Downfall CPU flaw exposes data on affected Intel systems via Gather Data Sampling
Intel, Microsoft, VMware, Xen, and Linux maintainers published mitigation guidance for Downfall / Gather Data Sampling (GDS), a transient execution side-channel vulnerability tracked as CVE-2022-40982 that affects multiple Intel processor generations from Skylake through Tiger Lake/Ice Lake-era parts. Research by Google’s Daniel Moghimi showed the flaw can leak sensitive data across security boundaries—including processes, the kernel, virtual machines, sibling threads, and some trusted execution environments—by abusing speculative execution of gather instructions to expose stale vector register contents. Reported impacts include theft of passwords, encryption keys, SGX-protected data, and other memory-derived secrets, with shared and cloud environments highlighted as particularly exposed.
Intel said mitigation relies primarily on updated microcode that blocks transient results of gather instructions from being observed speculatively, while Microsoft directed Windows customers to obtain Intel platform updates from OEMs and noted the protection is enabled by default. VMware said hypervisor patches are generally not required if underlying firmware is updated, while Xen issued advisory XSA-435 and stable-tree fixes plus options such as restricting AVX for untrusted guests. Intel and downstream guidance warned that mitigation can carry noticeable performance costs—minimal for many workloads but up to 50% for gather-heavy applications—and added that newer Intel families such as Alder Lake, Raptor Lake, and Sapphire Rapids include protections and are not considered affected.
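A host-side check for the Linux case, as an added example (not code from Intel, the kernel project or this page): it reads the GDS status the kernel exposes in `/sys/devices/system/cpu/vulnerabilities/gather_data_sampling` and sorts it into a verdict an inventory script can act on. The function names and verdict labels are assumptions of this example, and the sample status lines in the loop are constructed.

```shell
#!/bin/sh
# Added example: classify the GDS (CVE-2022-40982) status a Linux kernel reports.
# Path and status strings are the ones listed in the kernel's GDS admin guide.
GDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/gather_data_sampling

# gds_classify STATUS -> ok | mitigated | fallback | vulnerable | unknown
# (verdict labels are this example's own, not kernel terminology)
gds_classify() {
    case "$1" in
        "Not affected")              echo ok ;;
        "Mitigation: Microcode"*)    echo mitigated ;;   # also "(locked)"
        "Mitigation: AVX disabled"*) echo fallback ;;    # AVX off, microcode missing
        "Vulnerable"*)               echo vulnerable ;;  # also ": No microcode"
        *)                           echo unknown ;;     # e.g. guest, host decides
    esac
}

# gds_check [FILE] -> prints "<verdict>: <raw status>".
# Returns 0 for ok/mitigated, 1 for anything needing follow-up,
# 2 when the file is absent (kernel without GDS reporting).
gds_check() {
    file=${1:-$GDS_SYSFS}
    if [ ! -r "$file" ]; then
        echo "unknown: $file not readable"
        return 2
    fi
    status=$(head -n 1 "$file")
    verdict=$(gds_classify "$status")
    echo "$verdict: $status"
    case "$verdict" in
        ok|mitigated) return 0 ;;
        *)            return 1 ;;
    esac
}

# Constructed sample values, not captured from a real host.
for s in "Mitigation: Microcode (locked)" \
         "Vulnerable: No microcode" \
         "Unknown: Dependent on hypervisor status"; do
    printf '%-42s -> %s\n' "$s" "$(gds_classify "$s")"
done
```

On a real host, call `gds_check` with no argument; a `fallback` or `vulnerable` verdict points to a missing microcode update, and `unknown` inside a guest means the answer depends on the hypervisor host.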

How this story unfolded
12 events from the most recent confirmed update back to the earliest known activity.
Linux kernel documentation for GDS is published
The Linux kernel documentation published an administrative guide for Gather Data Sampling, providing platform-specific documentation for the vulnerability and its handling in Linux environments. This reflects ongoing ecosystem documentation after the original disclosure.
Microsoft publishes Windows guidance for CVE-2022-40982
Microsoft published KB5029778 with guidance for managing Gather Data Sampling on supported Windows systems running on affected Intel CPUs. It recommended Intel Platform Update 23.3 microcode from OEMs and stated the mitigation is enabled by default with no option to disable it.
Intel publishes detailed technical mitigation guidance
Intel later published expanded technical documentation describing how the GDS microcode mitigation works, default enablement, MSR controls, SGX requirements, Key Locker exposure, and guidance for Linux, Windows, and virtualized environments. The documentation also reiterated that some gather-heavy workloads may see performance degradation of up to 50%.
Intel publishes GDS threat analysis and risk guidance
Intel published a threat analysis for Gather Data Sampling assessing practical exploitability across deployment scenarios such as trusted systems, HPC, and multi-tenant cloud environments. The guidance said Intel was not aware of exploitation outside laboratory settings and advised administrators to balance threat exposure against potential performance impact when deciding whether to keep mitigations enabled.
Performance impact of Downfall mitigations reported
Follow-up reporting highlighted that Intel's Downfall mitigations could significantly reduce performance, with some tests showing drops up to 39% and Intel warning certain workloads could see even higher impact. This clarified the operational tradeoffs of deploying the microcode fix.
Xen publishes advisory and stable-branch fixes
Xen issued Security Advisory 435 for CVE-2022-40982, stating all Xen versions are affected on vulnerable Intel processors. Xen released fixes in stable versions 4.17.2, 4.16.5, 4.15.5, and 4.14.6, and also documented AVX-disabling mitigations.
VMware issues response and says hypervisor patches not required
VMware stated its hypervisors may be affected only when running on impacted Intel processors, but that VMware hypervisor patches were not required for remediation. Customers were directed to review Intel's advisory and obtain firmware updates from hardware vendors if needed.
Intel releases microcode mitigation for affected CPUs
At disclosure, Intel released microcode updates to mitigate CVE-2022-40982 on affected processors. Intel noted the mitigation is enabled by default and may impose substantial overhead on some gather-heavy workloads.
Downfall / GDS publicly disclosed by Intel and Google
Intel disclosed Gather Data Sampling on August 8, 2023, and Google researcher Daniel Moghimi publicly unveiled the Downfall attacks the same day. Public reporting described data leakage risks across processes, VMs, and SGX boundaries on affected Intel CPU generations.
Intel publishes Gather Data Sampling advisory
Intel published advisory guidance for Gather Data Sampling, documenting the transient execution flaw and vendor guidance for affected processors. This marks Intel's public advisory for CVE-2022-40982.
Downfall public site appears
A public Downfall project site was published, indicating coordinated public-facing material for the vulnerability. The exact event details are not provided in the reference beyond the site's existence.
Google researcher reports Downfall to Intel
Daniel Moghimi reported the Gather Data Sampling / Downfall vulnerability to Intel in August 2022. The issue was later tracked as CVE-2022-40982.
Sources
12 references tracked.
GDS - Gather Data Sampling - The Linux Kernel documentation
kernel.org
KB5029778: How to manage the vulnerability associated with CVE-2022-40982 - Microsoft Support
support.microsoft.com
Gather Data Sampling
intel.com
Threat Analysis Guidance for Gather Data Sampling
intel.com
Google unveils 'Downfall' attacks, vulnerability in Intel chips | TechTarget
techtarget.com
oss-sec: Xen Security Advisory 435 v1 (CVE-2022-40982) - x86/Intel: Gather Data Sampling
seclists.org
Gather Data Sampling
intel.com
Downfall
downfall.page


