FERRAMENTAS LINUX: Critical Linux Kernel Security Update: ELSA-2025-20323 Patch Fixes CVE-2024-28956

quarta-feira, 14 de maio de 2025

Critical Linux Kernel Security Update: ELSA-2025-20323 Patch Fixes CVE-2024-28956

Critical Linux kernel security update (ELSA-2025-20323) patches CVE-2024-28956, a high-risk x86 ITS flaw. Learn why enterprises must apply this patch to prevent speculative execution attacks and ensure compliance. Includes BPF & BHI fixes.

Why This Update Matters for Enterprise Security

The latest Unbreakable Enterprise Kernel (UEK) security update (ELSA-2025-20323) addresses critical vulnerabilities, including CVE-2024-28956, a high-risk flaw in x86 Indirect Target Selection (ITS).

This patch is essential for IT administrators, cybersecurity professionals, and DevOps teams managing Linux-based cloud infrastructure, enterprise servers, and high-performance computing environments.

🔴 Impact Level: IMPORTANT | Release Date: May 12, 2025

Key Security Fixes in This Kernel Update

This patch includes critical mitigations for Branch History Injection (BHI) and Indirect Target Selection (ITS) exploits, which could allow attackers to bypass hardware security protections.

Critical Vulnerabilities Patched

✅ CVE-2024-28956 – A severe x86 ITS vulnerability enabling speculative execution attacks.

✅ BHI (Branch History Injection) fixes – Prevents exploitation in 32-bit mode.

✅ Enhanced BPF security – Mitigates risks in classic BPF execution.

Technical Breakdown of Key Fixes

x86/ITS Mitigations
- Added ITS-safe return thunk to prevent speculative execution exploits.
- Introduced vmexit option to skip mitigations on unaffected CPUs (improving performance).
- Optimized RET alignment in BHB (Branch History Buffer) clearing sequences.
BPF & SELinux Enhancements
- Classic BPF now includes IBHF calls for secure branch history clearing.
- New x86 selftests for ITS validation.