Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-1422 — Vulnerability Class 1

1 vulnerabilities classified as CWE-1422. AI Chinese analysis included.

CWE-1422 represents a critical hardware-software interaction weakness where transient execution side-channel attacks expose sensitive data through incorrect or stale data forwarding. This vulnerability arises when processor prediction mechanisms, such as speculative execution, allow unauthorized access to private data that should remain isolated within the current processor context. Attackers typically exploit this by crafting specific inputs that trigger speculative operations, subsequently extracting confidential information via covert channels like cache timing variations. To mitigate this risk, developers must implement robust software mitigations that prevent speculative execution from accessing sensitive memory locations. Techniques include inserting explicit memory barriers, using compiler-level protections to restrict speculation, and ensuring that high-level language safety properties are strictly enforced. By aligning software design with hardware security features, organizations can effectively neutralize the threat of data leakage caused by transient execution flaws.

MITRE CWE Description
A processor event or prediction may allow incorrect or stale data to be forwarded to transient operations, potentially exposing data over a covert channel. Software may use a variety of techniques to preserve the confidentiality of private data that is accessible within the current processor context. For example, the memory safety and type safety properties of some high-level programming languages help to prevent software written in those languages from exposing private data. As a second example, software sandboxes may co-locate multiple users' software within a single process. The processor's Instruction Set Architecture (ISA) may permit one user's software to access another user's data (because the software shares the same address space), but the sandbox prevents these accesses by using software techniques such as bounds checking. If incorrect or stale data can be forwarded (for example, from a cache) to transient operations, then the operations' microarchitectural side effects may correspond to the data. If an attacker can trigger these transient operations and observe their side effects through a covert channel, then the attacker may be able to infer the data. For example, an attacker process may induce transient execution in a victim process that causes the victim to inadvertently access and then expose its private data via a covert channel. In the software sandbox example, an attacker sandbox may induce tran…
Common Consequences (1)
ConfidentialityRead Memory
Mitigations (5)
Architecture and DesignThe hardware designer can attempt to prevent transient execution from causing observable discrepancies in specific covert channels.
Effectiveness: Limited
RequirementsProcessor designers, system software vendors, or other agents may choose to restrict the ability of unprivileged software to access to high-resolution timers that are commonly used to monitor covert channels.
Effectiveness: Defense in Depth
RequirementsProcessor designers may expose instructions or other architectural features that allow software to mitigate the effects of transient execution, but without disabling predictors. These features may also help to limit opportunities for data exposure.
Effectiveness: Moderate
RequirementsProcessor designers may expose registers (for example, control registers or model-specific registers) that allow privileged and/or user software to disable specific predictors or other hardware features that can cause confidential data to be exposed during transient execution.
Effectiveness: Limited
Build and CompilationUse software techniques (including the use of serialization instructions) that are intended to reduce the number of instructions that can be executed transiently after a processor event or misprediction.
Effectiveness: Incidental
Examples (2)
Faulting loads in a victim domain may trigger incorrect transient forwarding, which leaves secret-dependent traces in the microarchitectural state. Consider this code sequence example from [REF-1391].
void call_victim(size_t untrusted_arg) { *arg_copy = untrusted_arg; array[**trusted_ptr * 4096]; }
Bad · C
Some processors try to predict when a store will forward data to a subsequent load, even when the address of the store or the load is not yet known. For example, on Intel processors this feature is called a Fast Store Forwarding Predictor [REF-1392], and on AMD processors the feature is called Predictive Store Forwarding [REF-1393]. A misprediction can cause incorrect or stale …
void fn(int idx) { unsigned char v; idx_array[0] = 4096; v = array[idx_array[idx] * (idx)]; }
Bad · C
CVE IDTitleCVSSSeverityPublished
CVE-2024-7881 ARM CPU 安全漏洞 — Neoverse V2 7.5 -2025-01-28

Vulnerabilities classified as CWE-1422 represent 1 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.