RISCVuzz: Discovering Architectural CPU Vulnerabilities via Differential Hardware Fuzzing
August 7 2024

The open and extensible RISC-V instruction set architecture marks a significant advancement in the CPU industry by enabling new vendors to enter the CPU market. RISC-V is quickly gaining popularity, as demonstrated by its support in the Linux kernel and its presence in consumer devices and even cloud platforms. However, the flexibility of RISC-V has resulted in a diverse range of hardware implementations, which differ in features and security measures. Additionally, no automated approach currently exists to assess the security of these implementations. In this paper, we introduce a novel framework, RISCVuzz, that leverages this diversity of RISC-V implementations to automatically detect vulnerabilities in hardware CPUs without the need for source code or emulators. RISCVuzz uses a differential CPU fuzzing approach to compare architectural behaviors across different vendors and CPU models. We evaluate RISCVuzz using all 5 currently available consumer-grade RISC-V CPUs and identify 3 severe security vulnerabilities along with numerous bugs. Notably, RISCVuzz identifies GhostWrite, an unprivileged instruction sequence to write attacker-controlled bytes to attacker-chosen physical memory locations, including attached devices. In 3 end-to-end attacks, we demonstrate how GhostWrite can be transformed to read physical memory and lead to arbitrary machine-mode code execution, even in cloud environments. Additionally, RISCVuzz exposes 2 unprivileged "halt-and-catch-fire" instruction sequences that result in an irrecoverable CPU halt.
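The differential comparison at the heart of the approach described above, as an added illustration that is not RISCVuzz's own code: every CPU runs the same instruction test and reports either the trap it raised or its architectural state afterwards, and with no golden model the majority outcome is taken as reference. The outcome representation, the CPU names "A" to "E" and all results are constructed assumptions for the sample.

```python
# Added illustration of differential comparison across CPU implementations;
# NOT RISCVuzz's own code. An outcome is either a trap name (string) or a
# dict of architectural state after execution. The majority outcome is the
# reference; deviating CPUs are flagged. CPU names and results are constructed.
from collections import Counter


def canonical(outcome):
    """Hashable key for voting: trap name, or sorted register state."""
    if isinstance(outcome, dict):
        return ("state", tuple(sorted(outcome.items())))
    return ("trap", outcome)


def classify(majority_key, outlier_key):
    """Name the kind of divergence between one CPU and the majority."""
    if majority_key is None:
        return "no_majority"
    if majority_key[0] != outlier_key[0]:
        return "trap_mismatch"      # one side traps, the other executes
    return "state_mismatch"         # both execute, architectural state differs


def find_divergences(results):
    """results: {test_id: {cpu: outcome}} -> {test_id: divergence record}.
    Only tests where at least one CPU disagrees are reported; a test with
    no strict majority lists every CPU as an outlier."""
    report = {}
    for test_id, per_cpu in results.items():
        keys = {cpu: canonical(o) for cpu, o in per_cpu.items()}
        majority, votes = Counter(keys.values()).most_common(1)[0]
        if votes == len(keys):
            continue                       # all implementations agree
        if votes * 2 <= len(keys):
            majority = None                # no strict majority to trust
        outliers = {cpu: classify(majority, k) for cpu, k in keys.items()
                    if k != majority}
        report[test_id] = {"majority": majority, "outliers": outliers}
    return report


# Constructed sample run over five CPUs and four instruction tests.
SAMPLE = {
    "add_t0": {c: {"t0": 0x2a} for c in "ABCDE"},              # agreement
    "vec_ld": {**{c: {"v0": 0x11, "t0": 0} for c in "ABCD"},
               "E": {"v0": 0x11, "t0": 0xdead}},               # E differs
    "csr_rd": {**{c: "illegal_instruction" for c in "ABCD"},
               "E": {"t0": 0x1}},                               # E executes
    "weird":  {c: {"t0": i} for i, c in enumerate("ABCDE")},    # all differ
}
```

Running `find_divergences(SAMPLE)` reports only the three disagreeing tests, each with the outlier CPU and whether the divergence is in trapping behaviour or in resulting state.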