In March 2022, AMD published details about a new security vulnerability affecting several of its processors. Assigned as CVE-2022-27672, this bug revolves around Simultaneous MultiThreading (SMT) and the improper speculative execution of instructions. Simply put, when SMT is enabled, some AMD CPUs may let a thread peek at data coming from its sibling, exposing potentially sensitive information. This post helps you understand the vulnerability, see sample code, and grasp the risk.
What is CVE-2022-27672?
CVE-2022-27672 is a vulnerability that affects some AMD CPUs that support SMT (think of SMT as AMD’s form of Hyper-Threading). It's about how these CPUs handle speculative execution — a feature designed to speed up processing by guessing what instructions might be needed next.
SMT allows each physical CPU core to act like two logical cores or threads. When you switch the SMT mode or context, instructions from one thread might, in some cases, get executed using data meant for the sibling thread — i.e., the other "logical core" running on the same physical core.
Normally, there should be strong separation, but this bug cracks that wall a bit, enabling information disclosure. An attacker running on one logical CPU could, in rare circumstances, infer data from another.
How it Works
When SMT is enabled and active on AMD processors, and the OS or application uses both threads, switching the SMT mode may not flush all hardware structures. Speculative execution — the CPU's habit of "guessing ahead" to save time — may use a stale or incorrect branch prediction resource. Instructions from the sibling thread can influence what the CPU "sees," leaking private details through microarchitectural state like caches or branch prediction buffers.
A Simple Exploit Scenario
Suppose Alice and Bob are both logged into the same server. If Alice is running sensitive code, and Bob can schedule code on the same CPU core, Bob could try repeatedly executing certain instructions, measuring execution time, to see what Alice is doing.
Here’s a simplified version inspired by classic side-channel attacks
// Victim: Alice's process
char secret = 'M';
// secret is stored near 'protected_memory' in RAM
// Attacker: Bob's process running on sibling thread
for (int i = ; i < 256; i++) {
flush(protected_memory + i); // Make sure cache lines are cold
}
// Wait for context switch / SMT mode switch to align with Alice
// Now, Bob performs speculative memory access
for (int i = ; i < 256; i++) {
t = timestamp();
junk = *(protected_memory + i); // Try to access each possible value
t1 = timestamp();
timings[i] = t1 - t;
}
// Analyze timings: if access to index '77' is faster, secret == 'M' (ASCII 77)
Note: Real exploits are more complex and rely on carefully controlling thread scheduling and cache flushing, but this gives you the basic idea.
What CPUs Are Affected?
- AMD CPUs with SMT enabled, especially recent Zen-architecture chips (see AMD advisory).
Are You at Risk?
- *Needs local access:* An attacker must run code on your machine and line up on the same physical core as the victim.
Disabling SMT if you handle sensitive workloads and can’t risk any leakage.
- Applying Firmware Updates: AMD released microcode updates to clean up speculative state during SMT transitions.
- Use OS Patches: Linux kernel has begun offering mitigations (Linux kernel commit).
Official References
- AMD Security Bulletin - AMD-SB-1032
- CVE-2022-27672 on NIST NVD
Final Thoughts
CVE-2022-27672 is another example of how speculative execution — something that’s meant to boost performance — can be twisted to skirt privacy boundaries inside modern CPUs. While attacks are not trivial, shared environments like the cloud should pay close attention.
Be sure to apply the latest firmware and kernel updates, and consider turning off SMT for especially sensitive systems.
If you want more details or have questions about how side-channel attacks work, comment below or check out Project Zero’s blog for deep dives into microarchitectural issues!
Timeline
Published on: 03/01/2023 08:15:00 UTC
Last modified on: 03/10/2023 01:55:00 UTC