Intel discloses ‘Lazy FPU’ vulnerability that is similar to Meltdown but less serious


A newly discovered chip vulnerability leaves owners of most Core processors susceptible to yet another side channel attack similar to Spectre and Meltdown. Fortunately, the fallout from this one shouldn't be as far-reaching as those, nor is it as serious.

In a security bulletin, Intel refers to the new attack vector as a "Lazy FP state restore" bug. Red Hat is calling it a "Lazy FPU Restore" flaw. Both refer to the same thing, which is a speculative execution side channel attack affecting Sandy Bridge and newer Core processors.

"System software may utilize the Lazy FP state restore technique to delay the restoring of state until an instruction operating on that state is actually executed by the new process. Systems using Intel Core-based microprocessors may potentially allow a local process to infer data utilizing Lazy FP state restore from another process through a speculative execution side channel," Intel explains.

Put another way, the flaw provides another means for an attacker to pluck sensitive information from affected systems, and specifically from running applications, including encrypted operations. The bug takes advantage of a performance optimization technique called FPU context switching.

"A task/context switch occurs when a user application calls a kernel function or when a process is preempted to schedule the next one in the queue. Upon a task switch, the processor saves its current execution context (various registers, instruction and stack pointers, etc.) and loads the context of the new process. While doing so, it can defer restoring of FPU/SSE context state, because not all applications use the Floating Point Unit (FPU)," Red Hat explains.

A bug in Intel's Core processors allows an attacker to access those various registers and the information they contain. Colin Percival, a computer scientist and FreeBSD security officer, points out that AES encryption keys are almost always stored in SSE registers, which are affected by this bug. He also notes that there is a "narrow window for execution," and that "it's much harder than Meltdown was."
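The deferred restore that Red Hat describes above can be seen in a simplified C model (an added example, not code from Intel, Red Hat or any kernel). It shows why the previous task's register values are still resident after a lazy switch until the new task first touches the FPU, and why an eager switch closes that window. The struct and function names are hypothetical, the register values are constructed, and speculative execution itself is not modelled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define FPU_WORDS 2

struct task { uint64_t saved_fpu[FPU_WORDS]; };     /* per-task save area */
struct cpu {
    uint64_t fpu_regs[FPU_WORDS];  /* physical FPU/SSE register file */
    struct task *fpu_owner;        /* task whose values are in fpu_regs */
    struct task *current;          /* task now running */
    bool ts;                       /* models CR0.TS: next FPU insn traps */
};

static void fpu_swap(struct cpu *c, struct task *next) {
    if (c->fpu_owner)              /* save the old owner's registers */
        memcpy(c->fpu_owner->saved_fpu, c->fpu_regs, sizeof c->fpu_regs);
    memcpy(c->fpu_regs, next->saved_fpu, sizeof c->fpu_regs);
    c->fpu_owner = next;
    c->ts = false;
}

void context_switch(struct cpu *c, struct task *next, bool lazy) {
    c->current = next;
    if (lazy)
        c->ts = (c->fpu_owner != next);  /* defer: registers left untouched */
    else
        fpu_swap(c, next);               /* eager: swap on every switch */
}

/* Trap handler path for the first FPU instruction after a lazy switch. */
void fpu_first_use(struct cpu *c) {
    if (c->ts)
        fpu_swap(c, c->current);
}

/* Returns true if the previous task's values are still in the register
 * file after switching away from it. Register values are constructed. */
bool stale_after_switch(bool lazy, bool touch_fpu) {
    struct task victim = {{0}}, other = {{0}};
    struct cpu c = {{0x1111111111111111ULL, 0x2222222222222222ULL},
                    &victim, &victim, false};
    context_switch(&c, &other, lazy);
    if (touch_fpu)
        fpu_first_use(&c);
    return c.fpu_regs[0] == 0x1111111111111111ULL;
}
```

Only the lazy switch with no FPU use yet leaves the earlier task's values in place; the eager path replaces them at every switch, which is the behaviour the OS patches rely on.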

Intel lists the vulnerability as only "Moderate," adding that it's already been patched in many instances.

"The Lazy FP state restore issue is similar to Variant 3a. It has already been addressed for many years by operating system and hypervisor software used in many client and data center products," Intel told HotHardware. "Our industry partners are working on software updates to address the issue for the remaining impacted environments and we expect these updates to be available in the coming weeks. We continue to believe in coordinated disclosure and we are thankful to Julian Stecklina from Amazon Germany, Thomas Prescher from Cyberus Technology GmbH, Zdenek Sojka from SYSGO AG, and Colin Percival for reporting this issue to us. We strongly encourage others in the industry to adhere to coordinated disclosure as well."

According to BleepingComputer, this vulnerability does not require any microcode updates like Spectre and Meltdown did. Instead, it can be fixed entirely by OS patches. Furthermore, those patches are not expected to introduce any performance penalties.

Paul Lilly
