CVE-2022-40982 Downfall: Information Exposure through Microarchitectural State after Transient Execution in Intel CPUs

Severity
6.5 MEDIUM NVD
OSV 5.5 OSV 4.7
EPSS: 0.9% (top 25.04%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 11; Latest update Oct 17

Description

Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Exploitability: 2.0 | Impact: 4.0

Affected Packages (3 packages)

NVD: intel/microcode < 20230808
Debian: linux/linux_kernel < 5.10.179-5 +3
Ubuntu: linux/linux_kernel < 5.4.0-159.176 +3

Also affects: Debian Linux 10.0, 11.0, 12.0, Enterprise Linux 6.0, 7.0, 8.0, 9.0

🔴 Vulnerability Details (21)

OSV: linux-azure vulnerabilities, 2023-10-17
OSV: linux-kvm vulnerabilities, 2023-10-05
OSV: linux-bluefield vulnerabilities, 2023-09-26
OSV: linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-oracle vulnerabilities, 2023-09-26
OSV: linux, linux-aws, linux-kvm, linux-lts-xenial vulnerabilities, 2023-09-19

📋 Vendor Advisories (26)

Ubuntu: Linux kernel (Azure) vulnerabilities, 2023-10-17
Oracle: Oracle Oracle Communications Risk Matrix: Oracle Linux (GCC) — CVE-2022-40982, 2023-10-15
Ubuntu: Linux kernel (KVM) vulnerabilities, 2023-10-05
Ubuntu: Linux kernel vulnerabilities, 2023-09-26
Ubuntu: Linux kernel (BlueField) vulnerabilities, 2023-09-26

🕵️ Threat Intelligence (3)

Wiz: Crying Out Cloud - August Newsletter | Wiz, 2023-08-30
Talos: Recapping the top stories from Black Hat and DEF CON, 2023-08-17
Talos: Recapping the top stories from Black Hat and DEF CON, 2023-08-17

💬 Community (1)

Bugzilla: CVE-2022-40982 hw: Intel: Gather Data Sampling (GDS) side channel vulnerability, 2023-07-19