CVE-2023-28746

NameCVE-2023-28746
DescriptionInformation exposure through microarchitectural state after transient execution from some register files for some Intel(R) Atom(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3808-1, DLA-3842-1, DSA-5681-1, ELA-1088-1, ELA-1093-1
Debian Bugs1066108

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
intel-microcode (PTS)jessie/non-free3.20240312.1~deb8u1fixed
jessie/non-free (lts)3.20230214.1~deb8u1vulnerable
stretch/non-free3.20240312.1~deb9u1fixed
stretch/non-free (security)3.20210608.2~deb9u2vulnerable
stretch/non-free (lts)3.20230214.1~deb9u1vulnerable
buster/non-free (security), buster/non-free3.20240312.1~deb10u1fixed
bullseye/non-free3.20240514.1~deb11u1fixed
bullseye/non-free (security)3.20231114.1~deb11u1vulnerable
bookworm/non-free-firmware3.20240514.1~deb12u1fixed
bookworm/non-free-firmware (security)3.20231114.1~deb12u1vulnerable
trixie/non-free-firmware, sid/non-free-firmware3.20240531.1+nmu1fixed
linux (PTS)jessie, jessie (lts)3.16.84-1vulnerable
stretch (security)4.9.320-2vulnerable
stretch (lts), stretch4.9.320-3vulnerable
buster (security), buster, buster (lts)4.19.316-1vulnerable
bullseye5.10.218-1fixed
bullseye (security)5.10.221-1fixed
bookworm6.1.94-1fixed
bookworm (security)6.1.99-1fixed
trixie6.9.10-1fixed
sid6.9.11-1fixed
linux-5.10 (PTS)jessie, jessie (lts)5.10.218-1~deb8u1fixed
stretch (lts), stretch5.10.218-1~deb9u1fixed
buster (security), buster, buster (lts)5.10.218-1~deb10u1fixed
xen (PTS)jessie, jessie (lts)4.4.4lts5-0+deb8u1vulnerable
stretch (security), stretch (lts), stretch4.8.5.final+shim4.10.4-1+deb9u12vulnerable
buster (security), buster, buster (lts)4.11.4+107-gef32c7afa2-1vulnerable
bullseye4.14.6-1vulnerable
bullseye (security)4.14.5+94-ge49571868d-1vulnerable
bookworm4.17.3+10-g091466ba55-1~deb12u1vulnerable
sid, trixie4.17.3+36-g54dacb5c02-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
intel-microcodesourcejessie3.20240312.1~deb8u1ELA-1088-1
intel-microcodesourcestretch3.20240312.1~deb9u1ELA-1088-1
intel-microcodesourcebuster3.20240312.1~deb10u1DLA-3808-1
intel-microcodesourcebullseye3.20240312.1~deb11u1
intel-microcodesourcebookworm3.20240312.1~deb12u1
intel-microcodesource(unstable)3.20240312.11066108
linuxsourcejessie(unfixed)end-of-life
linuxsourcestretch(unfixed)end-of-life
linuxsourcebuster(unfixed)end-of-life
linuxsourcebullseye5.10.216-1DSA-5681-1
linuxsourcebookworm6.1.82-1
linuxsource(unstable)6.7.9-2
linux-5.10sourcejessie5.10.216-1~deb8u1ELA-1093-1
linux-5.10sourcestretch5.10.216-1~deb9u1ELA-1093-1
linux-5.10sourcebuster5.10.216-1~deb10u1DLA-3842-1
xensourcejessie(unfixed)end-of-life
xensourcestretch(unfixed)end-of-life
xensourcebuster(unfixed)end-of-life
xensourcebullseye(unfixed)end-of-life
xensource(unstable)(unfixed)

Notes

[bookworm] - xen <postponed> (Minor issue, fix along in next DSA)
[bullseye] - xen <end-of-life> (EOLed in Bullseye)
[buster] - xen <end-of-life> (DSA 4677-1)
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00898.html
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240312
https://www.openwall.com/lists/oss-security/2024/03/12/13
https://xenbits.xen.org/xsa/advisory-452.html
https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/register-file-data-sampling.html
Search for package or bug name: Reporting problems