
First native Spectre V2 exploit discovered against Linux kernel


The cybersecurity world has been rattled by the discovery of the ‘first native Spectre V2’ exploit against the Linux kernel on Intel CPUs. This revelation has raised immediate concerns about the security of Intel systems and the adequacy of current Spectre mitigations.

Researchers from Vrije Universiteit Amsterdam, Sander Wiebing, Alvise de Faveri Tron, Herbert Bos, and Cristiano Giuffrida, developed a tool called InSpectre Gadget, designed to analyse Spectre gadgets in depth and assess their exploitability with precision.

Unlike previous tools that either oversimplify or overestimate gadget exploitability, InSpectre Gadget employs symbolic execution to model data constraints and advanced exploitation techniques accurately. The tool identified over 1,500 potential Spectre gadgets within the Linux kernel alone, exposing a significant residual attack surface.

This breakthrough represents a significant advancement in vulnerability exploitation strategies. The exploit, leveraging the recent BHI variant (CVE-2024-2201), can leak arbitrary kernel memory at a substantial rate, highlighting both the seriousness and the complexity of the vulnerability.

These discoveries have profound implications. The researchers successfully crafted the first native Spectre-v2 exploit against the Linux kernel on recent Intel CPUs, demonstrating the ability to leak kernel memory at a rate of 3.5 kB/sec without relying on eBPF.

These flaws circumvent deployed Intel mitigations, underscoring the ongoing challenges in adequately addressing Spectre vulnerabilities.

InSpectre Gadget overview. | Source: VUSec

The BHI variant, unveiled in 2022, demonstrates that despite previous mitigations, cross-privilege Spectre v2 attacks remain feasible on the latest Intel CPUs.

Poisoning of the CPU’s Branch Target Buffer (BTB) is central to this technique: by manipulating the CPU’s branch predictors, an attacker can redirect speculative control flow in the kernel.

The revelation of these native Spectre V2 exploits underscores the difficulties of comprehensively mitigating Spectre vulnerabilities. Initial mitigation measures, such as disabling unprivileged eBPF, are being reevaluated in light of the exploit’s capabilities.
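A defender-side check for the two points above, the kernel's reported Spectre v2/BHI mitigation state and whether unprivileged eBPF is disabled, as an added example that is not from the article or from VUSec. It assumes the standard Linux sysfs and sysctl paths and the `key: value; ...` layout of the spectre_v2 status line; the BHI field is only reported by kernels that carry the BHI mitigation code.

```python
"""Added example (not from the article or VUSec): report the Linux kernel's
Spectre v2 / BHI mitigation state and the unprivileged eBPF setting."""
from pathlib import Path

# Standard Linux paths, assumed present on any recent kernel.
SPECTRE_V2_SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/spectre_v2")
UNPRIV_BPF_SYSCTL = Path("/proc/sys/kernel/unprivileged_bpf_disabled")

def parse_spectre_v2(status: str) -> dict:
    """Split a line such as 'Mitigation: Enhanced / Automatic IBRS; IBPB: conditional;
    RSB filling; BHI: BHI_DIS_S' into a dict: the first field is kept whole under
    'state', later fields become key -> value, value-less flags map to ''."""
    fields = [f.strip() for f in status.split(";") if f.strip()]
    parsed = {"state": fields[0] if fields else ""}
    for field in fields[1:]:
        key, _, value = field.partition(":")
        parsed[key.strip()] = value.strip()
    return parsed

def assess(parsed: dict) -> dict:
    """Overall Spectre v2 state plus the BHI field newer kernels report.
    A BHI value starting with 'Vulnerable' means no BHI mitigation is active;
    an absent field (older kernel without BHI reporting) is 'unknown'."""
    state = parsed["state"]
    v2 = "mitigated" if state.startswith(("Mitigation:", "Not affected")) else "vulnerable"
    bhi = parsed.get("BHI")
    if bhi is None:
        bhi_state = "unknown"
    else:
        bhi_state = "vulnerable" if bhi.startswith("Vulnerable") else "mitigated"
    return {"spectre_v2": v2, "bhi": bhi_state}

def unprivileged_bpf_state(value: str) -> str:
    """kernel.unprivileged_bpf_disabled: 0 = enabled, 1 = disabled,
    2 = disabled and cannot be re-enabled until reboot."""
    return {"0": "enabled", "1": "disabled", "2": "disabled (locked)"}.get(value.strip(), "unknown")

def report() -> dict:
    """Read the live values; a missing path is reported as 'unavailable'."""
    try:
        result = assess(parse_spectre_v2(SPECTRE_V2_SYSFS.read_text()))
    except OSError:
        result = {"spectre_v2": "unavailable", "bhi": "unavailable"}
    try:
        result["unprivileged_bpf"] = unprivileged_bpf_state(UNPRIV_BPF_SYSCTL.read_text())
    except OSError:
        result["unprivileged_bpf"] = "unavailable"
    return result
```

Run `report()` on a host to see all three values; a result of `"bhi": "unknown"` means the running kernel predates BHI reporting and should be checked against the distribution's advisory for CVE-2024-2201.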

Experts emphasise the urgent need for robust hardware-based mitigations and enhanced software defences to effectively mitigate the risks of Spectre vulnerabilities.

The implications of this native Spectre V2 exploit extend to all Intel systems previously impacted by Spectre vulnerabilities. The successful demonstration of the exploit highlights the critical need for Intel and system administrators to reassess their security strategies and implement proactive measures to defend against similar exploits.

In addition to the exploit demonstration, this research contributes significantly to advancing the understanding of Spectre vulnerabilities and exploitation techniques.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
