Racing for Privilege

Black Hat USA 2025 · Day 1 · Briefings

Researchers from COMSEC at ETH Zurich discovered a microarchitectural race condition in Intel processors that undermines both Enhanced Indirect Branch Restricted Speculation (eIBRS) and the Indirect Branch Prediction Barrier (IBPB), the primary hardware mitigations against Spectre-class branch target injection attacks. The vulnerability affects every recent Intel CPU with in-silicon Spectre mitigations, was demonstrated by leaking `/etc/shadow` on a fully patched Ubuntu system, and extends to VM-to-host cross-privilege attack scenarios. Intel has issued a microcode fix.
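Because the fix ships as microcode, the kernel's own Spectre v2 status line will still read eIBRS/IBPB whether or not the corrected microcode is loaded, so the practical check is to read both that line and the loaded microcode revision. The script below is an added example and is not code from the talk or from COMSEC; it parses the Linux kernel's `spectre_v2` sysfs line and the `microcode` field of `/proc/cpuinfo`, falling back to constructed sample text when run off a Linux host. The revision values in the sample and the `min_rev` threshold are placeholders: the revision that carries Intel's fix for a given CPU model has to come from Intel's guidance, not from this page.

```python
"""Report the Spectre v2 mitigation the kernel says it is using and the
microcode revision actually loaded.  Added example, not code from the
Black Hat talk or from COMSEC; it only reads standard Linux sysfs/procfs."""
import re
from pathlib import Path
from typing import Dict, List, Optional, Set

SPECTRE_V2_PATH = Path("/sys/devices/system/cpu/vulnerabilities/spectre_v2")
CPUINFO_PATH = Path("/proc/cpuinfo")

# Constructed sample of what a recent kernel prints on an eIBRS system.
# Illustrative only; the microcode revision is a placeholder, not a value
# from the talk or from Intel's advisory.
SAMPLE_SPECTRE_V2 = ("Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; "
                     "RSB filling; PBRSB-eIBRS: SW sequence; BHI: SW loop, KVM: SW loop")
SAMPLE_CPUINFO = """processor\t: 0
vendor_id\t: GenuineIntel
model name\t: 13th Gen Intel(R) Core(TM) i9-13900K
microcode\t: 0x12b
processor\t: 1
vendor_id\t: GenuineIntel
microcode\t: 0x12b
"""


def parse_spectre_v2(status: str) -> Dict[str, object]:
    """Split the kernel's spectre_v2 line into mitigation, IBPB and BHI parts."""
    status = status.strip()
    if not status.startswith("Mitigation:"):
        # "Vulnerable", "Not affected" or a "Vulnerable: ..." variant
        return {"mitigation": None, "raw": status, "eibrs": False,
                "ibpb": None, "bhi": None}
    parts = [p.strip() for p in status[len("Mitigation:"):].split(";")]
    info: Dict[str, object] = {
        "mitigation": parts[0], "raw": status,
        # Kernels print "Enhanced IBRS" or "Enhanced / Automatic IBRS".
        "eibrs": "Enhanced" in parts[0] or "Automatic IBRS" in parts[0],
        "ibpb": None, "bhi": None,
    }
    for part in parts[1:]:
        if part.startswith("IBPB:"):
            info["ibpb"] = part.split(":", 1)[1].strip()
        elif part.startswith("BHI:"):
            info["bhi"] = part.split(":", 1)[1].strip()
    return info


def microcode_revisions(cpuinfo: str) -> Set[int]:
    """Collect the microcode revisions reported for every logical CPU."""
    return {int(m, 16) for m in
            re.findall(r"^microcode\s*:\s*(0x[0-9a-fA-F]+)", cpuinfo, re.M)}


def assess(status: str, cpuinfo: str, min_rev: Optional[int] = None) -> List[str]:
    """Return findings.  min_rev is the minimum microcode revision the operator
    took from Intel's guidance for this CPU model (an assumption supplied by
    the caller, not a value this script knows)."""
    findings: List[str] = []
    info = parse_spectre_v2(status)
    if info["mitigation"] is None:
        findings.append(f"spectre_v2 not mitigated: {info['raw']}")
    elif not info["eibrs"]:
        findings.append(f"spectre_v2 mitigation is not eIBRS: {info['mitigation']}")
    if info["ibpb"] is None:
        findings.append("no IBPB reported")
    revs = microcode_revisions(cpuinfo)
    if len(revs) > 1:
        findings.append(f"mixed microcode revisions across CPUs: {sorted(map(hex, revs))}")
    if min_rev is not None and any(r < min_rev for r in revs):
        findings.append(f"microcode below required revision {hex(min_rev)}: "
                        f"{sorted(map(hex, revs))}")
    return findings


def main() -> None:
    status = SPECTRE_V2_PATH.read_text() if SPECTRE_V2_PATH.exists() else SAMPLE_SPECTRE_V2
    cpuinfo = CPUINFO_PATH.read_text() if CPUINFO_PATH.exists() else SAMPLE_CPUINFO
    print("spectre_v2:", parse_spectre_v2(status))
    print("microcode :", sorted(map(hex, microcode_revisions(cpuinfo))))
    # Placeholder threshold; replace with the revision from Intel's guidance.
    for finding in assess(status, cpuinfo, min_rev=None) or ["no findings"]:
        print("-", finding)


if __name__ == "__main__":
    main()
```

A clean `spectre_v2` line is necessary but not sufficient: the kernel reports which mitigation it selected at boot, and a loaded-but-old microcode revision will still show eIBRS and IBPB. Compare the revision set against the fixed revision for the exact CPU stepping, and treat mixed revisions across cores as a finding in its own right.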

AI review

ETH Zurich's COMSEC group breaks eIBRS and IBPB simultaneously with a microarchitectural race condition, live-demos leaking /etc/shadow on a fully patched Raptor Lake system, and discovers that Intel's own BHI mitigation makes the new attack easier. Seven years post-Spectre and the cat-and-mouse is not over. Drop everything.

Watch on YouTube