CVSS3
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile: 17.6%
In the Zen1 microarchitecture, there is one divider in the pipeline which services uops from both threads. In the case of #DE, the latched result from the previous DIV to execute will be forwarded speculatively.
This is a covert channel that allows two threads to communicate without any system calls. It also allows userspace to obtain the result of the most recent DIV instruction executed (even speculatively) in the core, which can be from a higher privilege context.
For more information, see: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7007.html
An attacker might be able to infer data from a different execution context on the same CPU core.
All versions of Xen are vulnerable.
Only AMD Zen1 CPUs are believed to be vulnerable.