CVSS3: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
EPSS Percentile: 35.1%
Researchers at Google have discovered Zenbleed, a hardware bug causing corruption of the vector registers.
When a VZEROUPPER instruction is discarded as part of a mispredicted (transient) execution path, its effect on the core's internal register tracking is not unwound correctly. The wrong micro-architectural state then becomes architectural, and the vector registers are corrupted.
Note: although the malfunction is triggered by speculative execution, this is not a speculative side-channel vulnerability. Nothing has to be inferred through timing; the stale data lands directly in the attacker's vector registers.
The corruption is not random. The values that appear are stale contents of the physical vector register file, a structure competitively shared between sibling SMT threads. An attacker can therefore read data directly from the sibling thread, or from a more privileged context that previously ran on the same core.
For more details, see: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7008.html and https://github.com/google/security-research/security/advisories/GHSA-v6wh-rxpg-cmm8
With very low probability, corruption of the vector registers can occur spontaneously. This data corruption causes miscalculations in subsequent logic.
An attacker can deliberately exploit this bug to read data from other contexts that ran on the same core. Examples of such data include key material, ciphertext and plaintext handled by the AES-NI instructions, and the contents of buffers moved by REP MOVS, which is commonly used to implement memcpy().
Systems running all versions of Xen are affected.
This bug is specific to the AMD Zen 2 microarchitecture. AMD does not believe that other microarchitectures are affected.
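A host-side check that follows from the two statements above (Zen 2 only; the leak is a hardware defect that microcode or a chicken bit must correct). This is an added example, not code from the Xen advisory, AMD or Google. It assumes, beyond what the advisory states, that Zen 2 parts report CPU family 0x17 with the model ranges listed in is_zen2() (taken from the author's notes on family 17h parts; confirm against AMD-SB-7008), and that the interim workaround published with the disclosure is setting bit 9 of the DE_CFG MSR (0xC0011029), read and written here with rdmsr/wrmsr from msr-tools.

```shell
#!/bin/sh
# Zenbleed (CVE-2023-20593) host check.  Added example; not Xen, AMD or Google code.
# Assumptions not stated in the advisory: Zen 2 = family 0x17 with the model
# ranges in is_zen2(); the interim workaround is DE_CFG MSR 0xC0011029 bit 9.

DE_CFG_MSR=0xc0011029
DE_CFG_FIX_BIT=9

# is_zen2 FAMILY MODEL   (decimal, exactly as /proc/cpuinfo prints them)
# Returns 0 for a Zen 2 part.  Model ranges are an assumption (Rome, Renoir,
# Lucienne, Matisse, Mendocino); verify against the AMD bulletin.
is_zen2() {
    [ "$1" -eq 23 ] 2>/dev/null || return 1      # family 0x17
    m=$2
    for range in 0x30:0x3f 0x60:0x67 0x68:0x6f 0x70:0x7f 0xa0:0xaf; do
        lo=$(( ${range%:*} )); hi=$(( ${range#*:} ))
        if [ "$m" -ge "$lo" ] && [ "$m" -le "$hi" ]; then return 0; fi
    done
    return 1
}

# de_cfg_has_fix MSRVALUE   (hex, with or without 0x, as rdmsr prints it)
# Returns 0 when the chicken bit is already set.
de_cfg_has_fix() {
    v=$(( 0x${1#0x} ))
    [ $(( (v >> DE_CFG_FIX_BIT) & 1 )) -eq 1 ]
}

# cpuinfo_field NAME  < cpuinfo-text : prints the first value of NAME.
cpuinfo_field() {
    awk -F: -v k="$1" '$1 ~ "^"k"[ \t]*$" { sub(/^[ \t]+/, "", $2); print $2; exit }'
}

main() {
    if [ ! -r /proc/cpuinfo ]; then
        echo "no /proc/cpuinfo; cannot determine CPU model" >&2; return 0
    fi
    vendor=$(cpuinfo_field vendor_id < /proc/cpuinfo)
    family=$(cpuinfo_field "cpu family" < /proc/cpuinfo)
    model=$(cpuinfo_field model < /proc/cpuinfo)
    if [ "$vendor" != "AuthenticAMD" ] || ! is_zen2 "$family" "$model"; then
        echo "vendor=$vendor family=$family model=$model: not a Zen 2 part, not affected by Zenbleed"
        return 0
    fi
    echo "family $family model $model is Zen 2: affected unless fixed microcode is loaded"
    if ! command -v rdmsr >/dev/null 2>&1; then
        echo "rdmsr not found; install msr-tools and 'modprobe msr' to inspect DE_CFG" >&2; return 0
    fi
    val=$(rdmsr -c "$DE_CFG_MSR") || { echo "rdmsr failed (need root and the msr module)" >&2; return 0; }
    if de_cfg_has_fix "$val"; then
        echo "DE_CFG=$val: chicken bit $DE_CFG_FIX_BIT already set"
    elif [ "${1:-}" = "--apply" ]; then
        valn=$(( 0x${val#0x} ))
        new=$(printf '0x%x' $(( valn | (1 << DE_CFG_FIX_BIT) )))
        wrmsr -a "$DE_CFG_MSR" "$new" && echo "DE_CFG set to $new on all CPUs (not persistent across reboot)"
    else
        echo "DE_CFG=$val: chicken bit not set; update microcode, or rerun with --apply as root"
    fi
}
main "$@"
```

The chicken bit is a stop-gap with a performance cost and is lost on reboot; the real fix is the microcode update referenced in AMD-SB-7008 (or, for Xen hosts, the hypervisor patch, since under Xen the MSR belongs to the hypervisor and dom0's view of it is mediated). Run the check on the bare-metal host, not inside a guest.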