Graphics card flaw enables data theft in AMD, Apple, and Qualcomm chips by exploiting GPU memory

Example of the data an attacker is able to access, left behind in a GPU's VRAM
(Image credit: Trail of Bits)

A new security vulnerability called LeftoverLocals affects GPUs made by some of the leading names, like AMD, Apple, and Qualcomm. It enables data theft from the GPU's memory irrespective of the form factor and operating system. The flaw was discovered by researchers at Trail of Bits. Since these GPUs are used in smartphones, tablets, notebooks, PCs, and purpose-built servers, the vulnerability leaves a wide range of computing devices at risk.

PCs and servers are designed to allow multiple users to share system processing resources without being able to access each other's data. However, the LeftoverLocals vulnerability negates that protection and exposes other users' data via the GPU's memory. Once an attacker has access to a device with a vulnerable GPU, they can read the GPU's memory, which still contains residual data after a particular execution is complete.

Acknowledgement by GPU Vendors

AMD, Apple, and Qualcomm have now acknowledged the issue. Apple made a patch available for the affected Apple A17 and M3 series processors on January 10. However, Apple hasn't clarified the situation with other impacted devices yet, like the Apple MacBook Air 3rd Generation with its A12 processor. Qualcomm also rolled out a new firmware (v2.07) to patch some of its devices.

AMD posted a security bulletin marking the severity of the issue as 'medium.' The chipmaker listed all the affected CPUs with on-chip graphics, discrete graphics cards, and data center GPUs. AMD says it plans to create a new mode that prevents processes from running in parallel on the GPU's memory and clears the VRAM between processes. This mitigation process won't arrive until March 2024.
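The leftover-data condition and the clear-between-processes mitigation described above can be modelled on the host, as an added example that is not code from Trail of Bits or any vendor. It assumes a plain array standing in for GPU memory; the names `scratch`, `leak_check`, `handoff` and the marker value are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Host-side model only: `scratch` stands in for GPU memory that is handed
 * from one process to the next. All names here are hypothetical. */
#define SCRATCH_WORDS 256
#define CANARY 0xC0FFEE11u /* constructed marker value */
static unsigned int scratch[SCRATCH_WORDS];

typedef enum { HANDOFF_NO_CLEAR, HANDOFF_CLEAR } handoff_policy;

/* First process: fills part of the region during normal work, then exits
 * without cleaning up after itself. */
static void writer_run(size_t words_used) {
    if (words_used > SCRATCH_WORDS) words_used = SCRATCH_WORDS;
    for (size_t i = 0; i < words_used; i++) scratch[i] = CANARY;
}

/* Hand-off between processes. HANDOFF_CLEAR wipes the whole region, not
 * only the part the previous process is known to have used. */
static void handoff(handoff_policy policy) {
    if (policy != HANDOFF_CLEAR) return;
    volatile unsigned int *p = scratch; /* volatile: keep the wipe */
    for (size_t i = 0; i < SCRATCH_WORDS; i++) p[i] = 0;
}

/* Second process: before writing anything, count words that still hold the
 * first process's marker. Non-zero means data crossed the boundary. */
static size_t listener_count_residual(void) {
    size_t hits = 0;
    for (size_t i = 0; i < SCRATCH_WORDS; i++)
        if (scratch[i] == CANARY) hits++;
    return hits;
}

/* One round: fresh region, writer, hand-off, listener. */
size_t leak_check(handoff_policy policy, size_t words_used) {
    memset(scratch, 0, sizeof scratch);
    writer_run(words_used);
    handoff(policy);
    return listener_count_residual();
}

int main(void) {
    printf("no clear: %zu residual words\n", leak_check(HANDOFF_NO_CLEAR, 100));
    printf("clear:    %zu residual words\n", leak_check(HANDOFF_CLEAR, 100));
    return 0;
}
```

A non-zero count from the second process is the signal that memory was handed over without being cleared.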

Roshan Ashraf Shaikh
Contributing Writer
