Two new vulnerabilities have been patched in the Linux kernel which, if exploited, could bypass existing mitigations for the Spectre vulnerabilities. The vulnerabilities were discovered by Piotr Krysiuk, a researcher on Symantec’s Threat Hunter team, who reported them to the Linux kernel security team. If left unpatched, the vulnerabilities mean that existing Spectre protections will not be sufficient to prevent some exploitation techniques.
The vulnerabilities in question are:
- CVE-2020-27170 – Can reveal contents from the entire memory of an affected computer
- CVE-2020-27171 – Can reveal contents from 4 GB range of kernel memory
These bugs affect all Linux machines, but would be particularly impactful on shared resources, as it would allow one malicious user to access data belonging to other users.