Intel knew about the Downfall CPU vulnerability but did nothing for five years, a new class action claims

WTF?! Downfall is the most recent of a long series of security vulnerabilities discovered in Intel processors during the past few years. According to a new class action, Chipzilla was well aware of the flaw's existence but chose to keep it a secret by selling vulnerable products.

A class action filed in a US federal court in San Jose, California, states that Intel was informed about the Downfall vulnerability in 2018, but the company didn't fix the issue in its processors and the flaw was independently rediscovered in 2023. Intel left customers with vulnerable CPUs, which later turned into crippled products because of performance-killing mitigations.

Also known as Gather Data Sampling (GDS), Downfall (CVE-2022-40982) is a security flaw affecting the 6th through 11th generations of consumer chips and the 1st through 4th generations of Xeon Intel x86-64 CPUs. The transient execution flaw affects Advanced Vector Extensions (AVX) instructions present in modern Intel CPUs, and it can be exploited to reveal the content of vector registers.

Billions of Intel CPUs used in personal and cloud computers can be forced to reveal secret user data, Google researchers who discovered the flaw explained. The "Gather" AVX CPU instruction leaks the content of the internal vector register file during speculative execution, and a malicious actor could exploit the flaw to steal passwords, encryption keys, banking details, and more.

According to the five plaintiffs promoting the new class action, Intel was informed about Downfall by two separate reports in 2018. The company was busy dealing with the Spectre and Meltdown flaws in its CPU architecture at the time, and seemingly decided to overlook the Downfall vulnerability in the AVX instructions. Furthermore, microcore updates later released by Intel can slow CPU performance by as much as 50% for certain "ordinary computing tasks," the lawsuit claims.

Owners of modern(ish) Intel CPUs are now left with defective products that are either "egregiously vulnerable" to attacks or must be slowed down "beyond recognition" to fix the Downfall flaw, the class action states. They are not the CPUs the plaintiffs purchased, as they perform "quite differently" and are worth much less.

Intel didn't fix Downfall for three more generations of its x86 chips, and now customers that use software for photo and video editing, gaming, and encryption must unfairly pay for the company's negligence. Even worse, the class action claims that Intel has implemented some "secret buffers" related to the AVX flawed instructions, but it didn't publicly disclose their existence.

Coupled with the Downfall vulnerability, these secret buffers acted as a backdoor in Intel's CPUs. An attacker could have exploited the design flaw to obtain sensitive information stored in RAM. In 2018, Intel publicly stated that it implemented hardware fixes for Meltdown and Spectre, but the company was aware of the fact that the AVX instructions allowed a similar side-channel attack. So far, Intel has declined to comment on the class action.