Exploiting Branch Predictor Race Conditions CVE-2024-45332

[Brahman]

Content source

https://comsec.ethz.ch/wp-content/files/bprc_sec25.pdf

Published: 2025-05-13
Updated: 2025-05-13

Modern branch predictors prevent Spectre v2 attacks by associating predictions with the privilege domain they should be restricted to, or by providing barriers for invalidating predictions when switching contexts. Such branch predictors receive branch resolution and privilege domain feedback asynchronously, but it is unclear whether they always consider the correct order of events. In this paper, we introduce Branch Predictor Race Conditions (BPRC), a class of vulnerabilities where asynchronous branch predictor operations violate hardware-enforced privilege and context separation mechanisms in all recent Intel CPUs. Our analysis reveals three variants, breaching the security boundaries between user and kernel, guest and hypervisor, and across indirect branch predictor barriers. Leveraging BPRC, we introduce Branch Privilege Injection (BPI), a new Spectre v2 primitive that injects arbitrary branch predictions tagged with kernel privilege from user mode. Our end-to-end BPI exploit leaks arbitrary kernel memory from up-to-date Linux systems across six generations of Intel CPUs, at 5.6 KiB/s on Intel Raptor Cove

https://comsec.ethz.ch/wp-content/files/bprc_sec25.pdf

https://www.cve.org/CVERecord?id=CVE-2024-45332