

Now that the Meltdown and Spectre vulnerabilities are largely patched, a new critical vulnerability affecting several Intel CPUs has been disclosed: BranchScope, discovered by researchers from four universities.

It is again a problem in the branch-prediction machinery that underpins speculative execution, specifically in the mechanism a processor uses to guess which way its current computational task will branch next. By exploiting this flaw, an attacker with local code execution could learn secret data held in memory that is otherwise inaccessible to other applications and users.

The vulnerability is related to Spectre Variant 2, but the two target different parts of the branch prediction unit (BPU): BranchScope abuses the directional predictor, the component that decides whether a conditional branch will be taken, whereas Spectre Variant 2 abuses the branch target buffer (BTB), the cache-like structure that records where a branch is predicted to jump. BPUs improve the performance of pipelined processors by guessing the outcome of branch instructions before they are actually resolved. The problem is that when two processes run on the same physical CPU core they share the BPU, so a malicious process can prime the shared predictor state and then, by timing whether its own branches are mispredicted, observe which direction a branch in the targeted application took. If that branch depends on a secret (a key bit, a password byte), the secret leaks.
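What BranchScope observes is the direction of a victim branch, so the victim-side defence is to make sure no branch direction depends on secret data. The following C example is added here to illustrate that point; it is not code from the original post or from the BranchScope researchers. It shows a typical leaky early-exit comparison next to a branchless rewrite, plus a branchless select that replaces a secret-dependent `cond ? a : b`. The function names and the sample bytes are constructed for the example; it does not implement the attacker's predictor-probing side, which needs precise timing and a co-resident process.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Vulnerable victim code: an early-exit comparison. The direction taken by
 * the `if` depends on secret data, so a process sharing the directional
 * branch predictor (the BranchScope scenario) can learn, byte by byte, how
 * far the guess matched the secret. */
int compare_leaky(const uint8_t *secret, const uint8_t *guess, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (secret[i] != guess[i])      /* secret-dependent branch */
            return 0;
    }
    return 1;
}

/* Hardened version: no control flow depends on secret data. All n bytes are
 * always examined, mismatches are accumulated with bitwise operations, and
 * the final result is derived arithmetically rather than with a branch. */
int compare_ct(const uint8_t *secret, const uint8_t *guess, size_t n)
{
    uint32_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint32_t)(secret[i] ^ guess[i]);
    /* diff is in 0..255. (diff - 1) wraps to 0xFFFFFFFF only when diff == 0,
     * so the top bit is 1 exactly for a full match. */
    return (int)((diff - 1) >> 31);
}

/* Branchless select: returns a when cond != 0, otherwise b. Replaces the
 * pattern `secret_bit ? a : b`, which a compiler may lower to a conditional
 * jump whose direction would be visible to a co-resident attacker. */
uint32_t ct_select(uint32_t cond, uint32_t a, uint32_t b)
{
    /* (cond | -cond) has its top bit set for any non-zero cond. */
    uint32_t bit  = (cond | (0u - cond)) >> 31;
    uint32_t mask = 0u - bit;                    /* 0xFFFFFFFF or 0 */
    return (a & mask) | (b & ~mask);
}

int main(void)
{
    /* Constructed sample inputs, not real key material. */
    const uint8_t secret[] = "k3y-b1ts";
    const uint8_t good[]   = "k3y-b1ts";
    const uint8_t bad[]    = "k3y-b2ts";

    printf("leaky: match=%d mismatch=%d\n",
           compare_leaky(secret, good, 8), compare_leaky(secret, bad, 8));
    printf("ct   : match=%d mismatch=%d\n",
           compare_ct(secret, good, 8), compare_ct(secret, bad, 8));
    printf("select: %u %u\n", ct_select(1, 7, 9), ct_select(0, 7, 9));
    return 0;
}
```

Both comparison functions return the same results; the difference is only in what a neighbour on the same core can infer while they run. Compilers are free to turn the branchless forms back into conditional jumps at high optimisation levels, so check the generated code (for example with `objdump -d`) for `jcc` instructions on the secret path. This is a mitigation on the victim side only: it removes the signal, it does not stop two processes from sharing the predictor.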

The BranchScope attack has been demonstrated on three Intel Core i5 and i7 CPUs based on the Sandy Bridge, Haswell and Skylake microarchitectures, so the issue is not confined to older parts: Skylake, the most recent of the three, is fully affected.

Some previous patches can partially mitigate this problem, but new patches (and probably microcode updates as well) should be expected soon.

Note that AMD CPUs have their own, different set of vulnerabilities.
