Intel processor buyers have filed a class action lawsuit accusing the company of selling billions of processors despite knowing about the security vulnerabilities that existed in them.
According to Tom’s Guide, this vulnerability is exploited through AVX2 and AVX-512 instructions in an attack that Intel calls Gather Data Sampling (GDS). Information about the upcoming lawsuit first appeared in August 2023. This vulnerability affects Intel processors from the 6th generation (Skylake) to the 11th generation (Rocket Lake), including Xeon chips based on the same architecture, potentially affecting billions of processors.
Intel admits that for a given workload, the performance drop after installing the vulnerability patch can be up to 50%. A series of tests conducted immediately after the discovery showed a performance degradation of up to 39%, and the hardest hit were applications that relied heavily on AVX2 and AVX-512 instruction sets.
In 2018, when the Downfall vulnerability was discovered, a series of news sites reported that the Spectre and Meltdown vulnerabilities, which hackers use to target the speculative execution process that many modern processors use to accelerate calculations, had been made public. This caused security researchers to start looking into similar attack vectors. In June 2018, researcher Alexander Yee reported on a new variant of the Spectre vulnerability for Intel processors focusing on AVX and AVX512. This information was kept strictly confidential for two months to give Intel the opportunity to take action to remedy the situation.
In fact, according to the lawsuit, Yee was not the only one to warn Intel about the AVX vulnerabilities. Specifically, the plaintiff said: “In the summer of 2018, as Intel struggled with the consequences of Spectre and Meltdown, and promised to fix hardware errors for future generations of processors, the company received two separate third-party vulnerability reports addressing several vulnerabilities related to AVX for its processors.” The plaintiffs emphasized that Intel admitted to reading these reports.
The main claim in the court document requesting a jury trial in the District Court in San Jose, US, does not focus on the existence of the Downfall vulnerability or the performance penalty of the patches but rather on Intel’s actions regarding the Downfall vulnerability: its “sitting on its hands” move. The plaintiffs claim that the company has known about the defect behind Downfall since 2018 but still knowingly sold billions of processors since the glitch was discovered. This leaves users with only two (both unacceptable) options: buy vulnerable processors or install a patch that destroys CPU performance to protect them. That is why the plaintiff asked Intel for compensation.