In the Linux kernel, the following vulnerability has been resolved:
arm64: entry: fix ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD
Currently the ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD workaround isn't
quite right, as it is supposed to be applied after the last explicit
memory access, but is immediately followed by an LDR.
The ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD workaround is used to
handle Cortex-A520 erratum 2966298 and Cortex-A510 erratum 3117295,
which are described in:
* https://developer.arm.com/documentation/SDEN2444153/0600/?lang=en
* https://developer.arm.com/documentation/SDEN1873361/1600/?lang=en
In both cases the workaround is described as:
| If pagetable isolation is disabled, the context switch logic in the
| kernel can be updated to execute the following sequence on affected
| cores before exiting to EL0, and after all explicit memory accesses:
|
| 1. A non-shareable TLBI to any context and/or address, including
| unused contexts or addresses, such as a `TLBI VALE1 Xzr`.
|
| 2. A DSB NSH to guarantee completion of the TLBI.
The important part being that the TLBI+DSB must be placed "after all
explicit memory accesses".
Unfortunately, as-implemented, the TLBI+DSB is immediately followed by
an LDR, as we have:
| alternative_if ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD
| tlbi vale1, xzr
| dsb nsh
| alternative_else_nop_endif
| alternative_if_not ARM64_UNMAP_KERNEL_AT_EL0
| ldr lr, [sp, #S_LR]
| add sp, sp, #PT_REGS_SIZE // restore sp
| eret
| alternative_else_nop_endif
|
| [ ... KPTI exception return path ... ]
This patch fixes this by reworking the logic to place the TLBI+DSB
immediately before the ERET, after all explicit memory accesses.
The ERET is currently in a separate alternative block, and alternatives
cannot be nested. To account for this, the alternative block for
ARM64_UNMAP_KERNEL_AT_EL0 is replaced with a single alternative branch
to skip the KPTI logic, with the new shape of the logic being:
| alternative_insn "b .L_skip_tramp_exit_\@", nop, ARM64_UNMAP_KERNEL_AT_EL0
| [ ... KPTI exception return path ... ]
| .L_skip_tramp_exit_\@:
|
| ldr lr, [sp, #S_LR]
| add sp, sp, #PT_REGS_SIZE // restore sp
|
| alternative_if ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD
| tlbi vale1, xzr
| dsb nsh
| alternative_else_nop_endif
| eret
The new structure means that the workaround is only applied when KPTI is
not in use; this is fine as noted in the documented implications of the
erratum:
| Pagetable isolation between EL0 and higher level ELs prevents the
| issue from occurring.
... and as per the workaround description quoted above, the workaround
is only necessary "If pagetable isolation is disabled".
Security readout for executives and security teams
Plain-English summary
This is a Linux kernel ARM64 issue where a CPU erratum workaround was placed too early. On affected ARM64 systems, especially Cortex-A520 or Cortex-A510 cores without page-table isolation, local users could trigger a denial-of-service condition. The public sources do not show active exploitation.
Executive priority
Treat as a targeted platform reliability risk, not a broad internet-facing emergency. Prioritize patching ARM64 Linux systems with affected cores and local multi-user or workload-isolation exposure.
Technical view
ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD should run TLBI plus DSB after all explicit memory accesses before ERET. The vulnerable logic executed an LDR after the workaround, weakening the intended Cortex-A520 and Cortex-A510 erratum mitigation. The fix reorders exception-return logic so the workaround runs immediately before ERET when KPTI is not used.
Likely exposure
Exposure is limited to ARM64 Linux systems using affected kernel versions on affected Cortex-A520 or Cortex-A510 cores, particularly where KPTI is disabled. Generic x86 Linux systems are not implicated by the provided sources.
Exploitation context
The CVSS vector is local, low complexity, low privileges, no user interaction, with high availability impact. The CVE is not listed as KEV in the source bundle, and no cited source states active exploitation.
Researcher notes
The source evidence is kernel-fix focused. It identifies incorrect instruction ordering around TLBI, DSB, LDR, and ERET, and states page-table isolation prevents the issue. It does not provide public exploit details or a distro-by-distro fixed version matrix.
Mitigation direction
Apply Linux stable or distribution kernel updates containing the referenced fixes.
Check vendor advisories for exact backported package versions.
Prioritize ARM64 fleets using Cortex-A520 or Cortex-A510 cores.
Use page-table isolation where vendor guidance says it prevents this issue.
Avoid direct wrangler or deployment assumptions; follow local kernel vendor processes.
Validation and detection
Inventory ARM64 Linux kernel versions across affected platforms.
Identify systems using Cortex-A520 or Cortex-A510 cores.
Confirm whether KPTI or equivalent page-table isolation is enabled.
Verify the running kernel includes the relevant stable fix or vendor backport.
Track this CVE in vulnerability management until patched or ruled out.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-787: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-787 · source CWE mapping
Out-of-bounds Write
Out-of-bounds Write represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.