CVE-2020-10767
Linux Kernel vulnerability analysis and mitigation

Overview

A flaw was discovered in the Linux kernel before version 5.8-rc1 in the implementation of the Enhanced IBPB (Indirect Branch Prediction Barrier). The vulnerability, identified as CVE-2020-10767, causes the IBPB mitigation to be disabled under specific conditions: when STIBP (Single Thread Indirect Branch Predictors) is not available or when Enhanced Indirect Branch Restricted Speculation (IBRS) is available (Ubuntu Security, Red Hat Bugzilla).

Technical details

The vulnerability affects the Linux kernel's implementation of Spectre V2 mitigations. When STIBP is unavailable or enhanced IBRS is available, Linux force-disables the IBPB mitigation of Spectre-BTB even when simultaneous multithreading is disabled. While attempts to enable IBPB using prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, ...) fail with EPERM, the seccomp syscall succeeds with no errors but leaves the application silently vulnerable to cross-process Spectre v2 attacks. The vulnerability has a CVSS v3.1 base score of 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (Red Hat Bugzilla).
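Because the seccomp path reports no error, a sandboxing process can only confirm its protection by reading the state back with PR_GET_SPECULATION_CTRL. The following check is an added example, not code from the kernel patch or the original page; the enum and function names (ib_state, classify_ib, harden_and_verify) are hypothetical, and it assumes Linux headers that define PR_SPEC_INDIRECT_BRANCH.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>   /* PR_*_SPECULATION_CTRL and PR_SPEC_* constants */

/* Hypothetical verdict names for one task's indirect-branch state. */
enum ib_state { IB_UNSUPPORTED, IB_NOT_AFFECTED, IB_NO_TASK_CONTROL,
                IB_UNPROTECTED, IB_PROTECTED };

/* Decode the return value of
 * prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0). */
enum ib_state classify_ib(int rc)
{
    if (rc < 0)
        return IB_UNSUPPORTED;            /* kernel or CPU lacks the control */
    if (rc == PR_SPEC_NOT_AFFECTED)
        return IB_NOT_AFFECTED;
    if (rc & (PR_SPEC_DISABLE | PR_SPEC_FORCE_DISABLE))
        return IB_PROTECTED;              /* speculation disabled for this task */
    if (!(rc & PR_SPEC_PRCTL))
        return IB_NO_TASK_CONTROL;        /* unmitigated and opt-in is refused */
    return IB_UNPROTECTED;                /* opt-in possible but not active */
}

/* Request the mitigation, then re-read the state rather than trusting the
 * call; *set_errno receives EPERM on the kernels described above. */
enum ib_state harden_and_verify(int *set_errno)
{
    int rc = prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH,
                   PR_SPEC_DISABLE, 0, 0);
    *set_errno = (rc == 0) ? 0 : errno;
    return classify_ib(prctl(PR_GET_SPECULATION_CTRL,
                             PR_SPEC_INDIRECT_BRANCH, 0, 0, 0));
}

int main(void)
{
    static const char *names[] = { "unsupported", "not affected",
        "no per-task control", "unprotected", "protected" };
    int err = 0;
    enum ib_state st = harden_and_verify(&err);

    printf("PR_SET_SPECULATION_CTRL: %s\n", err ? strerror(err) : "ok");
    printf("indirect-branch state: %s\n", names[st]);
    return st == IB_PROTECTED || st == IB_NOT_AFFECTED ? 0 : 1;
}
```

Running the same PR_GET_SPECULATION_CTRL read after a seccomp filter is installed shows whether the filter actually left the task protected.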

Impact

This vulnerability allows a local attacker to perform a Spectre V2 style attack when this configuration is active. The highest threat from this vulnerability is to confidentiality, because it leaves the earlier Spectre v2 attack exploitable. The flaw particularly affects applications like Chromium or OpenSSH that use seccomp, leaving them vulnerable to cross-process Spectre v2 attacks (Kernel Commit).

Mitigation and workarounds

The issue was fixed in Linux kernel version 5.8-rc1 through a patch that enables the prctl control of IBPB even when STIBP is unavailable or enhanced IBRS is available. Various Linux distributions have released security updates to address this vulnerability, including Red Hat Enterprise Linux 8 and Ubuntu (Red Hat Bugzilla, Ubuntu Security).

This report was generated using AI