CVE-2020-1459 — Observable Discrepancy in Microsoft Windows 10 Version 1809

CWE-203 — Observable Discrepancy CWE-200 — Sensitive Information Exposure3 documents3 sources

Severity

5.5MEDIUMNVD

EPSS

7.2%

top 8.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft Windows 10 Version 1809 Microsoft Windows 10 Version 1903 FOR Arm64-based Systems Microsoft Windows 10 Version 1909 +6 more

Timeline

PublishedAug 17

Latest updateMay 24

Description

An information disclosure vulnerability exists on ARM implementations that use speculative execution in control flow via a side-channel analysis, aka "straight-line speculation." To exploit this vulnerability, an attacker with local privileges would need to run a specially crafted application. The security update addresses the vulnerability by bypassing the speculative execution.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages9 packages

▶CVEListV5microsoft/windows_10_version_180910.0.0 — publication

▶CVEListV5microsoft/windows_10_version_190910.0.0 — publication

▶CVEListV5microsoft/windows_10_version_200410.0.0 — publication

▶CVEListV5microsoft/windows_10_version_1903_for_arm64-based_systems10.0.0 — publication

▶NVDmicrosoft/windows_104 versions+3

Patches

Patch: portal.msrc.microsoft.com ↗Patch: portal.msrc.microsoft.com ↗

🔴Vulnerability Details

GHSA

GHSA-cjp5-p4x3-x7jg: An information disclosure vulnerability exists on ARM implementations that use speculative execution in control flow via a side-channel analysis, aka↗2022-05-24

▶

📋Vendor Advisories

Microsoft

Windows ARM Information Disclosure Vulnerability↗2020-08-11

▶