INFBA-2025:9433: microcode_ctl security update
Information about definition
Identifier: INFBA-2025:9433
Type: bugfix
Release date: 2025-07-25 10:39:57 UTC
Information about package
The microcode_ctl packages provide microcode updates for Intel and AMD processors.
Vulnerabilities description
- CVE-2024-28956
New Spectre-v2 attack classes have been discovered within CPU architectures that enable self-training exploitation of speculative execution within the same privilege domain. These novel techniques bypass existing hardware and software mitigations, including IBPB, eIBRS, and BHI_NO, by leveraging in-kernel gadgets (potentially accessible via SECCOMP/cBPF), Branch Target Buffer (BTB) aliasing, and direct-to-indirect branch predictor training. While the root cause lies in CPU architectural behavior, the vulnerability manifests through kernel-level speculation paths, allowing attackers to potentially leak sensitive memory.
- CVE-2024-43420
Exposure of sensitive information caused by shared microarchitectural predictor state that influences transient execution for some Intel Atom(R) processors may allow an authenticated user to potentially enable information disclosure via local access.
- CVE-2024-45332
Exposure of sensitive information caused by shared microarchitectural predictor state that influences transient execution in the indirect branch predictors for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
- CVE-2025-20012
Incorrect behavior order for some Intel(R) Core™ Ultra Processors may allow an unauthenticated user to potentially enable information disclosure via physical access.
- CVE-2025-20623
Exposure of sensitive information caused by shared microarchitectural predictor state that influences transient execution for some Intel(R) Core™ processors (10th Generation) may allow an authenticated user to potentially enable information disclosure via local access.
- CVE-2025-24495
Incorrect initialization of resource in the branch prediction unit for some Intel(R) Core™ Ultra Processors may allow an authenticated user to potentially enable information disclosure via local access.
Bug Fix
- Update microcode_ctl to latest upstream [rhel-9.6.z].
- microcode_ctl: From CVEorg collector [rhel-9.6.z] (JIRA:RHEL-91226)
- microcode_ctl: From CVEorg collector [rhel-9.6.z] (JIRA:RHEL-91233)
- microcode_ctl: From CVEorg collector [rhel-9.6.z] (JIRA:RHEL-91241)
Severity level
CVE | Score CVSS 2.0 | Score CVSS 3.x | Score CVSS 4.0 |
---|---|---|---|
NIST — CVE-2024-28956 | no information | 5.6 | no information |
NIST — CVE-2024-43420 | no information | 5.6 | no information |
NIST — CVE-2024-45332 | no information | 5.6 | no information |
NIST — CVE-2025-20012 | no information | 5.6 | no information |
NIST — CVE-2025-20623 | no information | 5.6 | no information |
NIST — CVE-2025-24495 | no information | 5.6 | no information |
Updated packages