GPU Kernel Vulnerability Allows Sensitive Data Theft
CVE-2023-4969
Key Information:
- Vendor: Khronos Group
- Products: OpenCL, Vulkan
- CVE Published: 16 January 2024
What is CVE-2023-4969?
CVE-2023-4969 is a vulnerability associated with the software developed by the Khronos Group, which plays a significant role in defining standards for cross-platform graphics and compute APIs. This particular vulnerability pertains to a GPU kernel flaw that enables unauthorized reading of sensitive or private data from one GPU kernel by another, even across different users or applications. The impact on organizations could be substantial, as it raises concerns over data confidentiality, potentially exposing sensitive information that should remain isolated within individual user contexts.
Technical Details
The essence of CVE-2023-4969 lies in the manipulation of an optimized GPU memory region referred to as local memory. On various architectures, GPU kernels can access this region in a way that permits data exchange that should normally be restricted. Under certain conditions, one GPU kernel can compromise the data privacy of another by reading from this local memory, so developers and system architects need to be aware of potential data leakage between kernels during GPU operations.
Impact of the Vulnerability
- Data Theft Risk: Organizations face a tangible threat of sensitive data being compromised, as unauthorized access to private user data through GPU memory can lead to significant privacy breaches.
- Increased Attack Surface: The vulnerability expands the potential attack surface for adversaries, who might exploit this weakness to gain unauthorized access to sensitive computational results, thus jeopardizing user security.
- Reputational Damage and Compliance Issues: The possible exposure of confidential information could lead to reputational harm for organizations, along with potential violations of data protection regulations, ultimately resulting in legal consequences and financial penalties.
Affected Version(s)
OpenCL 3.0.11
Vulkan 1.3.224
News Articles
CVE-2023-4969 Archives
Vulnerability, January 16, 2024: LeftoverLocals – CVE-2023-4969: The Hidden Threat in Your GPU. In the fast-paced world of high-performance computing and artificial intelligence, GPUs have emerged as indispensable...
1 year ago
AMD, Apple, Qualcomm, Imagination GPUs could leak AI secrets via ‘LeftoverLocals’
A simple 10-line program could allow an attacker to “listen” to private machine learning processes, according to researchers from Trail of Bits.
1 year ago
Security Research Exposes GPU Vulnerability Across Major Tech Firms - isp.page
1 year ago
Timeline
- 📈 Vulnerability started trending
- 📰 First article discovered by Penetration Testing
- Vulnerability published
- Vulnerability Reserved