CVE-2022-29900: Improper Removal of Sensitive Information Before Storage or Transfer in AMD Processors

Severity: 6.5 MEDIUM (NVD)
EPSS: 1.4% (top 19.45%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Jul 12
Latest update: Apr 11

Description

Mis-trained branch predictions for return instructions may allow arbitrary speculative code execution under certain microarchitecture-dependent conditions.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Exploitability: 2.0 | Impact: 4.0

Affected Packages (3 packages)

Debian: xen/xen < 4.14.5+24-g87d90d511c-1+3
Debian: linux/linux_kernel < 5.10.136-1+3
CVEListV5: amd/amd_processors, Processor, Some AMD Processors

Also affects: Debian Linux 11.0, Fedora 35, 36

Vulnerability Details (3)

GHSA (2022-07-13): GHSA-f3p5-98fc-2gxr: AMD microprocessor families 15h to 18h are affected by a new Spectre variant that is able to bypass their retpoline mitigation in the kernel to leak a
CVEList (2022-07-12): CVE-2022-29900: Mis-trained branch predictions for return instructions may allow arbitrary speculative code execution under certain microarchitecture-dependent condit
OSV (2022-07-12): CVE-2022-29900: Mis-trained branch predictions for return instructions may allow arbitrary speculative code execution under certain microarchitecture-dependent condit

Vendor Advisories (14)

Ubuntu (2023-04-11): Linux kernel (GCP) vulnerabilities
Ubuntu (2023-03-27): Linux kernel vulnerabilities
Ubuntu (2023-03-06): Linux kernel (Azure) vulnerabilities
Ubuntu (2023-02-22): Linux kernel (HWE) vulnerabilities
Ubuntu (2023-02-10): Linux kernel (Azure) vulnerabilities