Google and Intel have released the results (PDF) of a joint security audit of Intel TDX 1.5 (Trusted Domain Extensions). Intel TDX technology enables virtual machine memory encryption to protect them from tampering and analysis by host system administrators and physical attacks on the hardware. The audit identified six vulnerabilities and 35 non-security-related errors.
The issues affect Intel Xeon 6 CPUs, as well as 4th and 5th generation Intel Xeon Scalable processors. The vulnerabilities were fixed in yesterday's microcode update. A toolkit for exploiting the vulnerabilities in Intel TDX and prototype exploits for two vulnerabilities (CVE-2025-30513 and CVE-2025-32007) have been published on GitHub.
The most severe vulnerability (CVE-2025-30513) allows an untrusted administrator with access to the host system to escalate their privileges and completely compromise the security guarantees provided by Intel TDX technology. The vulnerability is caused by a race condition in one of the TDX modules, which allows the protected environment (TD - Trusted Domain) to be transitioned from a migration-capable state to a debug mode-capable state during virtual machine migration.
The issue is caused by the ability to spoof environment attributes after they've been verified but before they're set to an immutable state in the migrated environment. After setting the debug attribute, the host system administrator can monitor the protected guest system's activity in real time and access the decrypted memory state.
The vulnerability is relatively easy to exploit, as an administrator can initiate a live migration of a protected virtual machine at any time. The issue was discovered by Google researchers, who, while examining the API, noticed a discrepancy between how the FSM (Finite State Machine) tracks the state of operations, handles import interruptions, and modifies, but does not restore, the state of the protected environment after a failure.
Less dangerous vulnerabilities:
- CVE-2025-32007 - An integer overflow in the metadata parsing code leads to a leak of 8 KB of decrypted data from the stack of the current logical processor (LP) during a live migration.
- CVE-2025-32467 - Use of uninitialized variables in some TDX modules may lead to residual information leakage.
- CVE-2025-27572 - Sensitive data leakage during speculative instruction execution may lead to information leakage.
- CVE-2025-27940 - An out-of-bounds read may lead to information leakage.
- CVE-2025-31944 β A race condition could lead to denial of service.
Source: opennet.ru
