Gather Data Sampling (GDS), also known as Downfall (CVE-2022-40982), is a significant vulnerability affecting Intel x86-64 CPUs: the 6th through 11th generations of consumer chips and the 1st through 4th generations of Xeon. The flaw impacts memory optimization features in these processors and allows untrusted software to access data stored by other programs that should not normally be accessible. It was discovered by Moghimi, who found that the Gather instruction, designed to speed up access to scattered data in memory, leaks the content of the internal vector register file during speculative execution.
To exploit this vulnerability, Moghimi introduced two attack techniques: Gather Data Sampling (GDS) and Gather Value Injection (GVI). These techniques allow attackers to steal CPU data and manipulate microarchitectural data injections. According to Moghimi's research paper, both were developed specifically as part of the Downfall exploit. They leverage "gather", a feature intended to speed up access to scattered data in memory that instead leaks sensitive data during speculative execution.
Intel refers to the vulnerability as Gather Data Sampling (GDS) and has issued a security advisory (INTEL-SA-00828) for it. The company has also reserved CVE-2022-40982 as the CVE-ID for this flaw. Despite the severity of the flaw, Intel's proactive response suggests that mitigation strategies are underway to address this major security concern.
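To check whether a given host is mitigated, the following added example (not part of the original description or of Intel's advisory) classifies the GDS status that Linux reports in sysfs. It assumes a Linux host whose kernel exposes the `gather_data_sampling` vulnerabilities file; the function names and verdict labels are hypothetical.

```shell
#!/bin/sh
# Added example: classify the Linux kernel's GDS (Downfall) mitigation status.
# Assumption: the kernel exposes the sysfs file below; older kernels do not.
GDS_SYSFS="${GDS_SYSFS:-/sys/devices/system/cpu/vulnerabilities/gather_data_sampling}"

# gds_classify STATUS
# Maps a status string, as reported by the Linux kernel, to a short verdict.
gds_classify() {
    case "$1" in
        "Not affected")               echo "not_affected" ;;
        "Mitigation: Microcode"*)     echo "mitigated" ;;          # includes "(locked)"
        "Mitigation: AVX disabled"*)  echo "mitigated_avx_off" ;;  # no microcode, AVX turned off
        "Vulnerable: No microcode")   echo "needs_microcode" ;;
        "Vulnerable"*)                echo "vulnerable" ;;         # mitigation switched off
        "Unknown"*)                   echo "unknown_hypervisor" ;; # guest cannot see host state
        "")                           echo "no_report" ;;
        *)                            echo "unrecognized" ;;
    esac
}

# gds_status
# Reads the sysfs file (path overridable via GDS_SYSFS) and prints the verdict.
gds_status() {
    if [ -r "$GDS_SYSFS" ]; then
        gds_classify "$(cat "$GDS_SYSFS")"
    else
        # File absent: kernel predates GDS reporting, or this is not Linux.
        echo "no_report"
    fi
}

echo "GDS status on this host: $(gds_status)"
```

A `needs_microcode` or `no_report` verdict means the host needs a microcode or kernel update before its state can be trusted; `unknown_hypervisor` has to be resolved on the virtualization host, not in the guest.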
Description last updated: 2024-05-04T16:13:29.539Z