CVE-2023-3006
First published: Tue Nov 08 2022(Updated: )
A known cache speculation vulnerability, known as Branch History Injection (BHI) or Spectre-BHB, becomes actual again for the new hw AmpereOne. Spectre-BHB is similar to Spectre v2, except that malicious code uses the shared branch history (stored in the CPU Branch History Buffer, or BHB) to influence mispredicted branches within the victim's hardware context. Once that occurs, speculation caused by the mispredicted branches can cause cache allocation. This issue leads to obtaining information that should not be accessible.
Credit: secalert@redhat.com secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/Linux Kernel | <6.1 | 6.1 |
| Linux Kernel | =6.1-rc1 | |
| debian/linux | 5.10.223-1 5.10.234-1 6.1.129-1 6.1.135-1 6.12.25-1 6.12.27-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git/commit/?id=0e5d5ae837c8
- https://launchpad.net/bugs/cve/CVE-2023-3006
- https://access.redhat.com/security/cve/CVE-2022-23960
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2211357
- https://access.redhat.com/errata/RHSA-2024:3462
- https://bugzilla.redhat.com/show_bug.cgi?id=2141026
- https://git.kernel.org/linus/0e5d5ae837c8ce04d2ddb874ec5f920118bd9d31
- https://security-tracker.debian.org/tracker/CVE-2023-3006
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3006
- https://nvd.nist.gov/vuln/detail/CVE-2023-3006
- https://ubuntu.com/security/CVE-2023-3006
Frequently Asked Questions
What is the severity of CVE-2023-3006?
CVE-2023-3006 is considered a critical vulnerability due to its exploitation potential in cache speculation.
How do I fix CVE-2023-3006?
To mitigate CVE-2023-3006, update the Linux kernel to version 6.1 or apply the patches provided by your distribution.
Which software versions are affected by CVE-2023-3006?
CVE-2023-3006 affects Linux kernel versions prior to 6.1, including earlier releases in the 5.x and 6.x lines.
Who is the vendor for CVE-2023-3006?
CVE-2023-3006 is associated with the Linux Kernel, managed by various Linux distributions such as Red Hat and Debian.
What type of vulnerability is CVE-2023-3006?
CVE-2023-3006 is categorized as a cache speculation vulnerability, specifically related to Branch History Injection techniques.
- collector/nvd-latest
- agent/weakness
- agent/type
- collector/launchpad-cve
- source/Launchpad
- agent/severity
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-3006
- agent/software-canonical-lookup
- agent/references
- agent/remedy
- collector/usn-cve
- source/Ubuntu
- agent/description
- agent/event
- agent/trending
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/last-modified-date
- agent/source
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-cve
- collector/nvd-index
- agent/softwarecombine
- agent/tags
- collector/security-tracker-debian
- source/Debian
- package-manager/redhat
- vendor/linux
- canonical/linux kernel
- version/linux kernel/6.1-rc1
- package-manager/debian