Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-1423 — Vulnerability Class 2

2 vulnerabilities classified as CWE-1423. AI Chinese analysis included.

CWE-1423 represents a critical hardware-level weakness where shared microarchitectural predictor state enables cross-boundary data leakage through transient execution side channels. Attackers typically exploit this vulnerability by crafting malicious code that influences processor prediction mechanisms, such as branch predictors, to infer sensitive information from adjacent processes or virtual machines. By observing timing variations or cache states resulting from these transient executions, adversaries can reconstruct confidential data that should remain isolated by standard software protections like memory segmentation. To mitigate this risk, developers must implement robust hardware-aware defenses, including disabling speculative execution features when unnecessary, utilizing secure enclaves with strict isolation guarantees, and applying microcode updates that address specific predictor state vulnerabilities. Furthermore, rigorous code auditing and the adoption of constant-time programming practices help minimize the attack surface, ensuring that sensitive operations do not inadvertently expose data through microarchitectural channels.

MITRE CWE Description
Shared microarchitectural predictor state may allow code to influence transient execution across a hardware boundary, potentially exposing data that is accessible beyond the boundary over a covert channel. Many commodity processors have Instruction Set Architecture (ISA) features that protect software components from one another. These features can include memory segmentation, virtual memory, privilege rings, trusted execution environments, and virtual machines, among others. For example, virtual memory provides each process with its own address space, which prevents processes from accessing each other's private data. Many of these features can be used to form hardware-enforced security boundaries between software components. When separate software components (for example, two processes) share microarchitectural predictor state across a hardware boundary, code in one component may be able to influence microarchitectural predictor behavior in another component. If the predictor can cause transient execution, the shared predictor state may allow an attacker to influence transient execution in a victim, and in a manner that could allow the attacker to infer private data from the victim by monitoring observable discrepancies (CWE-203) in a covert channel [REF-1400]. Predictor state may be shared when the processor transitions from one component to another (for example, when a process makes a system call to e…
Common Consequences (1)
ConfidentialityRead Memory
Mitigations (5)
Architecture and DesignThe hardware designer can attempt to prevent transient execution from causing observable discrepancies in specific covert channels.
Architecture and DesignHardware designers may choose to use microarchitectural bits to tag predictor entries. For example, each predictor entry may be tagged with a kernel-mode bit which, when set, indicates that the predictor entry was created in kernel mode. The processor can use this bit to enforce that predictions in the current mode must have been trained in the current mode. This can preve…
Effectiveness: Moderate
Architecture and DesignHardware designers may choose to sanitize microarchitectural predictor state (for example, branch prediction history) when the processor transitions to a different context, for example, whenever a system call is invoked. Alternatively, the hardware may expose instruction(s) that allow software to sanitize predictor state according to the user's threat model. For example, …
Effectiveness: Moderate
ImplementationSystem software can mitigate this weakness by invoking predictor-state-sanitizing operations (for example, the indirect branch prediction barrier on Intel x86) when switching from one context to another, according to the hardware vendor's recommendations.
Effectiveness: Moderate
Build and CompilationIf the weakness is exposed by a single instruction (or a small set of instructions), then the compiler (or JIT, etc.) can be configured to prevent the affected instruction(s) from being generated. One prominent example of this mitigation is retpoline ([REF-1414]).
Effectiveness: Limited
Examples (2)
Branch Target Injection (BTI) is a vulnerability that can allow an SMT hardware thread to maliciously train the indirect branch predictor state that is shared with its sibling hardware thread. A cross-thread BTI attack requires the attacker to find a vulnerable code sequence within the victim software. For example, the authors of [REF-1415] identified the following code se…
adc edi,dword ptr [ebx+edx+13BE13BDh] adc dl,byte ptr [edi] ... indirect_branch_site: jmp dword ptr [rsi]   # at this point attacker knows edx, controls edi and ebx
Bad · x86 Assembly
BTI can also allow software in one execution context to maliciously train branch predictor entries that can be used in another context. For example, on some processors user-mode software may be able to train predictor entries that can also be used after transitioning into kernel mode, such as after invoking a system call. This vulnerability does not necessarily require SMT…
CVE IDTitleCVSSSeverityPublished
CVE-2025-23269 NVIDIA Jetson Linux 安全漏洞 — Jetson Orin and Xavier Devices 4.7 Medium2025-07-17
CVE-2024-10929 Spectre-BSE — Cortex-A72 9.8 -2025-01-22

Vulnerabilities classified as CWE-1423 represent 2 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.