Description
Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
New Spectre-v2 attack classes have been discovered within CPU architectures that enable self-training exploitation of speculative execution within the same privilege domain. These novel techniques bypass existing hardware and software mitigations, including IBPB, eIBRS, and BHI_NO, by leveraging in-kernel gadgets (potentially accessible via SECCOMP/cBPF), Branch Target Buffer (BTB) aliasing, and direct-to-indirect branch predictor training. While the root cause lies in CPU architectural behavior, the vulnerability manifests through kernel-level speculation paths, allowing attackers to potentially leak sensitive memory.
Statement
The "Training Solo" attack classes introduce new self-training methods to exploit Spectre-v2 from within domain isolation implementations. They can reasonably be classified as Moderate severity because of several practical and architectural limitations. First, these attacks rely heavily on the presence of specific in-kernel or in-hypervisor gadgets, such as history-crafting or disclosure gadgets, which are not universally available and vary across kernel versions and configurations. Second, the attacks generally require local code execution within the victim domain, so they do not expand the threat model beyond existing Spectre-v2 scenarios in which attackers already have some degree of execution capability. Third, the leak rates, while measurable, remain relatively low (1.7–17 KB/s) and demand sustained access and stability to extract meaningful information. Their limited practical exploitability therefore makes them a moderate, not a critical, threat in real-world settings.
Mitigation
No mitigation is currently available that meets Red Hat Product Security’s standards for usability, deployment, applicability, or stability.
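A defender-side check, added here as an example (not Red Hat's or the kernel's code): it parses the kernel's spectre_v2 sysfs report and flags when the protection the kernel claims rests on techniques the description above lists as bypassed (IBPB, eIBRS, BHI hardening), which matters because no fix has shipped. The sysfs line format is assumed from typical kernel output, and the sample lines are constructed.

```python
"""Parse the kernel's spectre_v2 sysfs report and flag which of the
mitigations this advisory says are bypassed (IBPB, eIBRS, BHI) the kernel
currently claims. Line format assumed from typical kernel output."""
import re
from pathlib import Path

SYSFS_PATH = Path("/sys/devices/system/cpu/vulnerabilities/spectre_v2")

# Mitigations the advisory says the self-training attack classes bypass.
BYPASSED = {
    "eIBRS": re.compile(r"Enhanced / Automatic IBRS|Enhanced IBRS|\beIBRS\b"),
    "IBPB": re.compile(r"\bIBPB\b"),
    "BHI": re.compile(r"\bBHI\b"),
}

def parse_spectre_v2(line: str) -> dict:
    """Split the report into its status keyword ('Mitigation', 'Vulnerable',
    'Not affected') and the advisory-named mitigations it mentions."""
    line = line.strip()
    status = line.split(":", 1)[0].strip()
    claimed = sorted(name for name, rx in BYPASSED.items() if rx.search(line))
    return {"status": status, "claimed": claimed, "raw": line}

def assess(line: str) -> str:
    """Defender verdict: a 'Mitigation' status that rests on the bypassed
    techniques does not cover the attack classes in this advisory."""
    info = parse_spectre_v2(line)
    if info["status"] == "Not affected":
        return "kernel reports not affected by spectre_v2"
    if info["claimed"]:
        return ("review: kernel claims " + ", ".join(info["claimed"])
                + ", which this advisory lists as bypassed; no fix shipped")
    return "review: status '%s' names none of the advisory mitigations" % info["status"]

def assess_live() -> str:
    """Read the real sysfs entry when present (Linux only)."""
    return assess(SYSFS_PATH.read_text()) if SYSFS_PATH.exists() else "sysfs entry absent"

# Constructed sample lines, not captured from a real host.
SAMPLES = [
    "Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; "
    "PBRSB-eIBRS: SW sequence; BHI: SW loop, KVM: SW loop",
    "Mitigation: Retpolines; IBPB: conditional; STIBP: disabled; RSB filling",
    "Not affected",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(assess(sample))
    print(assess_live())
```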
Affected packages
Platform | Package | State | Recommendation | Release
---|---|---|---|---
Red Hat Enterprise Linux 10 | kernel | Affected | |
Red Hat Enterprise Linux 10 | microcode_ctl | Affected | |
Red Hat Enterprise Linux 6 | kernel | Fix deferred | |
Red Hat Enterprise Linux 6 | microcode_ctl | Fix deferred | |
Red Hat Enterprise Linux 7 | kernel | Affected | |
Red Hat Enterprise Linux 7 | microcode_ctl | Affected | |
Red Hat Enterprise Linux 8 | kernel | Affected | |
Red Hat Enterprise Linux 8 | microcode_ctl | Affected | |
Red Hat Enterprise Linux 9 | kernel | Affected | |
Red Hat Enterprise Linux 9 | microcode_ctl | Affected | |
Additional information
EPSS
5.6 Medium
CVSS3