Linux 6.8.5 & Other Stable Kernel Updates Due To Native BHI Vulnerability
Due to yesterday's disclosure of the Native BHI vulnerability, which affects all Intel processors and is a variant of Branch History Injection (BHI) that does not require BPF to exploit, a slew of new Linux kernel stable releases are out today to back-port the security mitigation.
Native BHI is the newest CPU speculative execution vulnerability and a step more serious than the original Branch History Injection vulnerability disclosed in 2022, since it doesn't need unprivileged BPF access. The Spectre BHI mitigation for Intel processors was introduced to Linux 6.9 Git on Tuesday; it uses a software BHB clearing sequence and/or updated Intel CPU microcode to handle the mitigation. Native BHI means that the branch history needs to be cleared on each system call entry and VM exit.
The updated Linux kernel code allows controlling the Native BHI behavior with the new spectre_bhi= boot option. See yesterday's article for more information on this latest Spectre headache.
The code landed yesterday in Linux Git for the current v6.9 kernel development cycle, and out today are the Linux 6.8.5, 6.6.26, 6.1.85, and 5.15.154 stable kernels that back-port the mitigation. So go forth and update to Linux 6.8.5, or to the corresponding update for the prior LTS kernel series, if you want to be protected against Native BHI on your Intel system(s). The fresh kernel code, as always, can be downloaded from kernel.org.
I'll be working on some benchmarks shortly to see if there are any real-world performance implications from this latest CPU security mitigation.
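As an added example (not from the article or the kernel project), this shell script classifies a kernel release string against the four stable versions named above and extracts the BHI field from the spectre_v2 sysfs entry. Assumptions: the function names are hypothetical, 6.9 final and later are treated as carrying the fix because the mitigation landed during 6.9 development, and distribution kernels can back-port the fix without changing the upstream version number, so the sysfs field is the more reliable signal.

```shell
#!/bin/sh
# Added example, not from the article. The fixed stable versions are the ones
# the article lists; function names are hypothetical.

# Minimum patch level carrying the back-port, per stable series.
bhi_min_patch() {
    case "$1" in
        6.8) echo 5 ;; 6.6) echo 26 ;; 6.1) echo 85 ;; 5.15) echo 154 ;;
    esac
}

# Classify a `uname -r` style string: patched | needs-update | unknown.
bhi_kernel_status() {
    base=${1%%[-+]*}                        # drop suffix such as "-generic"
    case "$base" in *.*) ;; *) echo unknown; return ;; esac
    major=${base%%.*}; rest=${base#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$patch" != "$rest" ] || patch=0      # "6.8" carries no patch level
    patch=${patch%%.*}                      # ignore a fourth component
    case "$major.$minor.$patch" in          # reject empty or non-numeric parts
        *[!0-9.]*|.*|*..*|*.) echo unknown; return ;;
    esac
    min=$(bhi_min_patch "$major.$minor")
    if [ -n "$min" ]; then
        if [ "$patch" -ge "$min" ]; then echo patched; else echo needs-update; fi
    elif [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -gt 9 ]; }; then
        echo patched                        # assumption: released after the 6.9 merge
    elif [ "$major.$minor" = 6.9 ]; then
        # Release candidates may predate the merge, so do not guess.
        case "$1" in *rc*) echo unknown ;; *) echo patched ;; esac
    else
        echo unknown                        # series not named in the article
    fi
}

# Print the "BHI: ..." field of a spectre_v2 sysfs file, or "absent" when the
# running kernel does not report one (pre-mitigation kernel or unreadable file).
bhi_sysfs_field() {
    f=${1:-/sys/devices/system/cpu/vulnerabilities/spectre_v2}
    field=$(sed -n 's/.*\(BHI: [^;]*\).*/\1/p' "$f" 2>/dev/null) || true
    echo "${field:-absent}"
}

# Report for the machine this runs on.
echo "kernel $(uname -r): $(bhi_kernel_status "$(uname -r)")"
echo "sysfs: $(bhi_sysfs_field)"
```

A "needs-update" result on a distribution kernel should be checked against the vendor's advisory before acting on it.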