CVE-2023-4969
Published 2024-01-16
Priority P429 · medium · 6.5 (CVSS 3.1)
AV:L · AC:L · PR:L · UI:N · S:C · C:H · I:N · A:N
EPSS 1.18% (63.6th percentile)
A GPU kernel can read sensitive data from another GPU kernel (even from another user or app) through an optimized GPU memory region called _local memory_ on various architectures.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | firmware-nonfree | < firmware-nonfree 20240610-1 (forky) | firmware-nonfree 20240610-1 (forky) |
| chrome_chrome | — | — | |
| imaginationtech | ddk | <= 23.2 | — |
| khronos | opencl | <= 3.0.11 | — |
| khronos | vulkan | <= 1.3.224 | — |
| khronos_group | opencl | 3.0.11 – 3.0.11 | — |
| khronos_group | vulkan | 1.3.224 – 1.3.224 | — |
CVSS provenance
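| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 6.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
| osv | 6.5 | MEDIUM | — |
| vendor_debian | 6.5 | MEDIUM | — |
| vendor_redhat | 6.5 | MEDIUM | — |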
Chrome
Long Term Support Channel Update for ChromeOS: CVE-2023-4969
vendor_chrome·2024-01-18·CVSS 6.5
Red Hat
hw: amd: GPU memory leaks
vendor_redhat·2024-01-16·CVSS 6.5
CVE-2023-4969 [MEDIUM] CWE-401
A flaw was found in AMD. This issue occurs when different users or processes execute independent GPU kernels. A compromised AMD GPU kernel could potentially read local memory values from another kernel, which may include private information.
Mitigation: AMD recommends updating to the latest driver version as indicated in the advisory.
Package: kernel (Red Hat Enterprise Linux 6) - Not affected
Package: kernel (Red Hat Enterprise Linux 7) - Not affected
Package: kernel-rt (Red Hat Enterprise Linux 7) - Not affected
Package: kernel (Red Hat Enterprise Linux 8) - Not affected
Packag
Debian
CVE-2023-4969: firmware-nonfree
vendor_debian·2023·CVSS 6.5 [MEDIUM]
A GPU kernel can read sensitive data from another GPU kernel (even from another user or app) through an optimized GPU memory region called _local memory_ on various architectures.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 20240610-1)
sid: resolved (fixed in 20240610-1)
trixie: resolved (fixed in 20240610-1)
GHSA
GHSA-95ph-5wpx-w6gq
ghsa_unreviewed·2024-01-16
CVE-2023-4969 [MEDIUM] CWE-401
A GPU kernel can read sensitive data from another GPU kernel (even from another user or app) through an optimized GPU memory region called _local memory_ on various architectures.
OSV
CVE-2023-4969
osv·2024-01-16·CVSS 6.5 [MEDIUM]
A GPU kernel can read sensitive data from another GPU kernel (even from another user or app) through an optimized GPU memory region called _local memory_ on various architectures.
No detection rules found.
No public exploits indexed.
Bleepingcomputer
AMD, Apple, Qualcomm GPUs leak AI data in LeftoverLocals attacks
blogs_bleepingcomputer·2024-01-17
By Bill Toulas
## LeftoverLocals details
The security flaw stems from the fact that some GPU frameworks do not isolate memory completely and one kernel running on the machine could read values in local memory written by another kernel.
Trail of Bits researchers Tyler Sorensen and Heidy Khlaaf, who discovered and reported the vulnerability, explain that an adversary only needs to run a GPU compute application (e.g. OpenCL, Vulkan, Metal) to read data a user left in the GPU local memory.
"Using these, the attacker can read data that the victim has left in the GPU local memory simply by writing a GPU kernel that dumps uninitialized local memory" - Trail of Bits
LeftoverLocals lets attackers launch a 'listener' - a GPU k
Trailofbits
LeftoverLocals: Listening to LLM responses through leaked GPU local memory
blogs_trailofbits·2024-01-16·CVSS 6.5
We are disclosing LeftoverLocals: a vulnerability that allows recovery of data from GPU local memory created by another process on Apple, Qualcomm, AMD, and Imagination GPUs. LeftoverLocals impacts the security posture of GPU applications as a whole, with particular significance to LLMs and ML models run on impacted GPU platforms. By recovering local memory—an optimized GPU memory region—we were able to build a PoC where an attacker can listen into another user’s interactive LLM session (e.g., llama.cpp) across process or container boundaries, as shown below:
Figure 1: An illustration of how LeftoverLocals can be used to implement an attack on an interactive LLM chat session. The LLM user (left) queries the LLM, while a co-resident attacker (right) can listen to the LLM response.
Leftov
arXiv
LeftoverLocals: Listening to LLM Responses Through Leaked GPU Local Memory
arxiv_fulltext·2024-01-29·CVSS 6.5
Tyler Sorensen (Trail of Bits; University of California, Santa Cruz; Santa Cruz, California, USA)
Heidy Khlaaf (Trail of Bits; New York City, New York, USA)
## Abstract
This paper describes LeftoverLocals: a vulnerability that allows data recovery from GPU memory created by another process on Apple, Qualcomm, and AMD GPUs. LeftoverLocals impacts the security posture of GPU applications, with particular significance to LLMs and ML models that run on impacted GPUs. By recovering local memory – an optimized GPU memory region – we built a PoC where an attacker can listen into another user’s interactive LLM session (e.g., llama.cpp) across process or container boundaries.
## Introduction
This paper is essentially a direct port
Bugzilla
CVE-2023-4969 hw: amd: GPU memory leaks
bugzilla·2023-12-04·CVSS 6.5
When different users or processes execute independent GPU kernels, a compromised GPU kernel could potentially read local memory values from another kernel, which may include private information.
Refer:
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-6010.html
Discussion:
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 2259523]
---
According to the AMD advisory, Host driver release targeted for July 2024. Contact your AMD Customer Engineering representative.
References:
https://blog.trailofbits.com
https://kb.cert.org/vuls/id/446598
https://registry.khronos.org/OpenCL/specs/3.0-unified/html/OpenCL_API.html#_fundamental_memory_regions
https://registry.khronos.org/vulkan/specs/1.3-extensions/html/index.html
https://www.kb.cert.org/vuls/id/446598
Published 2024-01-16