Meltdown-Like ‘LazyFP’ Vulnerability Impacts Intel CPUs

Intel and software vendors have started informing users about a new vulnerability involving side channel speculative execution that could be exploited by malicious actors to obtain sensitive information from the targeted system.

Dubbed LazyFP, the security hole is related to the floating point unit (FPU), also known as the math coprocessor. The FPU is used by the operating system when switching between processes – it saves the state of the current process and restores the state of the new process.

There are two types of switching, Lazy FPU and Eager FPU switching. Lazy FPU switching provides some benefits for performance, but on modern systems the gain has become negligible, which has led to an increasing use of Eager switching.

Researchers discovered recently that if the Lazy method is used, it may be possible for an attacker to access FPU state data, which can contain sensitive information, such as cryptographic keys.

“System software may opt to utilize Lazy FP state restore instead of eager save and restore of the state upon a context switch. Lazy restored states are potentially vulnerable to exploits where one process may infer register values of other processes through a speculative execution side channel that infers their value,” Intel said in an advisory.

The vulnerability, tracked as CVE-2018-3665, is similar to Meltdown, specifically Variant 3a, but the issue has been assigned only a “medium” severity rating.

Julian Stecklina from Amazon Germany, Thomas Prescher from Cyberus Technology and Zdenek Sojka from SYSGO AG have been credited for finding the vulnerability. Colin Percival has also been credited, but the researcher says he only wrote an exploit for the flaw.

Cyberus has published a blog post for the LazyFP vulnerability, but it has withheld some details at Intel’s request.

Each advisory, blog post and discussion focusing on LazyFP provides some clues as to which systems may be affected.

Intel says the vulnerability affects its Core processors, which are marketed as Xeon for servers. The company claims the issue has been addressed by operating system and hypervisor software developers for many years, and vendors that are still impacted should release updates in the coming weeks.

Systems using AMD or ARM processors do not appear to be impacted. “Based on our analysis to-date, we do not believe our products are susceptible to the recent security vulnerability identified around lazy FPU switching,” AMD told SecurityWeek.

Microsoft has yet to say exactly which versions of Windows are vulnerable, but the company noted that “Lazy restore” is enabled by default in all versions of the operating system and cannot be disabled. The tech giant assured customers that VMs running in Azure are not at risk.

AWS told customers that its infrastructure is not affected, but advised them to ensure their operating systems are always up to date. The Xen Project says systems running any version of Xen are vulnerable.

In the case of Linux, recent versions of the kernel use Eager FPU. On systems using older processors, the vulnerability can be mitigated by booting the kernel with the “eagerfpu=on” parameter to enable Eager FPU. Red Hat, DragonflyBSD and OpenBSD have published advisories.
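A quick way to audit a Linux host for the boot parameter mentioned above, as an added example that is not part of the original article or any vendor advisory. The function names and result labels are hypothetical, and treating an `eagerfpu` flag in `/proc/cpuinfo` as the kernel's own report of eager switching is an assumption from outside the article.

```shell
#!/bin/sh
# Added example: report what a Linux host says about lazy vs. eager FPU switching.
# Assumption (not from the article): kernels that honour eagerfpu= list an
# "eagerfpu" CPU flag in /proc/cpuinfo while eager switching is active.

# Print the value of eagerfpu= on a kernel command line, or "unset".
# If the parameter is repeated, the last occurrence is reported.
eagerfpu_setting() (
    set -f                      # no glob expansion while word-splitting $1
    setting="unset"
    for arg in $1; do
        case "$arg" in
            eagerfpu=*) setting="${arg#eagerfpu=}" ;;
        esac
    done
    printf '%s\n' "$setting"
)

# Succeed if a /proc/cpuinfo "flags" line contains the eagerfpu flag.
cpu_has_eagerfpu_flag() {
    case " $1 " in
        *" eagerfpu "*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 = kernel command line, $2 = cpuinfo flags line.
lazyfp_assess() {
    if cpu_has_eagerfpu_flag "$2"; then
        echo "eager"            # kernel itself reports eager switching
    elif [ "$(eagerfpu_setting "$1")" = "off" ]; then
        echo "lazy-requested"   # lazy switching was explicitly asked for
    else
        # No flag reported. eagerfpu=on by itself proves nothing, because a
        # kernel that does not recognise the parameter ignores it.
        echo "undetermined"     # check kernel version against vendor advisory
    fi
}

# Live check; skipped where /proc is unavailable.
if [ -r /proc/cmdline ] && [ -r /proc/cpuinfo ]; then
    flags=$(grep '^flags' /proc/cpuinfo 2>/dev/null | head -n 1)
    lazyfp_assess "$(cat /proc/cmdline)" "$flags"
fi
```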

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
