Fact-checked by Grok 2 weeks ago

Retbleed

Retbleed is a side-channel affecting modern processors from and , enabling attackers to execute arbitrary speculative code via return instructions and leak sensitive data, such as addresses, through target injection. Disclosed on July 12, 2022, with presentation at the in August 2022, it builds on variant 2 (CVE-2017-5715) by exploiting microarchitectural flaws in return prediction mechanisms, including Intel's Return Stack Buffer (RSB) underflow and AMD's return poisoning. The is tracked under CVE-2022-29900 for processors and CVE-2022-29901 for processors, both rated as medium severity with potential for information disclosure in local attack scenarios. Retbleed impacts a broad array of , including Intel's Skylake-generation processors ( 6th to 8th generations) without enhanced Indirect Branch Restricted Speculation (), as well as newer models like and under certain conditions without updates. On the AMD side, it affects Zen 1 and (including Zen+) architectures across desktop, mobile, and server lines, such as 2000/3000/4000 series, 1st/2nd generations, and Threadripper processors. Verified attacks have demonstrated leakage rates of 219 bytes per second on Intel and 3.9 kB/s on AMD , undermining prior defenses like retpoline by forcing return instructions (RET) to be mispredicted as using the branch target buffer. While primarily tested on x86, similar branch type confusion risks extend to some implementations, though mitigations vary by vendor. As of , real-world exploits have been demonstrated, achieving leakage rates up to 13 KB/s on vulnerable systems. Mitigations for Retbleed involve a combination of updates and software techniques, such as RSB stuffing on platforms to prevent underflow and enhanced retpoline variants on to isolate return predictions. Operating systems like implemented kernel patches in version 5.18, including options like "retbleed=stuff" or "retbleed=auto" for automatic detection and mitigation, while and Apple issued updates for Windows and macOS ecosystems. These fixes introduce performance overheads ranging from 14% to 39% on affected CPUs, with higher costs (up to 209%) for legacy retpoline users, prompting ongoing research into more efficient protections like hardware-isolated return stacks.

Background

Speculative Execution Fundamentals

is a performance optimization technique employed by modern central processing units (CPUs) to anticipate and execute s before their outcomes are definitively known, thereby reducing stalls caused by hazards such as conditional es. In this process, the CPU fetches, decodes, and executes instructions along a predicted , assuming the branch prediction is correct; if the prediction proves wrong, the speculatively executed instructions are discarded, and the is redirected. This approach overlaps execution with branch resolution, enabling higher throughput and improved overall efficiency. Central to are mechanisms like , which allows instructions to be issued and completed in a non-sequential order based on data dependencies rather than program order, further minimizing delays. The branch target buffer (BTB) serves as a cache that stores the target addresses of previously encountered branches, indexed by the branch instruction's to enable rapid prediction of jump destinations. Complementing this, the return stack buffer (RSB) is a specialized last-in, first-out (LIFO) structure that predicts return addresses for procedure calls by pushing the address following a call instruction and popping it upon encountering a , typically holding 8 to 32 entries in architectures. In ARM architectures, the return stack operates similarly as a small circular or FIFO buffer, often with 3 to 8 entries, to handle subroutine returns during . The foundational implementation of advanced in processors emerged with the Pentium 4 in 2000, utilizing the to support deep pipelines and aggressive speculation for clock speeds exceeding 1 GHz, marking a shift toward exploiting for significant performance gains. This evolution continued in subsequent x86 and designs, where enhancements to branch predictors and buffers reduced misprediction penalties from over 20 cycles in early systems to under 10 in modern cores. A inherent risk of speculative execution lies in transient execution, where instructions along a mispredicted path are temporarily processed, leaving persistent microarchitectural side effects—such as alterations to states or entries—that persist after the is aborted. These side effects can be observed and exploited through timing measurements, potentially leaking sensitive information, as demonstrated in early vulnerabilities like and Meltdown.

Related CPU Vulnerabilities

Retbleed represents a later evolution in the class of vulnerabilities, building on earlier attacks that exploited processor prediction mechanisms. One foundational example is Variant 1 (CVE-2017-5753), which targets conditional branch misprediction to bypass bounds checks and access out-of-bounds memory. In this attack, an adversary poisons the Branch Target Buffer (BTB)—a hardware structure that caches recent branch targets—to inject a speculative path leading to a malicious that leaks sensitive through side channels. Spectre Variant 2 (CVE-2017-5715) extends this threat to indirect branches, allowing attackers to manipulate speculative in kernel or cross-process contexts. By poisoning the BTB or similar predictors, the attack redirects indirect jumps or calls to unintended code, evading isolation boundaries and enabling ; early mitigations like retpoline were developed to insert indirect branches with safe barriers, though they introduced performance overhead. Distinct from Spectre's branch-focused exploits, Meltdown (CVE-2017-5754) leverages speculative loads to read kernel memory from user space, exploiting the delayed enforcement of page-table protections during . This allows unauthorized access to privileged data, such as passwords or encryption keys, by speculatively loading and caching the contents before a fault aborts the execution. These vulnerabilities were publicly disclosed in early 2018, following coordinated research by Google Project Zero and other teams, which revealed their potential to undermine core CPU security assumptions across , , and architectures. The revelations prompted industry-wide updates, OS patches, and hardware redesigns to curb speculation, marking a pivotal shift in processor security engineering. Common to all these attacks are side-channel techniques that infer leaked via timing differences in access patterns, enabling the extraction of or inter-process secrets at rates sufficient for practical , such as recovering cryptographic byte-by-byte. Retbleed, disclosed in 2022, emerged as an extension of this lineage by targeting return instruction predictions, further highlighting the persistent challenges in securing .

Technical Description

Core Exploitation Mechanism

Retbleed exploits the speculative execution of return instructions (RET) in modern CPUs by manipulating the Return Stack Buffer (RSB), a dedicated predictor for return targets, to redirect toward attacker-controlled code paths. Unlike typical predictions, the RSB is populated during call-return sequences, but attackers can poison it through unbalanced call stacks or interference, causing the CPU to speculatively fetch and execute unintended instructions as if they were legitimate returns. This misuse allows unprivileged code to inject targets into the predictor structures, enabling cross-privilege boundary that persists even after architectural faults like page faults are resolved. The attack proceeds in several key steps. First, the attacker identifies vulnerable return instructions in kernel code using tools like dynamic tracing (e.g., or ) to locate points where RET can be hijacked, such as deep call stacks on processors that trigger RSB underflow, effectively treating the return as an . Next, the attacker trains the —specifically the Branch Target Buffer (BTB)—with gadget chains, sequences of short instructions that load secret data into registers and perform memory accesses timed to side-channel observables. A speculative RET misprediction is then forced by executing a or similar trigger, causing the CPU to speculatively follow the poisoned predictor entry and execute the gadget chain, even across privilege boundaries. Finally, the effects of this speculation are observed through side channels to recover leaked data. Data leakage occurs via transient side-channel effects from the , such as state changes or execution port contention, which persist briefly after the is squashed. Attackers commonly use the FLUSH+RELOAD technique on pages to detect whether speculative loads accessed secret data, with proof-of-concept implementations achieving leakage rates of up to 219 bytes per second (approximately 1,752 bits per second) on Coffee Lake processors with 98% accuracy, and 3.9 kB per second on Zen 2 with over 99% accuracy. These rates reflect aggregated probes, where each window typically leaks 1-2 bits of information in basic setups, limited by predictor hit rates and noise in side-channel measurements, though no full probabilistic model is derived in the original analysis. In contrast to Variant 2, which poisons indirect branch predictors to leak data, Retbleed specifically targets return instructions and the RSB-BTB interaction, allowing it to bypass retpoline mitigations that replace es with direct jumps or serializing instructions. This focus on returns exploits a distinct prediction pathway, enabling even in environments hardened against attacks, as the RSB is not fully isolated by standard indirect branch restricted (IBRS) protections.

Return Instruction Prediction Flaw

The Return Stack Buffer (RSB), also known as the Return Address Stack (RAS), is a specialized microarchitectural structure in modern CPUs designed to predict the target es of return instructions (RET) following function calls. It operates as a last-in, first-out (LIFO) that pushes the return address onto the buffer during a CALL instruction and pops it to predict the RET target, enabling efficient without relying on slower predictors. However, the RSB has a fixed, limited capacity—typically 8 to 32 entries depending on the processor generation—which makes it vulnerable to underflow in scenarios involving deep call stacks or mismatched CALL/RET pairs. Under such conditions, the RSB empties, forcing the CPU's to fall back to alternative mechanisms, thereby exposing the return prediction process to . A critical weakness arises from the fusion or interaction between the RSB and the Branch Target Buffer (BTB), the primary predictor for indirect branches. In Intel processors, such as those in the Skylake generation, RSB underflow causes the return prediction to revert to BTB entries, blending the dedicated return prediction logic with the more general-purpose BTB that can be poisoned by prior indirect branches. This fallback effectively treats vulnerable RET instructions as indirect jumps, similar to the mechanism exploited in Spectre variant 1, allowing attackers to inject speculative targets across privilege boundaries. On AMD processors, like those in the Zen 2 architecture, the BTB takes precedence over the RSB for all return predictions, regardless of underflow, creating a consistent vulnerability where return targets can be hijacked using precise branch history manipulation without needing stack depth exploitation. These interactions highlight how the microarchitectural design prioritizes prediction accuracy and speed over isolation, enabling speculative code execution that bypasses existing mitigations like retpolines. To illustrate the flaw, consider a hypothetical CPU : In the fetch and decode stages, a RET instruction is identified and the RSB is consulted for the predicted target; if the RSB is full, proceeds along the legitimate path. However, post-decode and during the execute stage, an underflow triggers a BTB lookup, where a poisoned entry can redirect to an attacker-controlled address, initiating transient execution before misprediction resolution. This sequence underscores the timing of after RET decode, where the lack of robust in predictor fallbacks allows leakage of sensitive data through side channels. Similar flaws manifest in ARM processors, where return-equivalent instructions such as POP {PC}—which load a into the —are predicted using the same mechanisms as indirect branches. This design choice exposes these instructions to speculative hijacking under microarchitectural conditions akin to variant 2, particularly in CPUs without enhanced speculation barriers like FEAT_CSV2, allowing unprivileged code to influence privileged returns and leak .

Affected Hardware

Intel Processors

Retbleed affects a wide range of processors due to vulnerabilities in their return stack buffer (RSB) prediction mechanisms, which enable of incorrect return targets under certain conditions. The vulnerability primarily impacts 's x86-64 microarchitectures from Skylake onward, where deep call stacks can cause RSB underflow, allowing attackers to manipulate branch predictions for information disclosure. Affected processor families primarily span from the Skylake generation (introduced in 2015) to (10th generation, 2020) for consumer lines, encompassing 6th to 10th generation processors (such as Core i3, i5, and i7 models), , and variants, as well as Scalable processors from the 1st to 3rd generations (covering Skylake-SP, , Cooper Lake, and Ice Lake-SP). These chips lack full hardware protections against RSB underflow and related branch target injections, making them susceptible to Retbleed exploits that bypass existing Spectre-v2 mitigations like retpoline. For instance, Skylake-based E3 and server models (model 06_5EH) demonstrate exploitable RSB behaviors in testing. The core vulnerability for is documented under CVE-2022-29901, which describes arbitrary memory disclosure via side-channel attacks exploiting RSB underflow on generations 6 through 10. Additional aspects of the attack, such as branch injection via returns, align with CVE-2022-29900 in broader Retbleed disclosures, impacting systems up to 2022 levels without updates. Older Core i3/i5/i7 processors from the Skylake to eras (6th to 10th gen) and server chips like those in and W series are particularly vulnerable without enhanced indirect branch restricted speculation (eIBRS) or RSB stuffing implementations. Hardware and features to mitigate related return prediction issues, such as restricted RSB alternate (RRSBA) disabling, were introduced in (12th generation, 2021) and (13th generation, 2022) onward (models like 06_97H and 06_B7H), which address predictor flaws when combined with software updates; however, full protection requires ongoing patches. As of 2025, lingering risks persist in unpatched systems, such as Skylake-SP-based in 1st-generation Scalable deployments, where outdated leaves RSB protections incomplete and exposes sensitive data in virtualized or multi-tenant environments.

AMD Processors

Retbleed affects processors based on the Zen 1, Zen+, and microarchitectures, introduced in consumer series starting with the 1000 (2017), 2000 (2018), and 3000 (2019) processors, respectively, as well as corresponding and variants. These architectures suffer from a misprediction vulnerability tracked as CVE-2022-29900, where the incorrectly handles instructions, enabling arbitrary speculative code execution and potential leakage of sensitive data across privilege boundaries. In 's Zen 1 and designs, the branch target buffer (BTB) takes precedence over the return stack buffer (RSB) for predictions, allowing attackers to hijack returns without needing RSB underflow, a flaw that facilitates more reliable exploitation compared to some other implementations. Server-oriented EPYC processors from the first generation (codename , based on Zen 1) through the second generation (codename , based on ) are also vulnerable, exposing environments to risks such as disclosure via . The shared nature of the BTB across and privilege domains in these generations enhances the effectiveness of predictor attacks, where malicious code can influence predictions to leak information at rates exceeding 10 kB/s with high accuracy on tested EPYC hardware. Later generations, including ( 5000 series, 2020) and ( 7000 series, 2022), incorporate architectural changes that prevent cross-privilege return , rendering them unaffected by the core Retbleed mechanism. The third-generation processors (codename , ) and subsequent architectures up to (introduced in 2024 with 9000 series) feature hardware-level mitigations that eliminate the return misprediction flaw, though older vulnerable systems continue to require ongoing support for legacy deployments. This vulnerability shares fundamental principles with those impacting processors, but manifests distinctly in AMD's predictor design.

Discovery and Disclosure

Research Origins

Retbleed was identified by researchers Johannes Wikner and Kaveh Razavi from the Computer Security Group at in 2022. This work built upon earlier investigations, demonstrating vulnerabilities in modern processors. The initial findings emerged from audits conducted between 2021 and 2022, focusing on the effectiveness of retpoline mitigations against branch target injection attacks. The team reverse-engineered branch prediction behaviors, uncovering flaws in how return instructions were handled, which allowed speculative hijacking despite retpoline protections designed to serialize indirect branches. This analysis showed that returns could be mispredicted and exploited in a manner akin to vulnerable branches, bypassing existing defenses on affected hardware. To illustrate the vulnerability's practicality, the researchers published proof-of-concept exploit code that achieved leakage of pointers via in browsers, confirming arbitrary speculative code execution in kernel context on fully patched systems. Leakage rates, such as 219 bytes per second on processors with 98% accuracy, underscored the attack's feasibility for extracting sensitive data. The discovery involved collaborative validation with security teams from , , and , with initial disclosures made in February 2022 to enable coordinated development. This partnership contributed to software and firmware updates addressing the issue across affected platforms.

CVE Assignment and Public Reveal

The Retbleed vulnerability was first privately disclosed to affected vendors, including and , in February 2022 by researchers from ETH Zurich's Systems Security Group, allowing time for initial analysis and preparation of responses. This coordinated effort followed standard responsible disclosure practices, with the research team informing of their planned public announcement in June 2022 to align mitigation releases. The vulnerabilities received formal CVE assignments as CVE-2022-29900 for processors and CVE-2022-29901 for processors. In parallel, issued a security advisory acknowledging Retbleed's potential impact on their processors, recommending software mitigations without assigning a dedicated CVE, as the issue stemmed from similar return prediction flaws. Public disclosure occurred on July 12, 2022, and the findings were presented at the Security Symposium (August 10–12, 2022), including proof-of-concept exploits demonstrating information leakage from kernel memory. The disclosure was synchronized with vendor security bulletins from , , and , providing detailed guidance on affected hardware and initial software workarounds, though full hardware fixes required subsequent updates. Initial media coverage emerged immediately following the , with reports emphasizing the broad risks to environments, desktops, and servers due to Retbleed's ability to bypass existing v2 mitigations like retpoline. Analyses highlighted the vulnerability's real-world implications, such as potential extraction of sensitive data like root password hashes in under 30 minutes on vulnerable systems.

Mitigations

Software-Based Solutions

Software-based solutions for mitigating Retbleed primarily involve enhancements to retpoline, a technique originally developed to counter Spectre Variant 2 (Branch Target Injection) by replacing indirect branches with a sequence of instructions that prevent speculative misprediction. Retbleed exploits the return instruction predictor within retpoline implementations, allowing attackers to speculate to unintended targets when the Return Stack Buffer (RSB) underflows. To address this, retpoline has been updated with RSB stuffing, which fills the RSB with known safe return addresses during context switches or deep call stacks, preventing underflow and blocking speculative leakage across security boundaries. This approach, known as Call Depth Tracking RSB stuffing, was integrated into the Linux kernel in version 5.18 (2022), with ongoing refinements in subsequent releases to protect against Retbleed's RSB-underflow variants. Compiler-level protections build on retpoline by generating code that incorporates RSB safeguards. In and , the -mretpoline flag instructs the compiler to emit retpoline sequences for indirect branches and calls, including mechanisms to stuff the RSB and avoid predictor poisoning. This flag, combined with kernel-side RSB filling, ensures that user-space and kernel code resist Retbleed exploitation by maintaining a protected RSB state, particularly effective on affected and processors where hardware flaws allow return misprediction. Operating system vendors have deployed Retbleed mitigations through kernel and security updates. The enables these protections by default in versions 5.18 and later via the retbleed=stuff parameter or automatic detection, applying RSB stuffing on vulnerable CPUs. incorporated Retbleed defenses into and 11 through cumulative updates released in July 2022 and onward, leveraging enhanced retpoline and Hyper-V's HyperClear technology for isolation without requiring separate patches. Apple has implemented broader mitigations in macOS updates since 2022, including for Intel-based systems. In virtualized environments, software mitigations extend to guest isolation via RSB filling on VM exits and entries. The KVM , used with , implements RSB stuffing during context switches between host and guests, preventing cross-VM data leaks from Retbleed speculation; this is automatically enabled on supported kernels for affected hardware.

Hardware and Firmware Updates

To address Retbleed on processors, updates enhancing Return Stack Buffer (RSB) isolation were deployed for Skylake-generation and later CPUs, building on existing v2 mitigations to prevent speculative underflow attacks. These updates, released in 2022, include revisions such as those enabling enhanced Indirect Branch Restricted Speculation (eIBRS) and RSB Alternate Predictor Disable (RRSBA) features on supported hardware. For processors, updates released in mid-2022 incorporated patches for Zen 1 through architectures, tweaking Branch Target Buffer (BTB) and RSB predictors to mitigate speculative mispredictions central to Retbleed. These changes primarily target indirect jumps and return stack overflows, with the patches automatically setting bits on affected systems. Deployment of these mitigations requires BIOS or UEFI firmware updates from motherboard vendors, as microcode patches are loaded during boot; post-2022 Intel chips, such as the 13th-generation Core series (Raptor Lake), include partial silicon-level protections like RRSBA enumeration, reducing reliance on software interventions. Software-based complements, such as RSB stuffing, may still be necessary alongside these hardware changes for full protection. As of 2025, related vulnerabilities like Speculative Return Stack Overflow (SRSO) have led to additional firmware updates, but Retbleed mitigations remain focused on 2022-era patches.

Impact and Developments

Performance and Security Trade-offs

The mitigations for Retbleed, particularly those involving return stack buffer (RSB) stuffing and prediction adjustments, introduce notable performance overheads on affected hardware. According to the original research from , full software mitigations result in an average performance degradation of 14% on Zen architectures and up to 39% on processors when evaluated using Unixbench workloads on kernels. These overheads stem primarily from the need to insert speculative barriers and stuff the RSB to prevent underflow attacks, which disrupts normal branch prediction and increases cache pressure. In practice, the jmp2ret mitigation for systems incurs a more modest 5-6% overhead in general workloads, though this rises significantly when combined with disabling () for enhanced security, leading to up to 38% losses in single-threaded scenarios. In virtualized environments, such as cloud deployments running guests on , the performance impact can be amplified due to frequent context switches and shared hardware resources. Benchmarks conducted by VMware's performance team on Skylake-based servers showed compute-intensive tasks suffering up to a 70% with Retbleed mitigations enabled in 5.19, alongside 30% drops in networking throughput and 13% in storage I/O. This heightened penalty arises from the mitigation's interaction with scheduling, exacerbating speculation window closures and RSB refill operations during VM transitions. Despite these costs, partial mitigations—such as selective application of indirect branch restricted (IBRS)—offer a compromise, reducing overhead to around 20-30% while still leaving some residual risks, particularly in multi-tenant setups. From a perspective, these performance trade-offs yield substantial benefits by narrowing windows, effectively blocking Retbleed's ability to leak kernel memory across privilege boundaries or virtual machines. The analysis demonstrates that RSB stuffing and related techniques prevent arbitrary speculative code execution via return instructions, mitigating cross-VM information disclosure in cloud environments where unpatched systems could enable rapid key extraction attacks at rates exceeding 200 bytes per second on vulnerable hardware. Full mitigations, including mandatory SMT disablement on certain AMD Zen 1 systems, eliminate these vectors entirely but at the expense of multi-threaded throughput, potentially halving effective core utilization in parallel workloads. Administrators must weigh these factors, often opting for runtime toggling of mitigations in low-risk scenarios to balance postures with operational efficiency.

Recent Variants and Ongoing Research

In August 2025, researchers unveiled "Retbleed Reloaded," a novel exploitation technique targeting the Retbleed vulnerability's unpatched Return Stack Buffer (RSB) in hybrid and systems, enabling attackers to perform arbitrary memory reads across processes. This variant leverages on return instructions to bypass existing protections, allowing access to sensitive host physical memory without requiring . Unlike the original 2022 disclosure, it has not yet received a dedicated CVE , underscoring persistent gaps in multi-vendor environments. Academic from 2023 to 2025 has advanced understanding of cross-architecture information leaks inspired by Retbleed, emphasizing 's role in bridging processor boundaries. Ongoing initiatives include CISA advisories on known exploited vulnerabilities related to flaws. Future risks center on evolving mitigations for accelerators, where similar speculation mechanisms enable high-resolution side-channel attacks; for example, the 2025 GateBleed technique exploits in on-core accelerators to infer parameters at rates exceeding 90% accuracy. These developments highlight the need for hardware redesigns in speculative components to counter persistent threats in accelerated computing.

References

  1. [1]
    None
    ### Summary of Retbleed Paper (https://comsec.ethz.ch/wp-content/files/retbleed_sec22.pdf)
  2. [2]
    Retbleed: Arbitrary Speculative Code Execution with Return ...
    Retbleed (CVE-2022-29900 and CVE-2022-29901) is the new addition to the family of speculative execution attacks that exploit branch target injection to leak ...
  3. [3]
    https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1037
  4. [4]
    Return Stack Buffer Underflow / CVE-2022-29901, CVE-2022-28693 /...
    ### Summary of Retbleed Vulnerability
  5. [5]
    Hardware Features and Behaviors Related to Speculative Execution
    Sep 13, 2024 · Modern processors use speculative execution to provide higher performance, more efficient resource utilization, and better user experiences. The ...
  6. [6]
    [PDF] Speculative Execution - Wei Wang
    “Speculative execution is an optimization technique where a computer system performs some task that may not be needed or should not be executed.” ○ Branch ...
  7. [7]
    [PDF] Spectre Returns! Speculation Attacks using the Return Stack Buffer
    The RSB is a hardware stack buffer where the processor pushes the return addresses every time a call instruction is executed and uses that as a return target ...
  8. [8]
    [PDF] Dynamic Branch Prediction (Continued) Branch Target Buffer
    Branch prediction buffers contain prediction about whether the next branch will be taken (T) or not. (NT), but it does not supply the target PC value. A. Branch ...
  9. [9]
    [PDF] Branch Target Buffer Design and Optimization
    Dec 23, 1989 · A Branch Target Buffer (BTB) reduces branch performance penalties by predicting the branch path and caching information, such as branch tags ...
  10. [10]
    Return stack - Arm Developer
    The return stack is a three-entry circular buffer used for the prediction of procedure calls and procedure returns. Only unconditional procedure returns are ...Missing: RSB mechanics x86- 64
  11. [11]
    [PDF] NetBurst™ Micro-Architecture of the Intel Pentium
    The Pentium 4 processor employs the following techniques to speed up the execution of memory operations: ▫ speculative execution of loads. ▫ reordering of ...
  12. [12]
    [PDF] Reverse Engineering of Intel's Branch Prediction
    Speculative execution is a key feature in modern processors that leverages multiple mi- croarchitectural elements to optimize runtime performance. This is ...
  13. [13]
    [PDF] A Systematic Evaluation of Transient Execution Attacks and Defenses
    Aug 14, 2019 · These attacks exploit transient execution to encode secrets through microarchitectural side effects (e.g., cache state) that can later be ...
  14. [14]
    [PDF] Exploiting Speculative Execution - Spectre Attacks
    Since speculative execution leaves measurable side effects, this is an extremely powerful means for attackers, for example exposing victim memory even in ...
  15. [15]
    Branch Target Injection / CVE-2017-5715 / INTEL-SA-00088
    Jan 3, 2018 · Retpoline is known to be an effective branch target injection mitigation on Intel processors belonging to family 6 (enumerated by the CPUID ...
  16. [16]
    Meltdown and Spectre
    CVE-2017-5754 is the official reference to Meltdown. CVE is the Standard for Information Security Vulnerability Names maintained by MITRE. Can I see Meltdown in ...Missing: loads | Show results with:loads
  17. [17]
    Reading privileged memory with a side-channel - Google Project Zero
    Jan 3, 2018 · We have discovered that CPU data cache timing can be abused to efficiently leak information out of mis-speculated execution.Missing: timeline | Show results with:timeline
  18. [18]
    Arm CPU Security Bulletin: Spectre/Meltdown
    Jul 23, 2025 · Variant 3: using speculative memory reads of inaccessible data (CVE-2017-5754) ... loads despite the presence of a dependency (CVE-2018-3639).
  19. [19]
    comsec-group/retbleed: Arbitrary Speculative Code ... - GitHub
    We evaluate the following: Leakage rate with ideal gadgets. Leakage rate with our discovered gadgets; Leaking /etc/shadow. Optimal leakage rate.Missing: bits probe
  20. [20]
    Arm CPU Security Update: Retpoline Return Instructions
    Mar 14, 2025 · CPUs that are vulnerable to Spectre variant 2 using indirect branches could also be vulnerable to RETBLEED using return instructions. Arm ...
  21. [21]
    Affected Processors: Transient Execution Attacks & Related Security...
    Review the impact of transient execution attacks and select security issues on currently supported Intel products.
  22. [22]
    https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html
  23. [23]
    Retbleed security vulnerability affecting Skylake processors used in ...
    This vulnerability affects Intel Skylake-SP "1st Generation Intel Xeon Scalable Processor" used in some Teradata platforms.
  24. [24]
    AMD CPU Branch Type Confusion
    ### Summary: Retbleed for AMD
  25. [25]
    Following Retbleed, The Combined CPU Security Mitigation Impact ...
    Sep 6, 2022 · As a reminder, Retbleed on the AMD side affects only Zen 2 CPUs and older -- not current generation Zen 3 or the upcoming Zen 4 processors.
  26. [26]
    [PDF] Arbitrary Speculative Code Execution with Return Instructions
    Aug 12, 2022 · Retbleed is a Spectre-BTI attack that leaks kernel memory by exploiting return instructions to gain arbitrary kernel-level speculative code ...
  27. [27]
    [PDF] RETBLEED: Arbitrary Speculative Code Execution with Return ...
    Jul 12, 2022 · Modern CPUs rely on speculative execution of code to improve the overall performance by reducing stalling. The BPU, located early in the ...Missing: explanation | Show results with:explanation
  28. [28]
    Return Address Security Bulletin - AMD
    “Zen 3” and “Zen 4” based systems will require the µcode patch, which is incorporated in the BIOS update, prior to enabling OS configuration options. Datacenter.Missing: 5 | Show results with:5
  29. [29]
    New working speculative execution attack sends Intel and AMD ...
    Jul 12, 2022 · Their Retbleed proof-of-concept works against Intel CPUs with the Kaby Lake and Coffee Lake microarchitectures and AMD Zen 1, Zen 1+, and Zen 2 ...
  30. [30]
    AMD, Intel chips vulnerable to 'Retbleed' Spectre variant
    Jul 12, 2022 · Older AMD and Intel chips are vulnerable to yet another Spectre-based speculative-execution attack that exposes secrets within kernel memory despite defenses ...
  31. [31]
    Retpoline: A Branch Target Injection Mitigation - Intel
    Aug 22, 2022 · The indirect branch predictor uses information about previously-executed branches to predict the destinations of future indirect branches.
  32. [32]
    Stuffing the return stack buffer - LWN.net
    Jul 22, 2022 · In recent Intel processors, there is a special hidden data structure called the "return stack buffer" (RSB) that caches return addresses for speculation.
  33. [33]
    RSB-related mitigations - The Linux Kernel documentation
    If a RET is executed when the RSB buffer is empty due to mismatched CALLs/RETs or returning from a deep call stack, the branch predictor can fall back to using ...
  34. [34]
    Microsoft Touts HyperClear Protection Against RETbleed and Other ...
    2022年7月21日 · Microsoft announced on Tuesday that its HyperClear technology used with its Hyper-V hypervisor offers protections against new speculative ...
  35. [35]
    https://docs.kernel.org/admin-guide/hw-vuln/rsb.html
  36. [36]
    Benchmarking The Linux Mitigated Performance For Retbleed
    Jul 13, 2022 · In the Retbleed whitepaper by ETH Zurich COMSEC researchers, they characterized the mitigations as result in 14~39% overhead.Missing: IPC loss
  37. [37]
    Retbleed Vulnerability Exploited to Access Any Process's Memory ...
    Aug 8, 2025 · Security researchers have successfully demonstrated a sophisticated exploit of the Retbleed vulnerability, a critical CPU security flaw.Missing: core | Show results with:core
  38. [38]
    ESXi VM Performance Tanks Up To 70% Due To Intel Retbleed ...
    Sep 9, 2022 · VMware's performance engineering team today announced a performance regression in Linux 5.19 affecting compute performance up to -70%, ...
  39. [39]
    VMware: 70% drop in Linux ESXi VM performance with Retbleed fixes
    Sep 12, 2022 · VMware is warning that ESXi VMs running on Linux kernel 5.19 can have up to a 70% performance drop when Retbleed mitigations are enabled compared to the Linux ...Missing: enhancements | Show results with:enhancements
  40. [40]
    The 'Retbleed' speculative execution vulnerabilities - LWN.net
    Jul 12, 2022 · Our performance evaluation shows that mitigating Retbleed has unfortunately turned out to be expensive: we have measured between 14% and 39% ...
  41. [41]
    Retbleed Vulnerability Allows Arbitrary Memory Access on Modern ...
    Aug 8, 2025 · The vulnerability exploits speculative execution in CPU return instructions, allowing attackers to read all data in host physical memory.
  42. [42]
    Blog: Exploiting Retbleed in the real world - Live Threat Intelligence
    Aug 7, 2025 · It was initially disclosed in 2022 and allows attackers to leak sensitive information by exploiting the way CPUs predict return addresses during ...
  43. [43]
    [PDF] Exploiting Inaccurate Branch History in Side-Channel Attacks
    This paper examines history-based branch prediction and assesses potentially vulnerable behaviors inad- vertently implemented in processors. Through extensive ...
  44. [44]
    Known Exploited Vulnerabilities Catalog | CISA
    CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild. Organizations should use the KEV catalog as an input to their ...Missing: speculative | Show results with:speculative
  45. [45]
    [PDF] Machine Learning and Side-Channel Attacks on Post-Quantum ...
    Multiple side-channel studies have demonstrated key recovery through power analysis and deep learning profiling attacks [15,23,28]. • CRYSTALS-Dilithium: A ...
  46. [46]
    GateBleed: Exploiting On-Core Accelerator Power Gating for High ...
    Oct 17, 2025 · To the authors' knowledge, this is the first side-channel attack on AI privacy that exploits hardware accelerator power optimizations.
  47. [47]
    A Comprehensive Survey of Side-Channel Attacks on Memory - arXiv
    May 8, 2025 · This work aims to provide a comprehensive overview of memory-based side-channel attacks with the goal of providing significant insights for researchers and ...