{"api_version":"1","generated_at":"2026-04-22T23:52:44+00:00","cve":"CVE-2023-1998","urls":{"html":"https://cve.report/CVE-2023-1998","api":"https://cve.report/api/cve/CVE-2023-1998.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-1998","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-1998"},"summary":{"title":"CVE-2023-1998","description":"The Linux kernel allows userspace processes to enable mitigations by calling prctl with PR_SET_SPECULATION_CTRL which disables the speculation feature as well as by using seccomp. We had noticed that on VMs of at least one major cloud provider, the kernel still left the victim process exposed to attacks in some cases even after enabling the spectre-BTI mitigation with prctl. The same behavior can be observed on a bare-metal machine when forcing the mitigation to IBRS on boot command line.\n\nThis happened because when plain IBRS was enabled (not enhanced IBRS), the kernel had some logic that determined that STIBP was not needed. The IBRS bit implicitly protects against cross-thread branch target injection. However, with legacy IBRS, the IBRS bit was cleared on returning to userspace, due to performance reasons, which disabled the implicit STIBP and left userspace threads vulnerable to cross-thread branch target injection against which STIBP protects.","state":"PUBLIC","assigner":"security@google.com","published_at":"2023-04-21 15:15:00","updated_at":"2023-05-03 15:16:00"},"problem_types":["CWE-203"],"metrics":[],"references":[{"url":"https://github.com/google/security-research/security/advisories/GHSA-mj4w-6495-6crx","name":"https://github.com/google/security-research/security/advisories/GHSA-mj4w-6495-6crx","refsource":"MISC","tags":[],"title":"Linux Kernel: Spectre v2 SMT mitigations problem · Advisory · google/security-research · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html","name":"https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html","refsource":"MISC","tags":["Mailing List","Third Party Advisory"],"title":"[SECURITY] [DLA 3403-1] linux security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html","name":"https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html","refsource":"MISC","tags":[],"title":"[SECURITY] [DLA 3404-1] linux-5.10 security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/torvalds/linux/commit/6921ed9049bc7457f66c1596c5b78aec0dae4a9d","name":"https://github.com/torvalds/linux/commit/6921ed9049bc7457f66c1596c5b78aec0dae4a9d","refsource":"MISC","tags":[],"title":"x86/speculation: Allow enabling STIBP with legacy IBRS · torvalds/linux@6921ed9 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://kernel.dance/#6921ed9049bc7457f66c1596c5b78aec0dae4a9d","name":"https://kernel.dance/#6921ed9049bc7457f66c1596c5b78aec0dae4a9d","refsource":"MISC","tags":[],"title":"????????","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-1998","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-1998","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"1998","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"1998","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2023-1998","qid":"160837","title":"Oracle Enterprise Linux Security Update for kernel (ELSA-2023-4377)"},{"cve":"CVE-2023-1998","qid":"161147","title":"Oracle Enterprise Linux Security Update for kernel (ELSA-2023-7077)"},{"cve":"CVE-2023-1998","qid":"181765","title":"Debian Security Update for linux-5.10 (DLA 3404-1)"},{"cve":"CVE-2023-1998","qid":"181768","title":"Debian Security Update for linux (DLA 3403-1)"},{"cve":"CVE-2023-1998","qid":"184827","title":"Debian Security Update for linux (CVE-2023-1998)"},{"cve":"CVE-2023-1998","qid":"199298","title":"Ubuntu Security Notification for Linux kernel (OEM) Vulnerabilities (USN-6033-1)"},{"cve":"CVE-2023-1998","qid":"199424","title":"Ubuntu Security Notification for Linux kernel Vulnerabilities (USN-6172-1)"},{"cve":"CVE-2023-1998","qid":"199425","title":"Ubuntu Security Notification for Linux kernel Vulnerabilities (USN-6171-1)"},{"cve":"CVE-2023-1998","qid":"199438","title":"Ubuntu Security Notification for Linux kernel (IBM) Vulnerabilities (USN-6187-1)"},{"cve":"CVE-2023-1998","qid":"199439","title":"Ubuntu Security Notification for Linux kernel Vulnerabilities (USN-6185-1)"},{"cve":"CVE-2023-1998","qid":"199451","title":"Ubuntu Security Notification for Linux kernel (Intel IoTG) Vulnerabilities (USN-6207-1)"},{"cve":"CVE-2023-1998","qid":"199463","title":"Ubuntu Security Notification for Linux kernel (Azure CVM) Vulnerabilities (USN-6223-1)"},{"cve":"CVE-2023-1998","qid":"199465","title":"Ubuntu Security Notification for Linux kernel (Xilinx ZynqMP) Vulnerabilities (USN-6222-1)"},{"cve":"CVE-2023-1998","qid":"199614","title":"Ubuntu Security Notification for Linux kernel (IoT) Vulnerabilities (USN-6256-1)"},{"cve":"CVE-2023-1998","qid":"241878","title":"Red Hat Update for kernel security (RHSA-2023:4377)"},{"cve":"CVE-2023-1998","qid":"241886","title":"Red Hat Update for kernel-rt (RHSA-2023:4378)"},{"cve":"CVE-2023-1998","qid":"242154","title":"Red Hat Update for kernel (RHSA-2023:5604)"},{"cve":"CVE-2023-1998","qid":"242157","title":"Red Hat Update for kernel-rt (RHSA-2023:5603)"},{"cve":"CVE-2023-1998","qid":"242434","title":"Red Hat Update for kernel-rt security (RHSA-2023:6901)"},{"cve":"CVE-2023-1998","qid":"242451","title":"Red Hat Update for kernel security (RHSA-2023:7077)"},{"cve":"CVE-2023-1998","qid":"242855","title":"Red Hat Update for kernel (RHSA-2024:0412)"},{"cve":"CVE-2023-1998","qid":"355138","title":"Amazon Linux Security Advisory for kernel : ALAS-2023-138"},{"cve":"CVE-2023-1998","qid":"355288","title":"Amazon Linux Security Advisory for kernel : ALAS-2023-138"},{"cve":"CVE-2023-1998","qid":"355291","title":"Amazon Linux Security Advisory for kernel : ALAS-2023-138"},{"cve":"CVE-2023-1998","qid":"355297","title":"Amazon Linux Security Advisory for kernel : ALAS-2023-138"},{"cve":"CVE-2023-1998","qid":"355301","title":"Amazon Linux Security Advisory for kernel : ALAS-2023-138"},{"cve":"CVE-2023-1998","qid":"355305","title":"Amazon Linux Security Advisory for kernel : ALAS-2023-138"},{"cve":"CVE-2023-1998","qid":"355307","title":"Amazon Linux Security Advisory for kernel : ALAS-2023-138"},{"cve":"CVE-2023-1998","qid":"355314","title":"Amazon Linux Security Advisory for kernel : ALAS2023-2023-138"},{"cve":"CVE-2023-1998","qid":"673393","title":"EulerOS Security Update for kernel (EulerOS-SA-2023-2647)"},{"cve":"CVE-2023-1998","qid":"674113","title":"EulerOS Security Update for kernel (EulerOS-SA-2023-2689)"},{"cve":"CVE-2023-1998","qid":"753980","title":"SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2023:2151-1)"},{"cve":"CVE-2023-1998","qid":"753981","title":"SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2023:2146-1)"},{"cve":"CVE-2023-1998","qid":"753982","title":"SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2023:2148-1)"},{"cve":"CVE-2023-1998","qid":"753985","title":"SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2023:2162-1)"},{"cve":"CVE-2023-1998","qid":"754005","title":"SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2023:2163-1)"},{"cve":"CVE-2023-1998","qid":"754023","title":"SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2023:2232-1)"},{"cve":"CVE-2023-1998","qid":"755851","title":"SUSE Enterprise Linux Security Update for the linux kernel (SUSE-SU-2023:2646-1)"},{"cve":"CVE-2023-1998","qid":"906894","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for kernel (26372-1)"},{"cve":"CVE-2023-1998","qid":"906902","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for kernel (26368-1)"},{"cve":"CVE-2023-1998","qid":"907090","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for hyperv-daemons (26234-1)"},{"cve":"CVE-2023-1998","qid":"907149","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for hyperv-daemons (26261-1)"},{"cve":"CVE-2023-1998","qid":"941213","title":"AlmaLinux Security Update for kernel (ALSA-2023:4377)"},{"cve":"CVE-2023-1998","qid":"941214","title":"AlmaLinux Security Update for kernel-rt (ALSA-2023:4378)"},{"cve":"CVE-2023-1998","qid":"941453","title":"AlmaLinux Security Update for kernel (ALSA-2023:7077)"},{"cve":"CVE-2023-1998","qid":"960961","title":"Rocky Linux Security Update for kernel-rt (RLSA-2023:4378)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2023-1998","ASSIGNER":"security@google.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"The Linux kernel allows userspace processes to enable mitigations by calling prctl with PR_SET_SPECULATION_CTRL which disables the speculation feature as well as by using seccomp. We had noticed that on VMs of at least one major cloud provider, the kernel still left the victim process exposed to attacks in some cases even after enabling the spectre-BTI mitigation with prctl. The same behavior can be observed on a bare-metal machine when forcing the mitigation to IBRS on boot command line.\n\nThis happened because when plain IBRS was enabled (not enhanced IBRS), the kernel had some logic that determined that STIBP was not needed. The IBRS bit implicitly protects against cross-thread branch target injection. However, with legacy IBRS, the IBRS bit was cleared on returning to userspace, due to performance reasons, which disabled the implicit STIBP and left userspace threads vulnerable to cross-thread branch target injection against which STIBP protects.\n\n\n"}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-1303 Non-Transparent Sharing of Microarchitectural Resources","cweId":"CWE-1303"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Linux","product":{"product_data":[{"product_name":"Linux Kernel","version":{"version_data":[{"version_affected":"<","version_name":"0","version_value":"6.3"}]}}]}}]}},"references":{"reference_data":[{"url":"https://github.com/google/security-research/security/advisories/GHSA-mj4w-6495-6crx","refsource":"MISC","name":"https://github.com/google/security-research/security/advisories/GHSA-mj4w-6495-6crx"},{"url":"https://github.com/torvalds/linux/commit/6921ed9049bc7457f66c1596c5b78aec0dae4a9d","refsource":"MISC","name":"https://github.com/torvalds/linux/commit/6921ed9049bc7457f66c1596c5b78aec0dae4a9d"},{"url":"https://kernel.dance/#6921ed9049bc7457f66c1596c5b78aec0dae4a9d","refsource":"MISC","name":"https://kernel.dance/#6921ed9049bc7457f66c1596c5b78aec0dae4a9d"},{"url":"https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html","refsource":"MISC","name":"https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html"},{"url":"https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html","refsource":"MISC","name":"https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html"}]},"generator":{"engine":"Vulnogram 0.1.0-dev"},"source":{"discovery":"UNKNOWN"},"impact":{"cvss":[{"attackComplexity":"HIGH","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":5.6,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N","version":"3.1"}]}},"nvd":{"publishedDate":"2023-04-21 15:15:00","lastModifiedDate":"2023-05-03 15:16:00","problem_types":["CWE-203"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":5.6,"baseSeverity":"MEDIUM"},"exploitabilityScore":1.1,"impactScore":4}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.3","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}