Microsoft has detailed a serious bug in Windows 11 and Windows Server 2022. Due to the issues outlined in Knowledge Base (KB) article KB5017259, it says users of its newest desktop operating systems could experience data damage. There appears to have been a flaw in the operation of a new data encryption hardware accelerator, supported by the newest processors from AMD and Intel, and used by apps like BitLocker. Thankfully, there is already a fix available for both preview and release versions of Windows 11 and Windows Server 2022.
Microsoft says the affected systems will fall foul of the issues described in KB5017259 if they have a processor that supports the newest Vector Advanced Encryption Standard (VAES) instructions, and specifically either of the following extensions:
- AES XEX-based tweaked-codebook mode with ciphertext stealing (AES-XTS)
- AES with Galois/Counter Mode (GCM) (AES-GCM)
Checking around, we found that the following modern PC processors support VAES: Intel Ice Lake, Tiger Lake and Rocket Lake, plus the upcoming AMD Zen 4 architecture processors.
What seems to have happened is that Microsoft added new code paths to its SymCrypt library to support hardware acceleration on the newest processors from AMD and Intel, covering features like AES-XTS and AES-GCM. However, implementation errors meant that data written through these paths could contain errors, so data would be damaged, corrupted or lost.
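Since the affected code paths are only reached on processors that expose VAES, a quick way to tell whether a machine falls under the KB5017259 criteria is to read CPUID leaf 7 (sub-leaf 0) and test ECX bit 9, which is the VAES feature flag. The probe below is an added example written for this article, not Microsoft's or SymCrypt's code; it assumes a GCC/Clang or MSVC toolchain on x86 and reports "absent" on any other platform.

```c
/* Probe CPUID for the VAES extension (leaf 7, sub-leaf 0, ECX bit 9).
   Added example for this article; not Microsoft code. */
#include <stdint.h>
#include <stdio.h>

#if defined(_MSC_VER) && (defined(_M_X64) || defined(_M_IX86))
#include <intrin.h>
#define HAVE_CPUID 1
#elif (defined(__GNUC__) || defined(__clang__)) && (defined(__x86_64__) || defined(__i386__))
#include <cpuid.h>
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0   /* non-x86 build: no CPUID, so VAES is reported absent */
#endif

#define CPUID_LEAF7_ECX_VAES_BIT (1u << 9)

/* Pure decode step: returns 1 if the VAES bit is set in a leaf-7 ECX value.
   Kept separate so it can be exercised on constructed register values. */
int vaes_in_leaf7_ecx(uint32_t ecx) {
    return (ecx & CPUID_LEAF7_ECX_VAES_BIT) ? 1 : 0;
}

/* Read leaf 7 / sub-leaf 0 ECX on this machine. Returns 0 when the CPU does
   not expose leaf 7 (older parts) or when built for a non-x86 target. */
uint32_t read_leaf7_ecx(void) {
#if !HAVE_CPUID
    return 0;
#elif defined(_MSC_VER)
    int r[4];
    __cpuid(r, 0);                    /* r[0] = highest basic leaf */
    if (r[0] < 7) return 0;
    __cpuidex(r, 7, 0);
    return (uint32_t)r[2];            /* ECX */
#else
    uint32_t a, b, c, d;
    __cpuid(0, a, b, c, d);           /* EAX = highest basic leaf */
    if (a < 7) return 0;
    __cpuid_count(7, 0, a, b, c, d);
    return c;
#endif
}

/* 1 if this CPU advertises VAES, i.e. the accelerated AES-XTS/AES-GCM paths are reachable. */
int this_cpu_has_vaes(void) { return vaes_in_leaf7_ecx(read_leaf7_ecx()); }

int main(void) {
    printf("VAES: %s\n", this_cpu_has_vaes() ? "present (KB5017259 hardware criteria met)" : "absent");
    return 0;
}
```

A "present" result only means the hardware criteria apply; whether the system is actually exposed still depends on which of the updates described below is installed.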
Microsoft doesn’t mention what to do if you have already been hit by this data damage issue, but it does have fixes and workarounds ready. To prevent any (further) data damage, those using preview releases of the OS should grab the May 24 release, while users of regular Windows should grab the June 14 security update.
Microsoft admits its medicine has a bad taste. “After applying those updates, you might notice slower performance for almost one month after you install them on Windows Server 2022 and Windows 11 (original release),” says Microsoft in its bulletin. Apps / workloads using encryption will be most noticeably affected, so watch out for slowdowns in BitLocker, Transport Layer Security (TLS) (specifically load balancers), and disk throughput, especially for enterprise customers.
Those observing serious performance impacts, which may mean encryption runs at nearly half its previous speed, can install further updates. Preview users can grab the June 23 preview update, and regular Windows 11 and Windows Server 2022 users can install the July 12 security update.
If any readers have experienced data damage due to the implementation flaws described above, please share your experience in the comments.