“Training Solo”: A New and Dangerous Vulnerability Affects Intel and Arm CPUs and Revives the Ghost of Spectre

Researchers from VUSec have discovered three attack variants that compromise isolation between domains and allow for kernel memory leakage in modern processors. Intel and Linux are already working on patches, but the impact is profound.

A new deep architectural security threat is shaking the ecosystem of modern processors. Dubbed “Training Solo”, this vulnerability has been revealed by the security research team at Vrije Universiteit Amsterdam (VUSec), known for previously uncovering flaws like NetSpectre and Microarchitectural Data Sampling.

It affects both Intel CPUs and Arm designs, representing a troubling evolution of Spectre v2-like attacks that exploit speculative execution and branch prediction to access sensitive memory.


What is “Training Solo” and Why It Matters

Training Solo challenges the key principle on which Spectre v2 mitigations have been based for the past six years: that isolation between execution domains—such as user processes, the kernel, or virtual machines—is sufficient to thwart speculative exploitation.

According to the researchers, this assumption is false. Training Solo enables attacks within the same execution domain or even leaks data between isolated domains, undermining one of the pillars of security in the Linux kernel and modern hypervisors.

Specifically, the attack combines training techniques and speculative control flow hijacking within the victim domain, without requiring elevated privileges for the attacker. VUSec has demonstrated two functional exploits capable of leaking kernel data at speeds of up to 17 KB/s on next-generation Intel CPUs.


Three Variants, Multiple Patches

The researchers identify three distinct variants of Training Solo:

  1. ITS (Indirect Target Selection): affects the prediction of indirect branches. Requires Intel microcode and patches for the Linux kernel and KVM.
  2. Intel “Lion Cove” core-specific variant: requires a separate mitigation that is still under evaluation.
  3. Mixed third variant (Intel and Arm): requires both new microcode and software updates in both environments.

Affected CPUs

The list of affected models is extensive, including:

  • Intel Cascade Lake, Cooper Lake, Comet Lake, Whiskey Lake V
  • Coffee Lake R, Ice Lake, Tiger Lake, Rocket Lake
  • Some Lion Cove cores, present in the most recent platforms

For Arm, specific affected cores have not yet been publicly detailed, but it is confirmed that general-purpose designs used in servers and mobile devices could also be exposed.


Impact and Response

The Linux kernel has already begun integrating the corresponding patches, including:

  • The ITS mitigation, which corrects erroneous cache branch predictions.
  • A new mechanism to protect the execution of cBPF (classic Berkeley Packet Filter) programs, which are widely used in cloud and security environments.
  • The introduction of a new instruction called IBHF (Indirect Branch History Fence), which acts as a barrier against speculative branch history reuse.

Intel has confirmed the existence of the flaw and is working with operating system vendors to deploy updated microcode in the coming days.


An Ongoing Risk for Virtualized and Cloud Environments

The most concerning aspect of Training Solo is that it directly affects isolation between user, kernel, virtual machine, and hypervisor, a security model that underpins everything from conventional operating systems to large-scale cloud infrastructure.

This type of vulnerability could, in extreme scenarios, allow an attacker from one virtual machine to access data from others if appropriate mitigations are not applied. While practical exploitation requires specific conditions and advanced knowledge, the theoretical risk is significant.


Are We Back to the Days of Meltdown and Spectre?

The security community considers “Training Solo” to be the most relevant finding since Meltdown and Spectre in 2018. Although manufacturers have hardened protections, this case demonstrates that speculative execution remains a source of attack vectors, and protecting it requires constant effort.

“This is a classic CPU bug where the behavior is obviously erroneous, but not enough to be detected without in-depth analysis,” stated Dave Hansen, Intel engineer, in the kernel development forums.


Recommendations

For end-users:

  • Apply operating system and firmware updates as soon as they are available.
  • Avoid untrusted shared environments when using unpatched kernel versions.

For administrators and enterprises:

  • Update processor microcode and apply the patches for the Linux kernel and for hypervisors like KVM.
  • Monitor the use of eBPF and ensure that mitigated versions are being utilized.
  • Isolate critical or sensitive workloads in virtualized environments more rigorously.
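
One way to check a Linux host against the administrator recommendations above, as an added example that is not from VUSec, Intel or the kernel project: it reads the mitigation state the kernel reports under /sys/devices/system/cpu/vulnerabilities and the kernel.unprivileged_bpf_disabled sysctl. The function names and the AUDIT_ROOT prefix are assumptions made for this example.

```sh
#!/bin/sh
# Added example: audit the mitigation state a Linux kernel reports for the
# issues described in this article. Not part of any vendor tooling.

# Map one sysfs vulnerabilities line to a verdict. "Vulnerable" is tested
# first because a line can start with "Mitigation:" and still carry a
# vulnerable sub-field (for example "...; BHI: Vulnerable").
classify_status() {
    case "$1" in
        *Vulnerable*)                   echo VULNERABLE ;;
        "Not affected"*|"Mitigation:"*) echo OK ;;
        *)                              echo UNKNOWN ;;
    esac
}

# audit_host [ROOT]: print "check|verdict|detail" for each check and return 1
# if any check is not OK. ROOT (hypothetical) prefixes the paths so a copied
# /sys and /proc tree from another machine can be audited offline.
audit_host() {
    root="${1:-}"
    rc=0
    for name in indirect_target_selection spectre_v2; do
        f="$root/sys/devices/system/cpu/vulnerabilities/$name"
        if [ -r "$f" ]; then
            detail=$(cat "$f")
            verdict=$(classify_status "$detail")
        else
            detail="not reported; kernel likely predates the patch"
            verdict=UNKNOWN
        fi
        [ "$verdict" = OK ] || rc=1
        printf '%s|%s|%s\n' "$name" "$verdict" "$detail"
    done

    # 0 = unprivileged users may load eBPF programs; 1 or 2 = disabled.
    f="$root/proc/sys/kernel/unprivileged_bpf_disabled"
    detail=$(cat "$f" 2>/dev/null || echo missing)
    case "$detail" in
        1|2) verdict=OK ;;
        0)   verdict=REVIEW; rc=1 ;;
        *)   verdict=UNKNOWN; rc=1 ;;
    esac
    printf '%s|%s|%s\n' unprivileged_bpf_disabled "$verdict" "$detail"
    return "$rc"
}

# Audit the running system, or the tree named by AUDIT_ROOT (assumption).
audit_host "${AUDIT_ROOT:-}" || echo "One or more checks need attention."
```

An UNKNOWN verdict for indirect_target_selection means the running kernel does not report ITS at all, which on an affected CPU indicates the kernel update has not been applied yet.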

“Training Solo” serves as a new reminder that modern architecture continues to harbor deep risks that can emerge over time, even after years of scrutiny. Given the increasing complexity of processors, the balance between performance and security remains fragile. In that regard, every new optimization can hide, as in this case, an unintended backdoor.


Based on the technical report from VUSec, Phoronix, and contributions from the Linux kernel team.
