CVE-2023-52874: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: x86/tdx: Zero out the missing RSI in TDX_HYPERCALL macro In the TDX_HYPERCALL asm, after the TDCALL instruction returns from the untrusted VMM, the registers that the TDX guest shares to the VMM need to be cleared to avoid speculative execution of VMM-provided values. RSI is specified in the bitmap of those registers, but it is missing when zeroing out those registers in the current TDX_HYPERCALL. It was there when it was originally added in commit 752d13305c78 ("x86/tdx: Expand __tdx_hypercall() to handle more arguments"), but was later removed in commit 1e70c680375a ("x86/tdx: Do not corrupt frame-pointer in __tdx_hypercall()"), which was correct because %rsi is later restored in the "pop %rsi". However a later commit 7a3a401874be ("x86/tdx: Drop flags from __tdx_hypercall()") removed that "pop %rsi" but forgot to add the "xor %rsi, %rsi" back. Fix by adding it back.
AI Analysis
Technical Summary
CVE-2023-52874 is a vulnerability identified in the Linux kernel specifically related to the Intel Trust Domain Extensions (TDX) hypercall implementation on x86 architectures. TDX is a technology designed to provide hardware-isolated virtual machines, called Trust Domains (TDs), which protect guest VMs from a potentially compromised hypervisor. The vulnerability arises from improper clearing of the RSI register after the TDCALL instruction returns control from the untrusted Virtual Machine Monitor (VMM) to the TDX guest. The TDX_HYPERCALL macro is responsible for managing hypercall invocations between the guest and the VMM, and it must clear registers shared with the VMM to prevent speculative execution attacks that could leak sensitive data. Initially, the RSI register was zeroed out to mitigate this risk, but due to a sequence of code changes, the explicit clearing of RSI was removed without being reintroduced, leaving RSI potentially containing stale or attacker-controlled data. This omission could allow speculative execution side-channel attacks where the guest might speculatively execute instructions based on maliciously crafted RSI values provided by the VMM, potentially leading to information disclosure or other side effects. The fix involves reintroducing the zeroing of the RSI register after the TDCALL instruction to ensure no residual data remains that could be exploited. This vulnerability is subtle and specific to the TDX hypercall mechanism, affecting Linux kernel versions containing the identified commits. No known exploits are currently reported in the wild, and the vulnerability was responsibly disclosed and patched promptly.
Potential Impact
For European organizations, the impact of CVE-2023-52874 depends largely on their use of Intel TDX technology within Linux environments. Organizations leveraging TDX-enabled virtualization for sensitive workloads—such as financial institutions, government agencies, and cloud service providers—could face risks of speculative execution side-channel attacks that might lead to leakage of confidential information processed within Trust Domains. Although exploitation requires a malicious or compromised VMM, the vulnerability undermines the isolation guarantees TDX aims to provide. This could erode trust in hardware-based virtualization security and potentially expose sensitive data or cryptographic keys. Since TDX is a relatively new technology, widespread deployment is still limited but growing, especially in sectors prioritizing confidential computing. The vulnerability does not directly affect the availability or integrity of systems but poses a confidentiality risk. European organizations using Linux kernels with affected commits in environments where TDX is enabled should consider this vulnerability critical to address to maintain strong isolation boundaries and comply with data protection regulations such as GDPR, which mandate safeguarding personal and sensitive data against unauthorized access.
Mitigation Recommendations
To mitigate CVE-2023-52874, European organizations should: 1) Apply the official Linux kernel patches that reintroduce the zeroing of the RSI register in the TDX_HYPERCALL macro as soon as possible. This is the definitive fix and prevents speculative execution attacks via stale RSI values. 2) Audit and inventory all Linux systems running on Intel hardware with TDX enabled to identify affected kernel versions, focusing on those containing the commits mentioned in the vulnerability description. 3) If immediate patching is not feasible, consider disabling TDX support temporarily to eliminate the attack surface, especially in high-security environments. 4) Monitor vendor advisories and kernel updates regularly to ensure no further regressions or related vulnerabilities appear in TDX hypercall handling. 5) Employ runtime monitoring and anomaly detection tools capable of identifying unusual hypercall behavior or speculative execution side-channel attack patterns. 6) Educate system administrators and security teams about the importance of hardware-assisted isolation features and the risks posed by speculative execution vulnerabilities to maintain vigilance. 7) Coordinate with cloud providers or third-party virtualization service vendors to confirm their TDX implementations are patched and secure.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
CVE-2023-52874: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: x86/tdx: Zero out the missing RSI in TDX_HYPERCALL macro In the TDX_HYPERCALL asm, after the TDCALL instruction returns from the untrusted VMM, the registers that the TDX guest shares to the VMM need to be cleared to avoid speculative execution of VMM-provided values. RSI is specified in the bitmap of those registers, but it is missing when zeroing out those registers in the current TDX_HYPERCALL. It was there when it was originally added in commit 752d13305c78 ("x86/tdx: Expand __tdx_hypercall() to handle more arguments"), but was later removed in commit 1e70c680375a ("x86/tdx: Do not corrupt frame-pointer in __tdx_hypercall()"), which was correct because %rsi is later restored in the "pop %rsi". However a later commit 7a3a401874be ("x86/tdx: Drop flags from __tdx_hypercall()") removed that "pop %rsi" but forgot to add the "xor %rsi, %rsi" back. Fix by adding it back.
AI-Powered Analysis
Technical Analysis
CVE-2023-52874 is a vulnerability identified in the Linux kernel specifically related to the Intel Trust Domain Extensions (TDX) hypercall implementation on x86 architectures. TDX is a technology designed to provide hardware-isolated virtual machines, called Trust Domains (TDs), which protect guest VMs from a potentially compromised hypervisor. The vulnerability arises from improper clearing of the RSI register after the TDCALL instruction returns control from the untrusted Virtual Machine Monitor (VMM) to the TDX guest. The TDX_HYPERCALL macro is responsible for managing hypercall invocations between the guest and the VMM, and it must clear registers shared with the VMM to prevent speculative execution attacks that could leak sensitive data. Initially, the RSI register was zeroed out to mitigate this risk, but due to a sequence of code changes, the explicit clearing of RSI was removed without being reintroduced, leaving RSI potentially containing stale or attacker-controlled data. This omission could allow speculative execution side-channel attacks where the guest might speculatively execute instructions based on maliciously crafted RSI values provided by the VMM, potentially leading to information disclosure or other side effects. The fix involves reintroducing the zeroing of the RSI register after the TDCALL instruction to ensure no residual data remains that could be exploited. This vulnerability is subtle and specific to the TDX hypercall mechanism, affecting Linux kernel versions containing the identified commits. No known exploits are currently reported in the wild, and the vulnerability was responsibly disclosed and patched promptly.
Potential Impact
For European organizations, the impact of CVE-2023-52874 depends largely on their use of Intel TDX technology within Linux environments. Organizations leveraging TDX-enabled virtualization for sensitive workloads—such as financial institutions, government agencies, and cloud service providers—could face risks of speculative execution side-channel attacks that might lead to leakage of confidential information processed within Trust Domains. Although exploitation requires a malicious or compromised VMM, the vulnerability undermines the isolation guarantees TDX aims to provide. This could erode trust in hardware-based virtualization security and potentially expose sensitive data or cryptographic keys. Since TDX is a relatively new technology, widespread deployment is still limited but growing, especially in sectors prioritizing confidential computing. The vulnerability does not directly affect the availability or integrity of systems but poses a confidentiality risk. European organizations using Linux kernels with affected commits in environments where TDX is enabled should consider this vulnerability critical to address to maintain strong isolation boundaries and comply with data protection regulations such as GDPR, which mandate safeguarding personal and sensitive data against unauthorized access.
Mitigation Recommendations
To mitigate CVE-2023-52874, European organizations should: 1) Apply the official Linux kernel patches that reintroduce the zeroing of the RSI register in the TDX_HYPERCALL macro as soon as possible. This is the definitive fix and prevents speculative execution attacks via stale RSI values. 2) Audit and inventory all Linux systems running on Intel hardware with TDX enabled to identify affected kernel versions, focusing on those containing the commits mentioned in the vulnerability description. 3) If immediate patching is not feasible, consider disabling TDX support temporarily to eliminate the attack surface, especially in high-security environments. 4) Monitor vendor advisories and kernel updates regularly to ensure no further regressions or related vulnerabilities appear in TDX hypercall handling. 5) Employ runtime monitoring and anomaly detection tools capable of identifying unusual hypercall behavior or speculative execution side-channel attack patterns. 6) Educate system administrators and security teams about the importance of hardware-assisted isolation features and the risks posed by speculative execution vulnerabilities to maintain vigilance. 7) Coordinate with cloud providers or third-party virtualization service vendors to confirm their TDX implementations are patched and secure.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-05-21T15:19:24.264Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9831c4522896dcbe77ec
Added to database: 5/21/2025, 9:09:05 AM
Last enriched: 7/1/2025, 8:10:14 AM
Last updated: 7/27/2025, 7:18:25 AM
Views: 11
Related Threats
CVE-2025-8885: CWE-770 Allocation of Resources Without Limits or Throttling in Legion of the Bouncy Castle Inc. Bouncy Castle for Java
MediumCVE-2025-26398: CWE-798 Use of Hard-coded Credentials in SolarWinds Database Performance Analyzer
MediumCVE-2025-41686: CWE-306 Missing Authentication for Critical Function in Phoenix Contact DaUM
HighCVE-2025-8874: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in litonice13 Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations
MediumCVE-2025-8767: CWE-1236 Improper Neutralization of Formula Elements in a CSV File in anwppro AnWP Football Leagues
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.