Training Solo: A Spectre-v2 vulnerability affecting Intel CPUs


Researchers from the Vrije Universiteit Amsterdam have disclosed, through a blog post, "Training Solo", a new family of Spectre-v2 attacks that exploit flaws in speculative prediction to break the security boundaries between privileged and unprivileged execution spaces, directly affecting Intel CPUs.

The new techniques allow sensitive content to be extracted from the kernel or the hypervisor at speeds of up to 17 KB per second, even on systems that implement modern mitigations such as IBPB, eIBRS, or BHI_NO.

Training Solo, the new face of Spectre-v2 re-emerges with force

Since its discovery, Spectre-v2 has been one of the most difficult classes of vulnerabilities to mitigate due to its speculative nature, and "Training Solo" introduces a further crucial problem: it does not require any attacker-controlled code to influence the branch predictor, but instead relies on existing code fragments (gadgets) within the kernel or hypervisor to train the predictor from user space.

Our work demonstrates that attackers can speculatively hijack control flow within the same domain (e.g., the kernel) and leak secrets across privilege boundaries, reviving classic Spectre-v2 scenarios without relying on powerful sandboxes like eBPF. We created a new test suite to analyze the branch predictor in a self-training scenario.

The researchers have shown that by manipulating these gadgets (e.g., leveraging cBPF-based SECCOMP filters), speculative execution can be induced that leaks data from the privileged system.

Through this technique, called "individual training", the branch predictor's history can be altered so that incorrect jumps occur during speculative execution, with the goal of leaking memory content through side effects in the cache.

The Training Solo attacks come in three variants, each taking advantage of different weaknesses:

  1.  Manipulating branch history with kernel gadgets: Exploits system calls such as SECCOMP, where filters can induce spurious speculative branches, leaking memory at rates of 1,7 KB/s on Intel Tiger Lake and Lion Cove CPUs.
  2.  Instruction pointer (IP) collisions in the branch target buffer (BTB): Here, two different indirect branches can influence each other if their addresses collide in the buffer, allowing speculative destinations to be mispredicted.
  3.  Influences between direct and indirect branches: This technique, based on two specific vulnerabilities (CVE-2024-28956 (ITS) and CVE-2025-24495), exploits how direct branches can influence the prediction of indirect branches. Using this approach, the root password hash was recovered after running passwd -s in just 60 seconds.

Our work focuses on breaking domain isolation by design through self-training attacks. However, the hardware issues detected in our test set also affect the implementation of isolation, as it was assumed that direct branches would not be used for training indirect branches. 

Impact and scope of new vulnerabilities

The attacks affect a wide range of Intel CPUs, including popular lines such as Coffee Lake, Tiger Lake, Ice Lake, and Rocket Lake, as well as 2nd and 3rd generation Xeon servers. Additionally, the Lunar Lake and Arrow Lake architectures are also vulnerable under CVE-2025-24495.

To mitigate these attacks, Intel has released a microcode update which introduces a new instruction: IBHF (Indirect Branch History Fence), designed to prevent branch history pollution. This change must be explicitly implemented after any code that affects the branch predictor. For older CPUs, software solutions that manually clean up history have been recommended.

For their part, the Linux kernel developers have already begun to integrate patches to counteract these techniques, including measures that relocate indirect jumps out of sensitive cache areas and protection against cBPF.
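As an added example that is not part of the article or of the researchers' work, the following POSIX shell script reads the kernel's own sysfs mitigation report so an administrator can verify the Spectre-v2 and ITS patch state on a host. The sysfs directory is the kernel's standard one; the `indirect_target_selection` entry is assumed to be present only on kernels that carry the ITS (CVE-2024-28956) patches, and the status strings in the comments are constructed samples.

```shell
#!/bin/sh
# Added example (not from the article or the VU Amsterdam researchers):
# a defender's check of the kernel-reported Spectre-v2 / ITS mitigation state.
# VULN_DIR is the kernel's sysfs vulnerability directory; override it to test
# against a copied directory offline.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status <status line>
# Prints one verdict: ok, partial, vulnerable, unknown.
# Constructed sample inputs:
#   "Mitigation: Enhanced / Automatic IBRS; BHI: BHI_DIS_S"  -> ok
#   "Mitigation: Enhanced / Automatic IBRS; BHI: Vulnerable" -> partial
#   "Vulnerable: eIBRS with unprivileged eBPF"               -> vulnerable
classify_status() {
    status="$1"
    case "$status" in
        "Not affected"*|"Mitigation:"*)
            # A Spectre-v2 line can still flag its BHI sub-status as vulnerable
            # (history-based training is exactly what Training Solo abuses).
            case "$status" in
                *"BHI: Vulnerable"*) echo partial ;;
                *) echo ok ;;
            esac ;;
        "Vulnerable"*) echo vulnerable ;;
        *) echo unknown ;;
    esac
}

# report_entry <name>: reads one sysfs entry and prints "<name>: <verdict> [<raw>]"
report_entry() {
    name="$1"
    file="$VULN_DIR/$name"
    if [ -r "$file" ]; then
        line=$(cat "$file")
    else
        # Older kernels (without the ITS patches) do not expose this entry.
        line="(not reported by this kernel)"
    fi
    printf '%s: %s [%s]\n' "$name" "$(classify_status "$line")" "$line"
}

# spectre_report: one line per entry relevant to the Training Solo variants.
spectre_report() {
    for entry in spectre_v2 indirect_target_selection; do
        report_entry "$entry"
    done
}

spectre_report
```

A verdict of `unknown` for `indirect_target_selection` means the running kernel predates the ITS patches rather than that the CPU is unaffected.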

AMD, for its part, has confirmed that these techniques do not affect its processors, while ARM indicated that only its older chips, without support for the FEAT_CSV2_3 and FEAT_CLRBHB extensions, would be exposed.

Finally, if you are interested in learning more, you can consult the details in the following link.