Cybersecurity researchers from VUSec have found a new way to bypass the hardware mitigations against speculative execution attacks in modern Intel, AMD and Arm processors. The new method is called Branch History Injection (BHI).
The three CPU manufacturers have published bulletins about the issue, which allows confidential information to leak despite isolation-based security measures.
Speculative execution is a performance optimization in which the processor predicts which branch a program will take and starts executing that work ahead of time (branch prediction), so that the results are already available if the prediction turns out to be correct.
According to the experts, although the hardware defenses still prevent an unprivileged attacker from injecting predictor entries for the kernel, the use of global branch history to select prediction targets opens up a previously unknown attack method. An attacker with low privileges on the target system can “poison” this history to force the OS kernel to mispredict targets in a way that may leak data.
The researchers also published proof-of-concept (PoC) code exploiting the vulnerabilities (CVE-2022-0001 and CVE-2022-0002) that demonstrates an arbitrary kernel memory leak. Intel recommended that users disable access to managed runtime environments in privileged modes.
A full list of measures to prevent exploitation of these vulnerabilities can be found on the linked page, and a list of all affected processor models is available here.
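For an administrator who wants to check whether a Linux host already applies the kernel's Spectre v2 mitigations and whether the unprivileged runtime Intel's guidance refers to (unprivileged eBPF) is still enabled, the following shell script is an added example; it is not code from the article, from VUSec or from any vendor. It assumes a Linux kernel that exposes /sys/devices/system/cpu/vulnerabilities/spectre_v2 and the kernel.unprivileged_bpf_disabled sysctl; the sample status strings it runs on are constructed to mimic the sysfs format and were not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the article or from VUSec): classify the kernel's
# self-reported Spectre v2 status and the unprivileged eBPF sysctl, so an
# administrator can see at a glance whether a host still needs action.
# Assumptions: Linux with /sys/devices/system/cpu/vulnerabilities/ and
# /proc/sys/kernel/unprivileged_bpf_disabled (0 = unprivileged eBPF allowed,
# 1 or 2 = disabled).

# classify_spectre_v2 FILE -> prints: not-affected | mitigated | vulnerable | unknown
classify_spectre_v2() {
    [ -r "$1" ] || { echo unknown; return 0; }
    status=$(cat "$1")
    case "$status" in
        "Not affected"*) echo not-affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# classify_unprivileged_bpf FILE -> prints: enabled | disabled | unknown
classify_unprivileged_bpf() {
    [ -r "$1" ] || { echo unknown; return 0; }
    case "$(cat "$1")" in
        0)   echo enabled ;;
        1|2) echo disabled ;;
        *)   echo unknown ;;
    esac
}

# report SPECTRE_V2_FILE BPF_SYSCTL_FILE -> prints a summary line;
# returns 1 when the host is reported vulnerable or unprivileged eBPF is on.
report() {
    v2=$(classify_spectre_v2 "$1")
    bpf=$(classify_unprivileged_bpf "$2")
    echo "spectre_v2=$v2 unprivileged_bpf=$bpf"
    [ "$v2" = vulnerable ] && return 1
    [ "$bpf" = enabled ] && return 1
    return 0
}

# Stand-alone demo on constructed sample files (constructed, not captured
# from a real host; the strings only mimic the kernel's sysfs format).
demo() {
    d=$(mktemp -d)
    printf 'Mitigation: Retpolines; IBPB: conditional; STIBP: disabled; RSB filling\n' > "$d/v2_ok"
    printf 'Vulnerable: eIBRS with unprivileged eBPF\n' > "$d/v2_bad"
    printf '0\n' > "$d/bpf_on"
    printf '2\n' > "$d/bpf_off"
    report "$d/v2_ok" "$d/bpf_off" && echo "sample 1: no action needed"
    report "$d/v2_bad" "$d/bpf_on" || echo "sample 2: action needed"
    rm -rf "$d"
}

demo

# On a real host, run instead:
# report /sys/devices/system/cpu/vulnerabilities/spectre_v2 /proc/sys/kernel/unprivileged_bpf_disabled
```

The classification is deliberately coarse: a "Mitigation:" line only says that the kernel applies some Spectre v2 mitigation, not which one, so the full status string should still be read when deciding whether the vendor-recommended settings are in place.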