CVE-2026-31628

Vulnerability

The Linux kernel has addressed a vulnerability in the x86 CPU subsystem affecting AMD Zen1 processors. The hardware divider on Zen1 CPUs, under certain circumstances, leaves partial results from previous operations [1]. This residual data can be observed by another thread running on the same CPU core, leading to a side-channel information leak.

Exploitation

An attacker with local access to the system can run a malicious thread on the same CPU core as a victim thread. By carefully timing or analyzing the divider's residual state, the attacker can infer sensitive information from the victim's computations. No special privileges beyond user-level code execution are required, making this a practical concern for multi-tenant environments or cloud instances sharing physical cores.

Impact

The vulnerability allows an attacker to potentially leak sensitive data such as cryptographic keys, passwords, or other confidential information processed by other threads. The CVSS v3 base score of 5.5 (Medium) reflects the need for local access and the context-dependent nature of the leak, but the consequences could be severe in shared computing scenarios.

Mitigation

The fix, referred to as a "chicken bit," clears the divider's residual state to prevent leakage. Patches have been applied to the Linux kernel stable tree [1]. Users are advised to update their kernels to the latest patched version to mitigate this issue.