Overview

Modern CPUs have speculative execution capabilities, which improves processor performance. Depending on the design and architecture of the CPU, speculative execution can introduce side-channel-attack vulnerabilities.

Known Vulnerabilities

PublicCVEAlias(es)CPU Vendors AffectedSpeculative TriggerImpactMitigationsReferences
Jan 3, 2018CVE-2017-5753

Spectre V1

NetSpectre
(network attack vector)

Spectre-PHT

Intel

ARM

IBM

Branch prediction bounds check bypassCross- and intra-process (including kernel) memory disclosure

OS

Compiler

Browser

https://www.kb.cert.org/vuls/id/584653

https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html

https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability

https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/

Jan 3, 2018CVE-2017-5715

Spectre V2

Spectre-BTB

Intel

AMD

ARM

IBM

Branch target injectionCross- and intra-process (including kernel) memory disclosureMicrocode

https://www.kb.cert.org/vuls/id/584653

https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html

https://www.amd.com/en/corporate/security-updates

https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability

https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/

Jan 3, 2018CVE-2017-5754

Spectre V3

Meltdown

Meltdown-US

Intel

IBM

Out-of-order executionKernel memory disclosure to userspaceOS

https://www.kb.cert.org/vuls/id/584653

https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html

https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/

May 21, 2018CVE-2018-3640

Spectre V3a (RSRE)

Meltdown-GP

Intel

ARM


System register readDisclosure of system register valuesMicrocode

https://www.kb.cert.org/vuls/id/180049

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html

https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability

May 21, 2018CVE-2018-3639

Spectre V4 (SSB)

Spectre-STL

Intel

AMD

ARM

IBM

Memory reads before prior memory write addresses knownCross- and intra-process (including kernel) memory disclosure

Microcode

OS


https://www.kb.cert.org/vuls/id/180049

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html

https://www.amd.com/en/corporate/security-updates

https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability

https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/

Jun 13, 2018CVE-2018-3665

Lazy FP

Meltdown-NM

IntelLazy FPU state restoreLeak of FPU stateOShttps://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00145.html
July 10, 2018CVE-2018-3693

Spectre1.1

Spectre-PHT

Intel

Bounds check bypass store

Speculative buffer overflow

Cross- and intra-process (including kernel) memory disclosure

OS

https://01.org/security/advisories/intel-oss-10002

https://arxiv.org/abs/1807.03757

July 10, 2018N/A

Spectre1.2

Meltdown-RW

IntelRead-only protection bypass

Overwrite read-only data and pointers

Cross- and intra-process (including kernel) memory disclosure

OS

https://01.org/security/advisories/intel-oss-10002

https://arxiv.org/abs/1807.03757

August 14, 2018CVE-2018-3615

L1 Terminal Fault: SGX

Foreshadow-SGX

Meltdown-P

IntelTransient out-of-order executionSGX enclave memory disclosure

Microcode

TCB Recovery

https://www.kb.cert.org/vuls/id/982149

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html

https://foreshadowattack.eu/

https://foreshadowattack.eu/foreshadow.pdf

August 14, 2018CVE-2018-3620

L1 Terminal Fault: OS/SMM

Foreshadow-OS

Foreshadow-NG

Meltdown-P

Intel

IBM

Transient out-of-order executionOS or SMM memory disclosure

Microcode

OS

https://www.kb.cert.org/vuls/id/982149

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html

https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/

https://foreshadowattack.eu/

https://foreshadowattack.eu/foreshadow-NG.pdf

August 14, 2018CVE-2018-3646

L1 Terminal Fault: VMM

Foreshadow-VMM

Foreshadow-NG

Meltdown-P

Intel

IBM

Transient out-of-order executionVirtual Machine Monitor (VMM) memory disclosure

Microcode

OS

https://www.kb.cert.org/vuls/id/982149

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html

https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/

https://foreshadowattack.eu/

https://foreshadowattack.eu/foreshadow-NG.pdf

November 13, 2018
Spectre-PHT-CA-OP

Intel

ARM

AMD

Pattern History Table

https://arxiv.org/abs/1811.05441
November 13, 2018
Spectre-PHT-CA-IP

Intel

ARM

AMD

Pattern History Table

https://arxiv.org/abs/1811.05441
November 13, 2018
Spectre-PHT-SA-OP

Intel

ARM

AMD

Pattern History Table

https://arxiv.org/abs/1811.05441
November 13, 2018
Spectre-BTB-SA-IP

Intel

ARM

AMD

Branch Target Buffer

https://arxiv.org/abs/1811.05441
November 13, 2018
Spectre-BTB-SA-OP

Intel

Branch Target Buffer

https://arxiv.org/abs/1811.05441
November 13, 2018
Meltdown-PKIntelProtection Keys

https://arxiv.org/abs/1811.05441
November 13, 2018
Meltdown-BND

Intel

AMD

Bound instruction

https://arxiv.org/abs/1811.05441
May 14, 2019CVE-2019-11091

Zombieload

MDSUM

IntelTransient out-of-order executionCross- and intra-process (including kernel) memory disclosure

Microcode

OS/Hypervisor

https://zombieloadattack.com/zombieload.pdf

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html

https://software.intel.com/security-software-guidance/software-guidance/microarchitectural-data-sampling

https://software.intel.com/security-software-guidance/insights/deep-dive-intel-analysis-microarchitectural-data-sampling

https://support.google.com/faqs/answer/9330250

https://www.chromium.org/Home/chromium-security/mds

https://aws.amazon.com/security/security-bulletins/AWS-2019-004/

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv190013

https://xenbits.xen.org/xsa/advisory-297.html

https://support.apple.com/en-us/HT210107

https://access.redhat.com/security/vulnerabilities/mds

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/MDS

May 14, 2019

CVE-2018-12127

CVE-2018-12130

RIDL

MLPDS

MFBDS


IntelLFB and load portCross- and intra-process (including kernel) memory disclosure

Microcode

OS/Hypervisor

https://mdsattacks.com/files/ridl.pdf

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html

https://software.intel.com/security-software-guidance/software-guidance/microarchitectural-data-sampling

https://software.intel.com/security-software-guidance/insights/deep-dive-intel-analysis-microarchitectural-data-sampling

https://www.bitdefender.com/files/News/CaseStudies/study/257/Bitdefender-Whitepaper-YAM-en-EN.pdf

https://support.google.com/faqs/answer/9330250

https://www.chromium.org/Home/chromium-security/mds

https://aws.amazon.com/security/security-bulletins/AWS-2019-004/

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv190013

https://xenbits.xen.org/xsa/advisory-297.html

https://support.apple.com/en-us/HT210107

https://access.redhat.com/security/vulnerabilities/mds

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/MDS

May 14, 2019CVE-2018-12126

Fallout

MSBDS

IntelStore Buffer and WTF optimizationCross- and intra-process (including kernel) memory disclosure

Microcode

OS/Hypervisor

https://mdsattacks.com/files/fallout.pdf

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html

https://software.intel.com/security-software-guidance/software-guidance/microarchitectural-data-sampling

https://software.intel.com/security-software-guidance/insights/deep-dive-intel-analysis-microarchitectural-data-sampling

https://support.google.com/faqs/answer/9330250

https://www.chromium.org/Home/chromium-security/mds

https://aws.amazon.com/security/security-bulletins/AWS-2019-004/

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv190013

https://xenbits.xen.org/xsa/advisory-297.html

https://support.apple.com/en-us/HT210107

https://access.redhat.com/security/vulnerabilities/mds

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/MDS

November 12, 2019CVE-2019-11135TAAIntelTSX Asynchronous AbortCross- and intra-process (including kernel) memory disclosureMicrocode

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00270.html

https://software.intel.com/security-software-guidance/insights/deep-dive-intel-transactional-synchronization-extensions-intel-tsx-asynchronous-abort

January 27, 2020

CVE-2020-0548

VRSIntelVector Register SamplingCross- and intra-process (including kernel) memory disclosureMicrocode

https://blogs.intel.com/technology/2020/01/ipas-intel-sa-00329/

https://software.intel.com/security-software-guidance/software-guidance/vector-register-sampling

https://software.intel.com/security-software-guidance/insights/processors-affected-vector-register-sampling

January 27, 2020CVE-2020-0549

CacheOut

L1DES

IntelL1D Eviction SamplingCross- and intra-process (including kernel) memory disclosureMicrocode

https://blogs.intel.com/technology/2020/01/ipas-intel-sa-00329/

https://software.intel.com/security-software-guidance/software-guidance/l1d-eviction-sampling

https://software.intel.com/security-software-guidance/insights/processors-affected-l1d-eviction-sampling

March 6, 2020
L1D Collide+ProbeAMDL1D cache way predictor µTag collisionsCross- and intra-process (including kernel) memory disclosureOS/Hypervisor

https://mlq.me/download/takeaway.pdf

https://www.amd.com/en/corporate/product-security

March 6, 2020
L1D Load+ReloadAMDL1D cache way predictor for aliased addressesCross- and intra-process (including kernel) memory disclosureOS/Hypervisor

https://mlq.me/download/takeaway.pdf

https://www.amd.com/en/corporate/product-security

March 10, 2020

CVE-2020-0551

LVIIntelLoad Value InjectionSGX enclave memory disclosureTCB Recovery

https://lviattack.eu/

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00334.html

March 14, 2024

 

GhostRaceAMD, Intel, Linux, XenRace condition on a transiently executed path originating from a mis-speculated branchSpeculative Race Condition (SRC) vulnerabilityLinux Kernel patch, Xen Virutalization Patch, AMD OS and Virtlaization API changes recommended.

https://kb.cert.org/vuls/id/488902

https://xenbits.xen.org/xsa/advisory-453.html 

https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7016.html


Notes

General

The causes of these vulnerabilities are rooted in CPU hardware design choices intended to optimize performance.
https://lwn.net/Articles/755419/
https://pdfs.semanticscholar.org/2209/42809262c17b6631c0f6536c91aaf7756857.pdf

Other Information

NSA guidance on speculative execution vulnerabilities includes a similar list.
https://github.com/nsacyber/Hardware-and-Firmware-Security-Guidance

Spectre V1

Spectre V1 has been demonstrated to bypass protections provided by Intel SGX. Intel has updated the SGX SDK to mitigate these vulnerabilities when SGX enclaves are rebuilt. 
https://software.intel.com/sites/default/files/managed/e1/ec/SGX_SDK_Developer_Guidance-CVE-2017-5753.pdf

Spectre V1 has been demonstrated to bypass protections provided by the System Management Range Register (SMRR) to access protected System Management Mode (SMM) memory.
https://blog.eclypsium.com/2018/05/17/system-management-mode-speculative-execution-attacks/

Spectre V1 can be exploited over network connections rather than through local code execution of remotely delivered code such as JavaScript. This remote attack is known as NetSpectre.
https://misc0110.net/web/files/netspectre.pdf

Lazy FP

Lazy FP may particularly expose AES keys:

The FPU state may contain sensitive information such as cryptographic keys. As an example, the Intel AES instruction set (AES-NI) uses FPU registers to store round keys. It is only possible to exploit when the underlying operating system or hypervisor uses lazy FPU switching.
https://blog.cyberus-technology.de/posts/2018-06-06-intel-lazyfp-vulnerability.html