Compromising Spectre v2 HW Mitigations By Exploiting BPRC (ETH Zurich)
TL;DR
Researchers at ETH Zurich have published a paper on Branch Predictor Race Conditions (BPRC), a class of flaws that lets an attacker defeat the Spectre v2 hardware mitigations (eIBRS and IBPB) in recent Intel CPUs. The paper introduces Branch Privilege Injection (BPI), a new Spectre v2 primitive: because the branch predictor updates its state asynchronously with respect to privilege switches, a prediction trained from user mode can end up tagged with kernel privilege, so an unprivileged process can inject arbitrary branch predictions that the kernel will later consume. The authors use this to leak arbitrary kernel memory from up-to-date Linux systems across six generations of Intel CPUs; on Intel Raptor Cove cores the BPI exploit leaks kernel memory at 5.6 KiB/s. The findings were presented at the USENIX Security Symposium in August 2025.