KernelScan.io

HIGH

x86 FRED Speculative Bypass

CVE-2026-23354

CVSS 7.8 / 10.0 (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI: 7.8 HIGH


In the Linux kernel, the following vulnerability has been resolved:

x86/fred: Correct speculative safety in fred_extint()

array_index_nospec() is no use if the result gets spilled to the stack, as it makes the believed safe-under-speculation value subject to memory predictions. For all practical purposes, this means array_index_nospec() must be used in the expression that accesses the array.

As the code currently stands, it's the wrong side of irqentry_enter(), and 'index' is put into %ebp across the function call.

Remove the index variable and reposition array_index_nospec(), so it's calculated immediately before the array access.


Engine v0.2.0

Risk summary

An attacker with local access could exploit speculative execution to bypass the array bounds check in the FRED interrupt handling path, potentially leading to information disclosure or privilege escalation. The impact is limited to newer Intel systems with FRED support.

Affected: arch/x86/entry/entry_fred.c

Vulnerability analysis

Summary: The vulnerability is a speculative execution bypass in the FRED (Flexible Return and Event Delivery) interrupt handling code. The issue occurs because array_index_nospec() is used incorrectly: the sanitized index value is stored in a variable that is kept live across a function call and spilled to the stack, making it subject to memory predictions during speculative execution.

Root Cause: The original code calculates the sanitized array index using array_index_nospec() but stores it in a local variable 'index'. This variable is held in %ebp across the irqentry_enter() function call, and from there it ends up spilled to the stack. During speculative execution, the reload of that value from memory is subject to the CPU's memory predictions, so the value used for the array access is no longer guaranteed to be the sanitized one, potentially bypassing the speculation barrier and allowing an out-of-bounds array access.

Attack Surface: This affects x86 systems with FRED support (Intel's new interrupt delivery mechanism). The vulnerability is in kernel interrupt handling code, so it requires local access with some level of privilege to trigger interrupt conditions that would execute this code path.

Fix Mechanism: The fix removes the intermediate 'index' variable and moves the array_index_nospec() call so that it is evaluated immediately before the array access, within the same expression. This ensures the sanitized value is consumed directly without being stored in memory, where it could be subject to speculative memory predictions.


Branch     Fixed in   Patch commit
6.12       6.12.77    3bc5887b0a2b
6.18       6.18.17    e58f1a9b0677
6.19       6.19.7     92caa5274b99
mainline   7.0        aa280a08e7d8