Red Hat Enterprise Linux 9 update for microcode_ctl
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2025-24495 CVE-2025-20012 CVE-2024-28956 |
| CWE-ID | CWE-909 CWE-696 CWE-399 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
microcode_ctl (Red Hat package) Operating systems & Components / Operating system package or component |
| Vendor | Red Hat Inc. |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Missing initialization of resource
EUVDB-ID: #VU109169
Risk: Low
CVSSv4.0: 1.9 [CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-24495
CWE-ID:
CWE-909 - Missing initialization of resource
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to incorrect initialization of resource in the branch prediction unit. A local user can gain unauthorized access to sensitive information on the system.
MitigationInstall updates from vendor's website.
microcode_ctl (Red Hat package): before 20220207-1.20250512.1.el9_0
CPE2.3 External linkshttps://access.redhat.com/errata/RHSA-2025:10103
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Incorrect behavior order
EUVDB-ID: #VU109171
Risk: Low
CVSSv4.0: 0.6 [CVSS:4.0/AV:P/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-20012
CWE-ID:
CWE-696 - Incorrect Behavior Order
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to gain access to sensitive information on the system. The vulnerability exists due to incorrect behavior order. An attacker with physical access can disclose sensitive information on the target system.
MitigationInstall updates from vendor's website.
microcode_ctl (Red Hat package): before 20220207-1.20250512.1.el9_0
CPE2.3 External linkshttps://access.redhat.com/errata/RHSA-2025:10103
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Resource management error
EUVDB-ID: #VU109000
Risk: High
CVSSv4.0: 7.2 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:U/U:Amber]
CVE-ID: CVE-2024-28956
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a malicious guest to escalate privileges on the system.
The vulnerability exists due to an error in the hardware support for prediction-domain isolation dubbed "Indirect Target Selection". A malicious guest can infer the contents of arbitrary host memory, including memory assigned to other guests.
MitigationInstall updates from vendor's website.
microcode_ctl (Red Hat package): before 20220207-1.20250512.1.el9_0
CPE2.3 External linkshttps://access.redhat.com/errata/RHSA-2025:10103
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
