Message-ID: <6ff1387d-6577-455d-8a1a-0dee04907b1c@citrix.com>
Date: Tue, 13 May 2025 18:03:51 +0100
From: Andrew Cooper <andrew.cooper3@...rix.com>
To: "xen-announce@...ts.xen.org" <xen-announce@...ts.xen.org>,
 Xen-devel <xen-devel@...ts.xen.org>,
 "xen-users@...ts.xen.org" <xen-users@...ts.xen.org>,
 "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Cc: "Xen.org security team" <security-team-members@....org>
Subject: Xen Security Notice 3 (CVE-2024-45332) Intel Branch Privilege Injection

Researchers from ETH Zurich have discovered Branch Privilege Injection, a
bug in hardware prediction-domain isolation whereby an attacker can cause
predictions to be tagged with the wrong mode/privilege, and then use the
incorrectly-tagged predictions to mount traditional Spectre-v2 attacks.

For more details, see:
  https://comsec.ethz.ch/bprc
  https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01247.html

Intel are releasing microcode to address as part of IPU 2025.2. There are
no software mitigations available.
  https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20250512

~Andrew, on behalf of the Xen Security Team.