2026 Microsoft Windows cumulative update (the same window as the previously-covered CVE-2026-41089 / 41096 Patch Tuesday set); Fedora has issued separate kernel + microcode updates (advisory IDs per NCSC-NL CSAF references) and Xen has published XSA-490 for bare-metal hypervisor operators. Lenovo has published a product-security advisory covering affected ThinkPad / ThinkStation / Workstation models for BIOS / UEFI guidance. Attack class: T1068 Exploitation for Privilege Escalation, with elevated relevance in confidential-compute and multi-tenant virtualisation contexts (VDI estates, cloud-hosted VMs on Zen 2 hosts, shared university compute clusters). No in-the-wild exploitation confirmed. Detection / verification: confirm the May 2026 Windows CU includes the AMD microcode revision via the relevant KB and wmic cpu get name, dataWidth, processorId; for Linux hypervisors apply distro kernel + microcode updates and reboot; for Xen apply XSA-490; for Lenovo hardware check BIOS / UEFI update guidance per LEN-216977. The local-only attack vector limits external risk; the priority is multi-tenant and virtualisation contexts where guest-to-hypervisor or container-to-host isolation is part of the security boundary.

CVE Summary Table