CWE-1423: Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution

Status: Incomplete
Released: 2024-02-29
Last updated: 2025-12-11

Name: Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution

Shared microarchitectural predictor state may allow code to influence transient execution across a hardware boundary, potentially exposing data that is accessible beyond the boundary over a covert channel.

General Information

Modes Of Introduction

Architecture and Design
Implementation
System Configuration

Applicable Platforms

Language

Class: Not Language-Specific (Undetermined)

Operating Systems

Class: Not OS-Specific (Undetermined)

Architectures

Class: Not Architecture-Specific (Undetermined)

Technologies

Name: Microcontroller Hardware (Undetermined)
Name: Processor Hardware (Undetermined)
Name: Memory Hardware (Undetermined)
Class: System on Chip (Undetermined)

Common Consequences

Scope: Confidentiality
Impact: Read Memory
Likelihood: Medium

Observed Examples

CVE-2017-5754: (Branch Target Injection, BTI, Spectre v2). Shared microarchitectural indirect branch predictor state may allow code to influence transient execution across a process, VM, or privilege boundary, potentially exposing data that is accessible beyond the boundary.

CVE-2022-0001: (Branch History Injection, BHI, Spectre-BHB). Shared branch history state may allow user-mode code to influence transient execution in the kernel, potentially exposing kernel data over a covert channel.

CVE-2021-33149: (RSB underflow, Retbleed). Shared return stack buffer state may allow code that executes before a prediction barrier to influence transient execution after the prediction barrier, potentially exposing data that is accessible beyond the barrier over a covert channel.

Potential Mitigations

Phases : Architecture and Design
Phases : Architecture and Design
Phases : Architecture and Design
Phases : Implementation
Phases : Build and Compilation
Phases : Build and Compilation
Phases : Build and Compilation
Phases : System Configuration
Phases : Patching and Maintenance
Phases : Documentation
Phases : Requirements

Detection Methods

Manual Analysis

Effectiveness : Moderate

Automated Analysis

Effectiveness : High

Automated Analysis

Effectiveness : Moderate

Vulnerability Mapping Notes

Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comment : Use only when the weakness allows code in one processor context to influence the predictions of code in another processor context via predictor state that is shared between the two contexts. For example, Branch Target Injection, an instance of CWE-1423, can be mitigated by tagging each indirect branch predictor entry according to the processor context in which the entry was created, thus preventing entries created in one context from being used in a different context. However, the mitigated indirect branch predictor can still expose different weaknesses where malicious predictor entries created in one context are used later in the same context (context tags cannot prevent this). One such example is Intra-mode Branch Target Injection. Weaknesses of this sort can map to CWE-1420.
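The mapping comment above distinguishes CWE-1423 (cross-context predictor influence) from CWE-1420 (same-context influence, which context tags cannot stop). The toy model below is an added illustration, not MITRE's text or any vendor's predictor design: a lookup table keyed either by branch address alone or by a hypothetical (context, branch address) tag, with constructed context names and addresses.

```python
# Toy indirect branch predictor: a dictionary from lookup key to predicted target.
# Untagged: key is the branch address only, so every context shares one entry.
# Tagged:   key folds in a context id (hypothetical scheme), so entries created in
#           one context are never returned to a different context.


class IndirectBranchPredictor:
    def __init__(self, tagged: bool):
        self.tagged = tagged
        self.table = {}

    def _key(self, context, branch_addr):
        return (context, branch_addr) if self.tagged else branch_addr

    def train(self, context, branch_addr, target):
        # Executing an indirect branch records its resolved target for later prediction.
        self.table[self._key(context, branch_addr)] = target

    def predict(self, context, branch_addr):
        # Predicted target, or None when there is no entry (no transient redirection).
        return self.table.get(self._key(context, branch_addr))


# Constructed values: victim branch at 0x1000 legitimately resolves to 0x2000;
# 0x0BAD stands for a target supplied by code the victim did not intend to follow.
VICTIM_BRANCH = 0x1000
LEGIT_TARGET = 0x2000
FOREIGN_TARGET = 0x0BAD


def cross_context_influence(tagged: bool):
    """CWE-1423 case: a different context ('user') trains the victim's branch address
    after the victim ('kernel') did. Returns what the victim's next lookup predicts."""
    p = IndirectBranchPredictor(tagged)
    p.train("kernel", VICTIM_BRANCH, LEGIT_TARGET)
    p.train("user", VICTIM_BRANCH, FOREIGN_TARGET)
    return p.predict("kernel", VICTIM_BRANCH)


def intra_context_influence(tagged: bool):
    """CWE-1420 case (Intra-mode BTI): the training happens in the same context as
    the victim branch, so the context tag cannot separate trainer from victim."""
    p = IndirectBranchPredictor(tagged)
    p.train("kernel", VICTIM_BRANCH, LEGIT_TARGET)
    p.train("kernel", VICTIM_BRANCH, FOREIGN_TARGET)
    return p.predict("kernel", VICTIM_BRANCH)
```

Tagging restores the legitimate target only in the cross-context case; the same-context case predicts the foreign target with or without tags, which is why such weaknesses map to CWE-1420 rather than CWE-1423.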


Submission

Name: Scott D. Constable
Organization: Intel Corporation
Date: 2023-09-19
Release date: 2024-02-29
Version: 4.14

Modifications

2025-09-09: CWE Content Team (MITRE), updated Relationships
2025-12-11: CWE Content Team (MITRE), updated Weakness_Ordinalities