1. Home
  2. CWE Database
  3. CWE-1342
Base · Medium

CWE-1342: Information Exposure through Microarchitectural State after Transient Execution

The processor does not properly clear microarchitectural state after incorrect microcode assists or speculative execution, resulting in transient execution.

CWE-1342 · Base Level ·1 CVEs ·2 Mitigations

Description

The processor does not properly clear microarchitectural state after incorrect microcode assists or speculative execution, resulting in transient execution.

In many processor architectures an exception, mis-speculation, or microcode assist results in a flush operation to clear results that are no longer required. This action prevents these results from influencing architectural state that is intended to be visible from software. However, traces of this transient execution may remain in microarchitectural buffers, resulting in a change in microarchitectural state that can expose sensitive information to an attacker using side-channel analysis. For example, Load Value Injection (LVI) [REF-1202] can exploit direct injection of erroneous values into intermediate load and store buffers. Several conditions may need to be fulfilled for a successful attack:

Potential Impact

Confidentiality, Integrity

Modify Memory, Read Memory, Execute Unauthorized Code or Commands

Demonstrative Examples

Faulting loads in a victim domain may trigger incorrect transient forwarding, which leaves secret-dependent traces in the microarchitectural state. Consider this example from [REF-1203].
Consider the code gadget:
Bad
void call_victim(size_t untrusted_arg) {
					    
					      *arg_copy = untrusted_arg;
					      array[**trusted_ptr * 4096];
					    
					    }

Mitigations & Prevention

Architecture and DesignRequirements High

Hardware ensures that no illegal data flows from faulting micro-ops exists at the microarchitectural level.

Build and Compilation High

Include instructions that explicitly remove traces of unneeded computations from software interactions with microarchitectural elements e.g. lfence, sfence, mfence, clflush.

Real-World CVE Examples

CVE IDDescription
CVE-2020-0551Load value injection in some processors utilizing speculative execution may allow an authenticated user to enable information disclosure via a side-channel with local access.

CWE-226: Sensitive Information in Resource Not Removed Before Reuse

The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not cle...

Frequently Asked Questions

What is CWE-1342?

CWE-1342 (Information Exposure through Microarchitectural State after Transient Execution) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The processor does not properly clear microarchitectural state after incorrect microcode assists or speculative execution, resulting in transient execution.

How can CWE-1342 be exploited?

Attackers can exploit CWE-1342 (Information Exposure through Microarchitectural State after Transient Execution) to modify memory, read memory, execute unauthorized code or commands. This weakness is typically introduced during the Architecture and Design, Requirements phase of software development.

How do I prevent CWE-1342?

Key mitigations include: Hardware ensures that no illegal data flows from faulting micro-ops exists at the microarchitectural level.

What is the severity of CWE-1342?

CWE-1342 is classified as a Base-level weakness (Medium abstraction). It has been observed in 1 real-world CVEs.