VYPR
Medium severity 5.6 · NVD Advisory · Published May 13, 2025 · Updated Apr 15, 2026

CVE-2024-45332

Description

Exposure of sensitive information caused by shared microarchitectural predictor state that influences transient execution in the indirect branch predictors for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2024-45332, also known as Branch Privilege Injection, bypasses Intel's existing Spectre-BTI hardware mitigations via a race condition in branch predictor updates, leaking memory at 5.6 KiB/s.

Vulnerability Details

CVE-2024-45332, named Branch Privilege Injection, is a novel microarchitectural vulnerability affecting Intel processors. The root cause is a race condition in the branch predictor's update mechanism. Branch predictor updates are performed asynchronously and can be delayed by tens or hundreds of cycles under certain conditions. This allows a transient execution window where predictor updates, still associated with the previous privilege level, land after a privilege switch (e.g., user to kernel or guest to hypervisor) or after an Indirect Branch Predictor Barrier (IBPB) instruction. Consequently, predictor state from a higher privilege level becomes accessible to a lower privilege level, breaking Intel's security domain isolation [2].

Attack Vector and Exploitation

The attack requires only local access and an authenticated user context. No special privileges beyond normal user access are needed. The attacker exploits the race condition by first training the indirect branch predictor in one domain (e.g., user space) and then triggering a privilege switch. The delayed, in-flight branch predictor updates, tagged with the wrong privilege level, are then used to influence speculative execution in the higher-privilege context. This allows the attacker to mount traditional Spectre-v2 (branch target injection) attacks, despite Intel's enhanced Indirect Branch Restricted Speculation (eIBRS) and IBPB mitigations being in place [1][2]. The researchers demonstrated an end-to-end exploit leaking arbitrary memory at a rate of 5.6 KiB/s on an up-to-date Ubuntu 24.04 system with all default mitigations enabled, using an Intel Raptor Lake (13th gen) processor [2].

Impact and Affected Processors

An authenticated attacker can leverage this vulnerability to disclose sensitive information from kernel memory or other processes, or, in virtualized environments, from the hypervisor or other virtual machines. The attack bypasses Intel's eIBRS and IBPB, which were previously considered effective against Spectre-BTI. All Intel processors from the 9th generation (Coffee Lake Refresh) onward that implement eIBRS are potentially affected, as the vulnerability exploits a fundamental property of the branch predictor update mechanism [2].

Mitigation Status

Intel has acknowledged the vulnerability and is releasing microcode updates to address it as part of its Intel Platform Update (IPU) 2025.2 [1][3]. The Xen security team also confirms that microcode updates are the primary mitigation, as no software-only workaround is sufficient [3]. Users are advised to apply the latest CPU microcode from their system vendor as soon as it becomes available. There is no evidence that the vulnerability has been exploited in the wild, and it is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
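Because the fix ships as microcode, a fleet check comes down to comparing the revision each logical CPU reports against the vendor's fixed revision. The following is an added example, not code from Intel, Xen or this advisory: it parses Linux `/proc/cpuinfo` text and flags Intel CPU signatures running below an operator-supplied minimum. The `MIN_REVISION` table, the sample text and the function names are assumptions made for illustration; the revision values are placeholders, not the real fixed revisions.

```python
import re
from collections import defaultdict

# Minimum fixed microcode revision per (family, model, stepping), operator-supplied.
# PLACEHOLDER value below: take real ones from your vendor's microcode release notes.
MIN_REVISION = {(6, 183, 1): 0x200}

# Constructed /proc/cpuinfo excerpt (two logical CPUs), not captured from a real host.
SAMPLE = (
    "processor\t: 0\nvendor_id\t: GenuineIntel\ncpu family\t: 6\n"
    "model\t\t: 183\nstepping\t: 1\nmicrocode\t: 0x200\n\n"
    "processor\t: 1\nvendor_id\t: GenuineIntel\ncpu family\t: 6\n"
    "model\t\t: 183\nstepping\t: 1\nmicrocode\t: 0x1ff\n"
)

def parse_cpuinfo(text):
    """Return one dict of field -> value per logical CPU block."""
    cpus = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        fields = {k.strip(): v.strip() for k, _, v in pairs if k.strip()}
        if "processor" in fields:
            cpus.append(fields)
    return cpus

def audit(text, baseline=MIN_REVISION):
    """Map each Intel CPU signature to (status, sorted microcode revisions seen)."""
    seen = defaultdict(set)
    for cpu in parse_cpuinfo(text):
        if cpu.get("vendor_id") != "GenuineIntel" or "microcode" not in cpu:
            continue  # the CVE concerns Intel processors; skip anything else
        sig = tuple(int(cpu[k]) for k in ("cpu family", "model", "stepping"))
        seen[sig].add(int(cpu["microcode"], 16))
    report = {}
    for sig, revs in seen.items():
        if sig not in baseline:
            status = "no-baseline"   # nothing to compare against; look it up
        elif min(revs) < baseline[sig]:
            status = "outdated"      # at least one logical CPU is below the minimum
        else:
            status = "ok"
        report[sig] = (status, sorted(revs))
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))  # on a Linux host: audit(open("/proc/cpuinfo").read())
```

Inside a virtual machine the reported revision is whatever the hypervisor exposes, so run the audit on the host.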

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 28


References: 4
