CWE-1423 details

CWE-1423

Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution
Incomplete
2024-02-29 00:00 +00:00
2025-12-11 00:00 +00:00

Name: Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution

Shared microarchitectural predictor state may allow code to influence transient execution across a hardware boundary, potentially exposing data that is accessible beyond the boundary over a covert channel.

General information

Modes of introduction

Architecture and Design
Implementation
System Configuration

Applicable platforms

Language

Class: Not Language-Specific (Undetermined)

Operating systems

Class: Not OS-Specific (Undetermined)

Architectures

Class: Not Architecture-Specific (Undetermined)

Technologies

Name: Microcontroller Hardware (Undetermined)
Name: Processor Hardware (Undetermined)
Name: Memory Hardware (Undetermined)
Class: System on Chip (Undetermined)

Common consequences

Scope | Impact | Likelihood
Confidentiality | Read Memory | Medium

Observed examples

Reference | Description

CVE-2017-5754

(Branch Target Injection, BTI, Spectre v2). Shared microarchitectural indirect branch predictor state may allow code to influence transient execution across a process, VM, or privilege boundary, potentially exposing data that is accessible beyond the boundary.

CVE-2022-0001

(Branch History Injection, BHI, Spectre-BHB). Shared branch history state may allow user-mode code to influence transient execution in the kernel, potentially exposing kernel data over a covert channel.

CVE-2021-33149

(RSB underflow, Retbleed). Shared return stack buffer state may allow code that executes before a prediction barrier to influence transient execution after the prediction barrier, potentially exposing data that is accessible beyond the barrier over a covert channel.

Potential mitigations

Phases: Architecture and Design
Phases: Architecture and Design
Phases: Architecture and Design
Phases: Implementation
Phases: Build and Compilation
Phases: Build and Compilation
Phases: Build and Compilation
Phases: System Configuration
Phases: Patching and Maintenance
Phases: Documentation
Phases: Requirements

Detection methods

Manual Analysis

Effectiveness: Moderate

Automated Analysis

Effectiveness: High

Automated Analysis

Effectiveness: Moderate

Vulnerability mapping notes

Rationale: This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comments: Use only when the weakness allows code in one processor context to influence the predictions of code in another processor context via predictor state that is shared between the two contexts. For example, Branch Target Injection, an instance of CWE-1423, can be mitigated by tagging each indirect branch predictor entry according to the processor context in which the entry was created, thus preventing entries created in one context from being used in a different context. However, the mitigated indirect branch predictor can still expose different weaknesses where malicious predictor entries created in one context are used later in the same context (context tags cannot prevent this). One such example is Intra-mode Branch Target Injection. Weaknesses of this sort can map to CWE-1420.
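The following toy model, added here as an illustration and not taken from MITRE, Intel or any real predictor design, shows why context tagging separates CWE-1423 from CWE-1420. It assumes a hypothetical 16-entry indirect branch predictor indexed by a few low address bits (so two branch sites whose addresses alias share one entry), hypothetical context ids CTX_USER and CTX_KERNEL, and constructed addresses VICTIM_PC, ALIAS_PC, GOOD_TARGET and TRAINED_TGT. With tagging off, a training run in one context steers the prediction made in the other; with tagging on, the foreign entry is ignored. Training from within the same context still steers the prediction in both configurations, which is the residual intra-mode case the note above assigns to CWE-1420.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy predictor: indexed by low address bits only, so aliasing
 * branch sites share an entry. This stands in for the partial tagging that
 * lets training in one context reach another context's predictions. */
#define BTB_ENTRIES 16u

enum { CTX_USER = 0, CTX_KERNEL = 1 }; /* hypothetical context ids */

typedef struct {
    bool     valid;
    uint32_t ctx;     /* context that created the entry (checked only when tagged) */
    uint64_t target;  /* last resolved target recorded for this entry */
} btb_entry_t;

typedef struct {
    btb_entry_t e[BTB_ENTRIES];
    bool tagged;      /* true: a lookup requires a matching context tag (the mitigation) */
} btb_t;

static size_t btb_index(uint64_t pc) { return (size_t)((pc >> 2) & (BTB_ENTRIES - 1)); }

void btb_init(btb_t *b, bool tagged) { memset(b, 0, sizeof *b); b->tagged = tagged; }

/* Record the resolved target of the indirect branch at pc, executed in ctx. */
void btb_train(btb_t *b, uint32_t ctx, uint64_t pc, uint64_t target)
{
    btb_entry_t *e = &b->e[btb_index(pc)];
    e->valid = true; e->ctx = ctx; e->target = target;
}

/* Predict the target of the indirect branch at pc in ctx. Returns true and
 * sets *target when a usable entry exists; with tagging enabled, an entry
 * created by a different context yields no prediction at all. */
bool btb_predict(const btb_t *b, uint32_t ctx, uint64_t pc, uint64_t *target)
{
    const btb_entry_t *e = &b->e[btb_index(pc)];
    if (!e->valid) return false;
    if (b->tagged && e->ctx != ctx) return false;
    *target = e->target;
    return true;
}

/* Constructed addresses: VICTIM_PC and ALIAS_PC map to the same toy entry. */
#define VICTIM_PC   0x401000ull  /* indirect branch executed in the kernel context */
#define ALIAS_PC    0x501000ull  /* branch site that aliases with VICTIM_PC */
#define GOOD_TARGET 0x402000ull  /* legitimate target of the kernel branch */
#define TRAINED_TGT 0x403000ull  /* target left behind by a foreign training run */

/* True if training from the user context steers the kernel-context prediction:
 * the cross-context influence that CWE-1423 describes. */
bool cross_context_influence(bool tagged)
{
    btb_t b; btb_init(&b, tagged);
    btb_train(&b, CTX_KERNEL, VICTIM_PC, GOOD_TARGET);  /* ordinary kernel history */
    btb_train(&b, CTX_USER, ALIAS_PC, TRAINED_TGT);     /* aliasing site, user context */
    uint64_t t = 0;
    bool hit = btb_predict(&b, CTX_KERNEL, VICTIM_PC, &t);
    return hit && t == TRAINED_TGT;
}

/* True if training from within the same context steers the prediction:
 * the intra-mode case that context tags cannot address (CWE-1420). */
bool intra_context_influence(bool tagged)
{
    btb_t b; btb_init(&b, tagged);
    btb_train(&b, CTX_KERNEL, VICTIM_PC, GOOD_TARGET);
    btb_train(&b, CTX_KERNEL, ALIAS_PC, TRAINED_TGT);   /* aliasing site, same context */
    uint64_t t = 0;
    bool hit = btb_predict(&b, CTX_KERNEL, VICTIM_PC, &t);
    return hit && t == TRAINED_TGT;
}

int main(void)
{
    printf("untagged, cross-context: %s\n", cross_context_influence(false) ? "influenced" : "isolated");
    printf("tagged,   cross-context: %s\n", cross_context_influence(true)  ? "influenced" : "isolated");
    printf("untagged, same-context:  %s\n", intra_context_influence(false) ? "influenced" : "isolated");
    printf("tagged,   same-context:  %s\n", intra_context_influence(true)  ? "influenced" : "isolated");
    return 0;
}
```

The tag check sits on the lookup path rather than on allocation, so the foreign entry still overwrites the kernel's own history; that costs the kernel a prediction (a miss, not a misprediction) but never lets the other context choose the speculative target. The same-context results show why the mapping note sends intra-mode cases to CWE-1420: the tag matches, so the mitigation has nothing to reject.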

Submission

Name | Organization | Date | Publication date | Version
Scott D. Constable | Intel Corporation | 2023-09-19 +00:00 | 2024-02-29 +00:00 | 4.14

Modifications

Name | Organization | Date | Comment
CWE Content Team | MITRE | 2025-09-09 +00:00 | updated Relationships
CWE Content Team | MITRE | 2025-12-11 +00:00 | updated Weakness_Ordinalities