Potential Risk of CVE, Under our observation

AMD ID: AMD-SB-7050: About Vector Value Injection in AMD CPUs, AMD believes that existing mitigation guidance for FPVI remains valid and covers VVI cases as well. What are your thoughts on this? (18th Mar 2026)

Leave a comment

Background: The researchers’ paper introduces Vector Value Injection (VVI), which could allow an attacker with a deep understanding of microarchitectural behavior to inject values into vector registers during transient execution. Although they noted similarities with Floating Point Value Injection (FPVI), they reported Vector Value Injection as a new issue due to its capability to be triggered without denormal values as inputs.

AMD believes that VVI falls within the existing scope of CVE-2021-26314 (FPVI) as existing descriptions of FPVI do not specifically require denormal inputs. Additionally, AMD believes that existing mitigation guidance for FPVI remains valid and covers VVI cases as well.

Ref: CVE-2021-26314 – Potential floating point value injection in all supported CPU products, in conjunction with software vulnerabilities relating to speculative execution with incorrect floating point results, may cause the use of incorrect data from FPVI and may result in data leakage.

Official announcement: AMD ID: AMD-SB-7050 “Vector Value Injection in AMD CPUs”. Please refer to the link for details – https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7050.html

CVE-2021-26314 is a vulnerability from five years ago; however, in today’s parallel environment, the situation may be different!

How does Parallel Processing handle “Different Types”?

When tasks are different (e.g., one calculates Pi, one downloads a file, one reads a database), the system handles them in three ways:

1.         Heterogeneous Task Assignment (Asynchronous):

Instead of using a “map” (which does the same thing to many items), we use apply_async. This allows Core 1 to run a “Math” function while Core 2 runs a “Data Backup” function simultaneously.

2.         OS Scheduling & Context Switching:

The Operating System (OS) is the “manager.” If Task A is waiting for a slow Hard Drive (I/O Bound), the OS immediately moves Task B (CPU Bound) onto that core so no time is wasted.

3.         Hardware Resource Partitioning:

On a chip like the 9995WX, different execution units inside the core can work at once. One part of the core handles Integer math, while another handles Floating Point (AVX-512). This allows the processor to crunch different types of data within the same clock cycle

Vector Value Injection integrated to pool.apply_async (which runs different functions simultaneously) cannot be curcumvented through Register Scrubbing or Control-Flow Enforcement (CET). In fact, manually assigning different functions using `apply_async’ lowers the defense level potentially.

Why apply_async May Lower the Defense Level?

When you use pool.apply_async to launch different functions, Python’s multiprocessing creates multiple independent OS Processes.

•          Expanded Attack Surface: Compared to a single-process loop, a multi-process environment increases the frequency of Inter-Process Communication (IPC). If an attacker leverages Vector Value Injection, they can hunt for vulnerabilities in the different logic paths of each unique function.

•          Context Switching Risks: Frequent task scheduling can increase the risk of Cache Side-channel leaks. These leaks can sometimes bypass Register Scrubbing protection by capturing data before it is cleared.

End of article

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.