Recent studies have revealed two significant vulnerabilities in nearly all Intel processors. If exploited, such weaknesses could leak sensitive information and permit unauthorized attackers to access or manipulate data. The vulnerabilities, tracked as CVE-2024-28956 and CVE-2025-24495, affect multiple generations of Intel Core and Xeon processors. This development creates a major concern about the data security of users who depend on the impacted hardware.
CVE-2024-28956 has a CVSS v4 score of 5.7. It primarily affects Intel Core processors from the 9th through 11th generation and Intel Xeon processors from the 2nd through 3rd generation. This vulnerability is an example of Indirect Target Selection (ITS). In theory, it would allow attackers to decrypt sensitive data stored in a processor’s cache or obtain the in-memory data of other users who happen to share the same CPU.
Kaveh Razavi, head of the Computer Security Group (COMSEC) and co-author of the study, suggested that these deficiencies affect every Intel processor. Our collective failure to take these vulnerabilities seriously demands accountability. This vulnerability would allow attackers to leverage the CPU’s speculative execution.
Details on CVE-2025-24495
The second vulnerability, CVE-2025-24495, has a higher CVSS v4 score of 6.8. It affects only Intel CPUs that use the Lion Cove core architecture. This vulnerability allows remote attackers to speculatively hijack control flow to an arbitrary address within the same domain, which can in turn leak secrets across privilege boundaries. This effectively re-enables classic Spectre v2-like scenarios without requiring complex sandboxed environments.
In direct response to these vulnerabilities, Intel issued microcode updates to help mitigate the risk from CVE-2024-28956 and CVE-2025-24495. The company said that these updates were crucial to protecting users from potential data breaches.
“Exposure of sensitive information caused by shared microarchitectural predictor state that influences transient execution in the indirect branch predictors for some Intel Processors may allow an authenticated user to potentially enable information disclosure via local access.” – Intel
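As an added example (not from Intel, the researchers, or the original article): on a Linux host, the kernel reports its view of these issues under /sys/devices/system/cpu/vulnerabilities and the loaded microcode revision in /proc/cpuinfo. The script below classifies the indirect_target_selection and spectre_v2 entries; it assumes a kernel recent enough to expose the ITS entry, and the function names are illustrative.

```bash
#!/usr/bin/env bash
# Added example (not from the article): summarise what a Linux kernel reports
# for the indirect-branch-predictor issues discussed above.
# Assumptions: Linux sysfs layout; the indirect_target_selection entry is only
# present on kernels that know about ITS.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_entry FILE -> mitigated | partial | vulnerable | not_affected | unknown | unreported
classify_entry() {
    local file="$1" status
    if [ ! -r "$file" ]; then
        echo unreported          # kernel predates this entry; says nothing about the CPU
        return 0
    fi
    status=$(head -n 1 "$file")
    case "$status" in
        "Not affected"*)          echo not_affected ;;
        Mitigation:*Vulnerable*)  echo partial ;;      # a sub-component is still exposed
        Mitigation:*)             echo mitigated ;;
        Vulnerable*)              echo vulnerable ;;
        *)                        echo unknown ;;
    esac
}

# microcode_rev CPUINFO -> loaded microcode revision of the first CPU, or "unknown"
microcode_rev() {
    local rev=""
    [ -r "$1" ] && rev=$(awk -F': ' '/^microcode/ {print $2; exit}' "$1")
    echo "${rev:-unknown}"
}

# report [VULN_DIR] [CPUINFO] -> prints a table; returns 1 unless both entries are clean
report() {
    local dir="${1:-$VULN_DIR_DEFAULT}" cpuinfo="${2:-/proc/cpuinfo}" rc=0 name result
    for name in indirect_target_selection spectre_v2; do
        result=$(classify_entry "$dir/$name")
        printf '%-28s %s\n' "$name" "$result"
        case "$result" in
            mitigated|not_affected) ;;
            *) rc=1 ;;
        esac
    done
    printf '%-28s %s\n' microcode "$(microcode_rev "$cpuinfo")"
    return "$rc"
}

report "$@" || true
```

An "unreported" result means the running kernel has no entry for the issue, so it should prompt a kernel update rather than be read as "not affected".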
Implications for Users and Industry Response
These vulnerabilities substantially increase the risk to individuals using impacted Intel processors. Experts have repeatedly cautioned that these flaws can completely defeat domain isolation. This re-enables legacy user-user, guest-guest, and potentially guest-host Spectre v2 attacks.
“Attackers can speculatively hijack control flow within the same domain (e.g., kernel) and leak secrets across privilege boundaries, re-enabling classic Spectre v2 scenarios without relying on powerful sandboxed environments like eBPF.” – VUSec
Additionally, AMD has updated its prior guidance on Spectre and Meltdown in response to these disclosures. The revised guidance focuses on the security hazards associated with employing classic Berkeley Packet Filter (cBPF). This just goes to show how important it is to be a vigilant user.
“Can be exploited to misuse the prediction calculations of the CPU (central processing unit) in order to gain unauthorized access to information from other processor users.” – ETH Zurich