Buyers of Intel processors have filed a class action lawsuit alleging that Intel sold billions of processors despite knowing about the Downfall vulnerability (INTEL-SA-00828). The vulnerability is exploited through the AVX2 and AVX-512 instructions in an attack that Intel calls Gather Data Sampling (GDS). The plaintiffs allege that Intel has known about this vulnerability since 2018, and that the patch that corrected this architectural flaw left “processors slowed beyond recognition.”
Information about the upcoming lawsuit first appeared in August 2023. The Downfall vulnerability affects Intel processors from the 6th (Skylake) to the 11th (Rocket Lake) generation, including Xeon chips based on the same architectures – the total number of which can actually run into the billions. The manufacturer admitted that for some workloads, the performance drop after installing the patch that closes the vulnerability can be up to 50%. A series of tests carried out shortly after Downfall was disclosed showed a loss of up to 39% in performance. The hardest hit were applications that rely heavily on the AVX2 and AVX-512 instruction sets.
The year 2018, when the Downfall vulnerability was discovered, was full of news about hardware security problems in computers – the Spectre and Meltdown vulnerabilities were in the headlines of the trade press. For the first time, exploits targeting speculative execution, which many modern processors use to speed up calculations, were made available to the public.
Due to the publicity surrounding Spectre and Meltdown, some security researchers began to consider similar attack vectors. In June 2018, Alexander Yee reported “a new variant of the Spectre exploit for Intel processors with AVX and AVX512 instructions”. This information remained strictly confidential for two months, which gave Intel the opportunity to take action to correct the situation.
In fact, according to the lawsuit, Yee wasn’t the only one who warned Intel about AVX vulnerabilities. That is the plaintiffs’ main argument: “In the summer of 2018, as Intel grappled with the fallout from Spectre and Meltdown and promised hardware fixes for future generations of processors, the company received two separate third-party vulnerability reports that mentioned a number of vulnerabilities in AVX instructions for Intel processors”. The plaintiffs emphasize that Intel admitted to reading these reports.
The main complaint in the statement of claim, filed in U.S. District Court in San Jose, is not about the existence of the Downfall vulnerability itself or the performance decline caused by the patch, but rather the fact that since 2018 Intel “sits with crossed arms”, as the plaintiffs claim. According to them, Intel has deliberately sold billions of processors with a “malfunction” since 2018. This has left buyers with two unacceptable options: either leave their computer vulnerable or install a patch that protects them but “destroys CPU performance”. That’s why the plaintiffs are demanding “just compensation” from Intel.