
Security researchers at ETH Zürich have disclosed a new speculative execution vulnerability in modern Intel processors, affecting 9th generation (Coffee Lake Refresh) and later parts. The flaw, named Branch Privilege Injection (BPI) and tracked as CVE-2024-45332, exploits a race condition between branch predictor updates and privilege switches, letting an unprivileged local process read kernel memory across the user/kernel boundary.
Unlike earlier speculative execution attacks such as Spectre v2, Branch Privilege Injection works with Intel's current hardware mitigations enabled, showing that Intel's defenses against transient execution attacks remain incomplete.
1. Overview of Branch Privilege Injection (CVE-2024-45332)
Key Details
- Vulnerability Type: Branch Predictor Race Condition (delayed, asynchronous predictor updates attributed to the wrong privilege level)
- CVSS Score: Not yet assigned at the time of writing
- Affected Intel CPUs: 9th Gen (Coffee Lake Refresh) through 14th Gen (Raptor Lake Refresh)
- Impact: Kernel memory disclosure across the user/kernel privilege boundary, a stepping stone to privilege escalation
- Exploitation Status: Demonstrated by the researchers in a lab setting; requires unprivileged local code execution
How It Works
Branch prediction is a key component of speculative execution: the CPU guesses the target of a branch before it resolves and keeps executing along that guess so the pipeline never stalls. A wrong guess is rolled back architecturally, but its side effects in the cache survive, which is what Spectre-class attacks measure.
🚨 Branch Privilege Injection targets the way Intel's indirect branch predictor is updated: updates are asynchronous, committed some cycles after the branch that caused them has already executed.
🚨 Normally the predictor tags each entry with the privilege level in which the branch ran, so a kernel-mode indirect branch never consumes a prediction trained from user mode (this is the guarantee eIBRS is meant to provide).
🚨 If a user-mode branch's update is still in flight when the CPU switches to kernel mode (on a system call, for example), the update is committed under the kernel's privilege level. The attacker has injected a user-controlled prediction into the kernel's own predictor state, and a kernel indirect branch that aliases with it will speculatively jump to the attacker-chosen target.
🚨 From there the attack proceeds like Spectre v2: the speculatively executed kernel gadget touches memory that depends on a secret, and the attacker recovers the secret through a cache side channel. Kernel memory, including file contents the kernel has cached, becomes readable from an unprivileged process.
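The race described above, reduced to a toy model. This is an added illustration, not code from the ETH Zürich researchers or from Intel: the predictor structure, its privilege tags, the fixed update latency and the index function are simplifying assumptions. It shows why a privilege tag on predictor entries is not enough when the tag is applied at commit time rather than at execution time, and why a barrier on kernel entry does not catch an update that has not landed yet.

```python
"""Toy model of the predictor race behind Branch Privilege Injection.

Added illustration, not code from the ETH Zürich researchers or from Intel.
The predictor structure, privilege tags, fixed update latency and index
function are simplifying assumptions; real hardware has more predictor
structures and far subtler timing.
"""
from collections import deque
from dataclasses import dataclass, field

USER, KERNEL = "user", "kernel"


def index(pc):
    """Predictors index by a hash of the branch address, so a user-space
    branch and a kernel branch can share an entry. Assumed hash: low 12 bits."""
    return pc & 0xFFF


@dataclass
class PendingUpdate:
    idx: int
    target: int
    ready_at: int  # cycle at which the update commits


@dataclass
class Predictor:
    latency: int = 3          # assumed update delay in cycles
    cycle: int = 0
    mode: str = USER
    entries: dict = field(default_factory=dict)    # (idx, privilege) -> target
    pending: deque = field(default_factory=deque)

    def execute_indirect_branch(self, pc, target):
        """A branch resolves; its predictor update is queued, not applied."""
        self.pending.append(PendingUpdate(index(pc), target, self.cycle + self.latency))

    def predict(self, pc):
        """eIBRS semantics: only entries tagged with the current mode are used."""
        return self.entries.get((index(pc), self.mode))

    def ibpb(self):
        """Barrier: drop every committed entry. Queued updates are untouched."""
        self.entries.clear()

    def switch_mode(self, mode):
        self.mode = mode

    def tick(self, n=1):
        """Advance time, committing updates whose delay has elapsed. The entry
        is tagged with the mode at commit time, not the mode in which the
        branch executed: that is the race BPI exploits."""
        for _ in range(n):
            self.cycle += 1
            while self.pending and self.pending[0].ready_at <= self.cycle:
                upd = self.pending.popleft()
                self.entries[(upd.idx, self.mode)] = upd.target


USER_BRANCH = 0x00401000            # attacker's indirect branch in user space
KERNEL_BRANCH = 0xFFFFFFFF81001000  # aliasing kernel indirect branch (same low bits)


def benign_sequence(pred, gadget):
    """Update commits before the syscall: tagged USER, invisible to the kernel."""
    pred.switch_mode(USER)
    pred.execute_indirect_branch(USER_BRANCH, gadget)
    pred.tick(pred.latency)
    pred.switch_mode(KERNEL)
    pred.ibpb()
    return pred.predict(KERNEL_BRANCH)


def bpi_sequence(pred, gadget):
    """Syscall lands while the update is in flight: committed under KERNEL."""
    pred.switch_mode(USER)
    pred.execute_indirect_branch(USER_BRANCH, gadget)
    pred.switch_mode(KERNEL)   # privilege switch before the update commits
    pred.ibpb()                # barrier on kernel entry flushes nothing useful
    pred.tick(pred.latency)    # the stale update now lands, tagged KERNEL
    return pred.predict(KERNEL_BRANCH)


if __name__ == "__main__":
    gadget = 0xFFFFFFFF81234567   # attacker-chosen target in kernel text (assumed)
    print("benign:", benign_sequence(Predictor(), gadget))
    print("bpi   :", hex(bpi_sequence(Predictor(), gadget)))
```

In the benign ordering the kernel's lookup returns nothing, because the entry carries the USER tag. In the BPI ordering the same user branch produces a KERNEL-tagged entry, and the kernel's aliasing branch is steered to the attacker's target even though IBPB ran on entry.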
2. Exploitation & Attack Methods
Potential Attack Scenarios
🔹 Kernel Memory Disclosure – An unprivileged process reads arbitrary kernel memory with eIBRS and IBPB enabled.
🔹 Privilege Escalation – Leaked kernel data (credentials, pointers that defeat KASLR, key material) is the raw material for a follow-on escalation; BPI itself only reads, it does not write kernel memory.
🔹 Cross-Domain Memory Leaks – The same race applies wherever a single predictor is shared across a privilege boundary, so sandboxed and virtualized environments that depend on that boundary are potentially exposed as well.
Real-World Demonstration
- Researchers demonstrated Branch Privilege Injection leaking the contents of /etc/shadow from kernel memory on an Intel Raptor Lake (13th Gen) processor.
- Exfiltration speeds reached 5.6 KiB/s, fast by the standards of transient-execution leaks and enough to dump a password hash file in seconds.
- Intel's deployed Spectre v2 defenses were enabled and did not block the attack, confirming that the privilege tag on predictor entries cannot be trusted when updates race with privilege switches.
3. Affected Mitigations & Why They Fail
Intel’s Current Defenses Against Speculative Execution Attacks
🔹 Enhanced Indirect Branch Restricted Speculation (eIBRS)
- Tags indirect branch predictions with the privilege level in which they were created, so that kernel-mode branches never consume predictions trained from user mode.
- 🚨 Ineffective against Branch Privilege Injection: the delayed update is committed after the privilege switch and carries the kernel's tag, so eIBRS sees what looks like a legitimate kernel prediction.
🔹 Indirect Branch Prediction Barrier (IBPB)
- Flushes committed indirect branch predictions; Linux issues it on context switches between processes (reported as `IBPB: conditional` in the kernel's vulnerabilities sysfs directory).
- 🚨 Fails against Branch Privilege Injection because the barrier acts on committed predictor state, while the injected update is still in flight and lands after the barrier has run.
🔹 Return Stack Buffer (RSB) Filling & LFENCE
- RSB filling keeps return prediction from falling back to attacker-controlled state; LFENCE serializes specific instruction sequences so nothing past it executes speculatively.
- 🚨 Insufficient against Branch Privilege Injection, which targets the indirect branch predictor rather than the RSB and has injected its state before any kernel code, fenced or not, has executed.
🚨 Key Takeaway: the existing Spectre v2 mitigations all assume that predictor state is correctly attributed to a privilege level. Branch Privilege Injection breaks that assumption, so none of them fully protect against it.
4. Mitigation Strategies & Intel’s Response
A. Apply Microcode Updates (When Available)
✅ Intel has confirmed that microcode updates addressing the delayed predictor update will be released. The fix ships as a new microcode revision, delivered either through a BIOS/firmware update or through the operating system's early microcode loader.
✅ Organizations should track both vendor firmware releases and their distribution's microcode packages, and verify the running microcode revision on each host after deployment rather than assuming the update applied.
B. Strengthen Privilege Isolation Controls
🔹 Keep untrusted code off hosts that hold sensitive kernel-resident data. BPI needs only unprivileged local execution, so shared and multi-tenant hosts are the exposed population.
🔹 Prefer hardware-assisted isolation (separate VMs or physical hosts for untrusted tenants) over in-process sandboxing, which shares the branch predictor with the kernel it is supposed to be isolated from.
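A fleet inventory check that covers both of the preceding steps (is this host in the affected range, and what microcode and Spectre v2 mode is it running). This is an added example, not a tool from Intel or ETH Zürich. It parses `/proc/cpuinfo` and the kernel's `/sys/devices/system/cpu/vulnerabilities` directory; the generation parser is a heuristic over Core i3/i5/i7/i9 marketing names, so Xeon, Atom and Core Ultra parts are reported as unknown and must be checked against Intel's advisory by model. The fixed microcode revision is a parameter you supply from the vendor advisory, not a value the script knows, and the sample cpuinfo text is constructed, not captured from a real host.

```python
"""Exposure check for Branch Privilege Injection (CVE-2024-45332).

Added example, not a tool from Intel or ETH Zürich. The generation parser is
a heuristic over Core i3/i5/i7/i9 names; the fixed microcode revision is an
input parameter, not a known value; the sample input below is constructed.
"""
import os
import re
import sys

CORE_NAME_RE = re.compile(r"\bi[3579]-(\d{4,5})[A-Z0-9]*\b")
EIBRS_RE = re.compile(r"Enhanced(?: / Automatic)? IBRS")
VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"


def core_generation(model_name):
    """'i9-13900K' -> 13, 'i7-9700K' -> 9, 'i7-1165G7' -> 11, unknown -> None.
    Rule: 5-digit SKUs and 4-digit SKUs starting with 1 carry a two-digit
    generation; other 4-digit SKUs carry a one-digit generation."""
    m = CORE_NAME_RE.search(model_name)
    if not m:
        return None
    digits = m.group(1)
    if len(digits) == 5 or digits.startswith("1"):
        return int(digits[:2])
    return int(digits[0])


def parse_cpuinfo(text):
    """Key/value pairs of the first logical CPU in /proc/cpuinfo text."""
    info = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        info.setdefault(key.strip(), value.strip())
    return info


def assess(cpuinfo_text, vulnerabilities, fixed_microcode=None):
    """Classify one host. fixed_microcode is the vendor's fixed revision (int)."""
    info = parse_cpuinfo(cpuinfo_text)
    result = {
        "vendor": info.get("vendor_id"),
        "model_name": info.get("model name", ""),
        "microcode": info.get("microcode"),
        "spectre_v2": vulnerabilities.get("spectre_v2", "unknown"),
    }
    if result["vendor"] != "GenuineIntel":
        result.update(affected=False, reason="not an Intel CPU")
        return result
    gen = core_generation(result["model_name"])
    result["generation"] = gen
    if gen is None or gen > 14:
        result.update(affected=None, reason="model not in the range listed here; check Intel's advisory by model")
    elif gen >= 9:
        result.update(affected=True, reason=f"gen {gen} Core is in the affected range")
    else:
        result.update(affected=False, reason=f"gen {gen} Core predates the affected range")
    # eIBRS is the mode BPI bypasses: record it, do not treat it as protection.
    result["eibrs"] = bool(EIBRS_RE.search(result["spectre_v2"]))
    if result["affected"] and fixed_microcode is not None and result["microcode"]:
        result["microcode_fixed"] = int(result["microcode"], 16) >= fixed_microcode
    return result


def read_live():
    """Read the real host. Only used with --live."""
    with open("/proc/cpuinfo") as f:
        cpuinfo = f.read()
    vulns = {}
    if os.path.isdir(VULN_DIR):
        for name in os.listdir(VULN_DIR):
            with open(os.path.join(VULN_DIR, name)) as f:
                vulns[name] = f.read().strip()
    return cpuinfo, vulns


# Constructed sample input, not captured from a real host.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 183
model name\t: 13th Gen Intel(R) Core(TM) i9-13900K
microcode\t: 0x11d
"""
SAMPLE_VULNS = {
    "spectre_v2": "Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; "
                  "RSB filling; PBRSB-eIBRS: SW sequence; BHI: BHI_DIS_S",
}

if __name__ == "__main__":
    cpuinfo, vulns = read_live() if "--live" in sys.argv else (SAMPLE_CPUINFO, SAMPLE_VULNS)
    for key, value in assess(cpuinfo, vulns).items():
        print(f"{key:16}{value}")
```

Run it with `--live` on each host from your inventory agent and pass `fixed_microcode=` once the vendor publishes the revision; until then the useful output is the affected flag and the current microcode value. There is no dedicated sysfs entry for BPI, which is why the script records the Spectre v2 line rather than looking for one.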
C. Monitor for Exploitation Attempts
🔸 Host-based monitoring, not a network IDS, is the relevant control: a speculative-execution attack produces no network traffic and no kernel audit events of its own. The observable behaviour is an unprivileged process spending its time in a tight loop of system calls interleaved with cache-timing measurements.
🔸 Branch misprediction counters (for example `perf stat -e branches,branch-misses -p <pid>`) are a weak triage signal. The attack deliberately mistrains the predictor, but interpreters, JIT-heavy runtimes and some database engines also mispredict heavily, so treat a high miss ratio as a prompt to investigate a process, not as a detection.
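A triage helper for the counter-based signal above, added here as an example and not a detection published by the researchers or by Intel. It parses the counter lines that `perf stat -e branches,branch-misses -p <pid> -- sleep 5` prints and ranks processes whose branch-miss ratio exceeds a threshold. The sample outputs and the 10% threshold are constructed assumptions; calibrate the threshold against your own workloads before acting on it.

```python
"""Branch-misprediction triage over `perf stat` output.

Added example, not a detection from the ETH Zürich researchers or from Intel.
The sample counter output below is constructed, and the threshold is an
assumption to be calibrated per workload.
"""
import re

# Matches the two counter lines perf stat prints, e.g.
#      2,104,553,120      branches
#         21,811,402      branch-misses             #    1.04% of all branches
COUNTER_RE = re.compile(r"^\s*([\d,]+)\s+(branches|branch-misses)\b", re.M)


def parse_perf_stat(text):
    """Return {'branches': n, 'branch-misses': m} from perf stat text."""
    counts = {}
    for value, event in COUNTER_RE.findall(text):
        counts[event] = int(value.replace(",", ""))
    return counts


def branch_miss_ratio(text):
    """Miss ratio in [0, 1], or None if the counters are absent."""
    counts = parse_perf_stat(text)
    total = counts.get("branches", 0)
    if total == 0:
        return None
    return counts.get("branch-misses", 0) / total


def triage(samples, threshold=0.10):
    """samples: {label: perf stat text}. Returns (label, ratio) pairs at or
    above the threshold, highest ratio first. A hit is a reason to look at
    the process, not proof of an attack."""
    flagged = []
    for label, text in samples.items():
        ratio = branch_miss_ratio(text)
        if ratio is not None and ratio >= threshold:
            flagged.append((label, round(ratio, 4)))
    return sorted(flagged, key=lambda item: -item[1])


# Constructed sample outputs (not real captures) for three processes.
SAMPLE = {
    "nginx(1234)": """
 Performance counter stats for process id '1234':

     2,104,553,120      branches
        21,811,402      branch-misses             #    1.04% of all branches

       5.001234567 seconds time elapsed
""",
    "python3(5555)": """
 Performance counter stats for process id '5555':

     1,000,000,000      branches
        85,000,000      branch-misses             #    8.50% of all branches

       5.000812345 seconds time elapsed
""",
    "unknown(4321)": """
 Performance counter stats for process id '4321':

       812,004,337      branches
       203,117,209      branch-misses             #   25.01% of all branches

       5.002345678 seconds time elapsed
""",
}

if __name__ == "__main__":
    for label, ratio in triage(SAMPLE):
        print(f"{label}: {ratio:.2%} branch misses, investigate")
```

In the sample the interpreter sits at 8.5% and stays below the threshold, which is exactly the false-positive class the threshold has to be tuned for; the unknown process at 25% is the one worth pulling a stack trace from.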
5. Conclusion & Industry Implications
🚨 Branch Privilege Injection (CVE-2024-45332) shows that Spectre-class speculative execution vulnerabilities remain unresolved in modern Intel CPUs, and that mitigations built on privilege-tagged predictor state are only as good as the hardware's bookkeeping of those tags.
🚨 Organizations running Intel 9th Gen and newer processors should inventory exposed hosts, apply microcode and OS updates as they ship, keep untrusted code off hosts that hold sensitive data, and treat branch-misprediction telemetry as a triage aid rather than a detection.

