CVE-2024-28956

Name: CVE-2024-28956
Description: Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-4170-1, DSA-5924-1, DSA-5925-1
Debian Bugs: 1105172, 1105193

Vulnerable and fixed packages

The table below lists information on source packages.

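| Source Package | Release | Version | Status |
|---|---|---|---|
| intel-microcode (PTS) | bullseye/non-free | 3.20240813.1~deb11u1 | vulnerable |
| intel-microcode (PTS) | bullseye/non-free (security) | 3.20250512.1~deb11u1 | fixed |
| intel-microcode (PTS) | bookworm/non-free-firmware | 3.20250211.1~deb12u1 | vulnerable |
| intel-microcode (PTS) | bookworm/non-free-firmware (security) | 3.20250512.1~deb12u1 | fixed |
| intel-microcode (PTS) | trixie/non-free-firmware, sid/non-free-firmware | 3.20250512.1 | fixed |
| linux (PTS) | bullseye | 5.10.223-1 | vulnerable |
| linux (PTS) | bullseye (security) | 5.10.237-1 | vulnerable |
| linux (PTS) | bookworm | 6.1.137-1 | vulnerable |
| linux (PTS) | bookworm (security) | 6.1.140-1 | fixed |
| linux (PTS) | trixie | 6.12.27-1 | vulnerable |
| linux (PTS) | sid | 6.12.30-1 | fixed |
| xen (PTS) | bullseye | 4.14.6-1 | vulnerable |
| xen (PTS) | bullseye (security) | 4.14.5+94-ge49571868d-1 | vulnerable |
| xen (PTS) | bookworm | 4.17.5+23-ga4e5191dc0-1+deb12u1 | vulnerable |
| xen (PTS) | bookworm (security) | 4.17.5+23-ga4e5191dc0-1 | vulnerable |
| xen (PTS) | sid, trixie | 4.20.0+68-g35cb38b222-1 | vulnerable |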

The information below is based on the following data on fixed versions.

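| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| intel-microcode | source | bullseye | 3.20250512.1~deb11u1 | | DLA-4170-1 | |
| intel-microcode | source | bookworm | 3.20250512.1~deb12u1 | | DSA-5924-1 | |
| intel-microcode | source | (unstable) | 3.20250512.1 | | | 1105172 |
| linux | source | bookworm | 6.1.140-1 | | DSA-5925-1 | |
| linux | source | (unstable) | 6.12.29-1 | | | |
| xen | source | bullseye | (unfixed) | end-of-life | | |
| xen | source | (unstable) | (unfixed) | | | 1105193 |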

Notes

[bullseye] - xen <end-of-life> (EOLed in Bullseye)
https://xenbits.xen.org/xsa/advisory-469.html
https://www.vusec.net/projects/training-solo/
https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/indirect-target-selection.html
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01153.html
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20250512
