VYPR
← All advisories
Unrated severityNVD Advisory· Published Dec 31, 2002· Updated Jun 16, 2026

CVE-2002-1571

CVE-2002-1571

Description

The linux 2.4 kernel before 2.4.19 assumes that the fninit instruction clears all registers, which could lead to an information leak on processors that do not clear all relevant SSE registers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

48
  • Linux/Kernel48 versions
    cpe:2.3:o:linux:linux_kernel:2.4.0:*:*:*:*:*:*:*+ 47 more
    • cpe:2.3:o:linux:linux_kernel:2.4.0:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.0:test1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.0:test10:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.0:test11:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.0:test12:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.0:test2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.0:test3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.0:test4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.0:test5:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.0:test6:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.0:test7:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.0:test8:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.0:test9:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.1:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.10:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.11:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.12:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.13:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.14:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.15:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.16:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.17:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.18:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.18:pre1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.18:pre2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.18:pre3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.18:pre4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.18:pre5:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.18:pre6:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.18:pre7:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.18:pre8:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.18:*:x86:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.19:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.19:pre1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.19:pre2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.19:pre3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.19:pre4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.19:pre5:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.19:pre6:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.2:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.3:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.4:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.5:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.6:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.7:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.8:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:2.4.9:*:*:*:*:*:*:*
    • (no CPE)range: < 2.4.19

Patches

Vulnerability mechanics

Root cause

"The kernel assumed fninit clears all SSE registers, but on some processors it does not, leaving residual data from previous processes in the XMM register file."

Attack vector

An unprivileged local attacker can run a program that uses SSE registers (compiled with `-march=pentiumpro -msse`). Because the kernel's `init_fpu()` only calls `fninit`, which does not clear SSE registers on affected processors, residual data from a previous process remains in the XMM registers. The attacker can then read that leftover data, leading to an information leak of sensitive kernel or process data [ref_id=1].

Affected code

The vulnerability is in `arch/i386/kernel/i387.c` in the `init_fpu()` function. The kernel assumed that the `fninit` instruction clears all SSE registers, but on Pentium III and Athlon 4 processors it does not clear the MMX or SSE register files. The proposed patch adds explicit `xorq` (MMX) and `xorps` (SSE) instructions to zero those registers after `fninit`.

What the fix does

The patch adds explicit zeroing of all MMX registers (`xorq` instructions) and all SSE registers (`xorps` instructions) inside `init_fpu()` after the `fninit` call. This ensures that no residual data from previous processes remains in the extended register files, closing the information leak. The `load_mxcsr(0x1f80)` call is also moved inside the `cpu_has_xmm` block to ensure it only runs when SSE is actually present [ref_id=1].

Preconditions

  • configThe processor must be a Pentium III or Athlon 4 (or other CPU where fninit does not clear SSE registers)
  • authThe attacker must be able to execute arbitrary user-space code on the affected system
  • configThe kernel must be version 2.4.x before 2.4.19

Generated on Jun 16, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.