Ubuntu updates to mitigate new Microarchitectural Data Sampling (MDS) vulnerabilities

This article was last updated 5 years ago.


Microarchitectural Data Sampling (MDS) describes a group of vulnerabilities (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091) in various Intel microprocessors, which allow a malicious process to read various information from another process which is executing on the same CPU core. This occurs due to the use of various microarchitectural elements (buffers) within the CPU core. If one process is able to speculatively sample data from these buffers, it can infer their contents and read data belonging to another process since these buffers are not cleared when switching between processes. This includes switching between two different userspace processes, switching between kernel and userspace and switching between the host and a guest when using virtualisation.

In the case of a single process being scheduled to a single CPU thread, it is relatively simple to mitigate this vulnerability by clearing these buffers when scheduling a new process onto the CPU thread. To achieve this, Intel have released an updated microcode which combined with changes to the Linux kernel ensure these buffers are appropriately cleared.

Updated versions of the intel-microcode, qemu and linux kernel packages are being published as part of the standard Ubuntu security maintenance of Ubuntu releases 16.04 LTS, 18.04 LTS, 18.10, 19.04 and as part of the extended security maintenance for Ubuntu 14.04 ESM users. As these vulnerabilities affect such a large range of Intel processors (across laptop, desktop and server machines), a large percentage of Ubuntu users are expected to be impacted – users are encouraged to install these updated packages as soon as they become available.

The use of Symmetric Multi-Threading (SMT) – also known as Hyper-Threading – further complicates these issues since these buffers are shared between sibling Hyper-Threads. Therefore, the above changes are not sufficient to mitigate these vulnerabilities when SMT is enabled. As such, the use of SMT is not recommended when untrusted code or applications are being executed.

For further details, including the specific package versions that mitigate these vulnerablities and instructions for optionally disabling SMT, please consult this article within the Ubuntu Security Knowledge Base.

Talk to us today

Interested in running Ubuntu in your organisation?

Newsletter signup

Get the latest Ubuntu news and updates in your inbox.

By submitting this form, I confirm that I have read and agree to Canonical’s Privacy Policy.

Related posts

JetPack 4 EOL – how to keep your userspace secure during migration

NVIDIA JetPack 4 reached its end-of-life (EOL) in November 2024, marking the end of security updates for this widely deployed stack. JetPack 4 has driven...

Update Livepatch Client for the newest kernel module signing certificate

The kernel engineering team at Canonical has generated a new module signing certificate on May 16, 2025, and it is embedded in all Ubuntu kernels published...

How is Livepatch safeguarded against bad actors?

What safeguards the Livepatch security patching solution against bad actors and malicious code masquerading as an update? Learn about Secure Boot and module signing.