{"@ID": "1423", "@Name": "Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Incomplete", "Description": "Shared microarchitectural predictor state may allow code to influence\n\t\t\t\ttransient execution across a hardware boundary, potentially exposing\n\t\t\t\tdata that is accessible beyond the boundary over a covert channel.", "Extended_Description": {"xhtml:p": ["Many commodity processors have Instruction Set Architecture (ISA)\n\t\t\t\tfeatures that protect software components from one another. These\n\t\t\t\tfeatures can include memory segmentation, virtual memory, privilege\n\t\t\t\trings, trusted execution environments, and virtual machines, among\n\t\t\t\tothers. For example, virtual memory provides each process with its own\n\t\t\t\taddress space, which prevents processes from accessing each other's\n\t\t\t\tprivate data. Many of these features can be used to form\n\t\t\t\thardware-enforced security boundaries between software components.", "When separate software components (for example, two processes) share\n\t\t\t\tmicroarchitectural predictor state across a hardware boundary, code in\n\t\t\t\tone component may be able to influence microarchitectural predictor\n\t\t\t\tbehavior in another component. If the predictor can cause transient\n\t\t\t\texecution, the shared predictor state may allow an attacker to\n\t\t\t\tinfluence transient execution in a victim, and in a manner that could\n\t\t\t\tallow the attacker to infer private data from the victim by monitoring\n\t\t\t\tobservable discrepancies (CWE-203) in a covert channel [REF-1400].", "Predictor state may be shared when the processor transitions from one\n\t\t\t\tcomponent to another (for example, when a process makes a system call\n\t\t\t\tto enter the kernel). Many commodity processors have features which\n\t\t\t\tprevent microarchitectural predictions that occur before a boundary\n\t\t\t\tfrom influencing predictions that occur after the boundary.", "Predictor state may also be shared between hardware threads, for\n\t\t\t\texample, sibling hardware threads on a processor that supports\n\t\t\t\tsimultaneous multithreading (SMT). This sharing may be benign if the\n\t\t\t\thardware threads are simultaneously executing in the same software\n\t\t\t\tcomponent, or it could expose a weakness if one sibling is a malicious\n\t\t\t\tsoftware component, and the other sibling is a victim software\n\t\t\t\tcomponent. Processors that share microarchitectural predictors between\n\t\t\t\thardware threads may have features which prevent microarchitectural\n\t\t\t\tpredictions that occur on one hardware thread from influencing\n\t\t\t\tpredictions that occur on another hardware thread.", "Features that restrict predictor state sharing across transitions or\n\t\t\t\tbetween hardware threads may be always-on, on by default, or may\n\t\t\t\trequire opt-in from software."]}, "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "1420", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "1420", "@View_ID": "1194", "@Ordinal": "Primary"}]}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Primary"}}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}, "Operating_System": {"@Class": "Not OS-Specific", "@Prevalence": "Undetermined"}, "Architecture": {"@Class": "Not Architecture-Specific", "@Prevalence": "Undetermined"}, "Technology": [{"@Name": "Microcontroller Hardware", "@Prevalence": "Undetermined"}, {"@Name": "Processor Hardware", "@Prevalence": "Undetermined"}, {"@Name": "Memory Hardware", "@Prevalence": "Undetermined"}, {"@Class": "System on Chip", "@Prevalence": "Undetermined"}]}, "Modes_Of_Introduction": {"Introduction": [{"Phase": "Architecture and Design", "Note": {"xhtml:p": "This weakness can be introduced during hardware architecture and\n\t\t\t\t\tdesign if predictor state is not properly isolated between modes (for\n\t\t\t\t\texample, user mode and kernel mode), if predictor state is not\n\t\t\t\t\tisolated between hardware threads, or if it is not isolated between\n\t\t\t\t\tother kinds of execution contexts supported by the processor."}}, {"Phase": "Implementation", "Note": {"xhtml:p": "This weakness can be introduced during system software\n\t\t\t\t\timplementation if predictor-state-sanitizing operations (for example,\n\t\t\t\t\tthe indirect branch prediction barrier on Intel x86) are not invoked\n\t\t\t\t\twhen switching from one context to another."}}, {"Phase": "System Configuration", "Note": {"xhtml:p": "This weakness can be introduced if the system has not been\n\t\t\t\t\tconfigured according to the hardware vendor's recommendations for\n\t\t\t\t\tmitigating the weakness."}}]}, "Common_Consequences": {"Consequence": {"Scope": "Confidentiality", "Impact": "Read Memory", "Likelihood": "Medium"}}, "Detection_Methods": {"Detection_Method": [{"Method": "Manual Analysis", "Description": {"xhtml:p": "This weakness can be detected in hardware by manually\n\t\t\t\t\tinspecting processor specifications. Features that exhibit this\n\t\t\t\t\tweakness may have microarchitectural predictor state that is shared\n\t\t\t\t\tbetween hardware threads, execution contexts (for example, user and\n\t\t\t\t\tkernel), or other components that may host mutually distrusting\n\t\t\t\t\tsoftware (or firmware, etc.)."}, "Effectiveness": "Moderate", "Effectiveness_Notes": "Manual analysis may not reveal all weaknesses in a processor specification and should be combined with other detection methods to improve coverage."}, {"Method": "Automated Analysis", "Description": {"xhtml:p": ["Software vendors can release tools that detect presence of\n\t\t\t\t\tknown weaknesses on a processor. For example, some of these tools can\n\t\t\t\t\tattempt to transiently execute a vulnerable code sequence and detect\n\t\t\t\t\twhether code successfully leaks data in a manner consistent with the\n\t\t\t\t\tweakness under test. Alternatively, some hardware vendors provide\n\t\t\t\t\tenumeration for the presence of a weakness (or lack of a\n\t\t\t\t\tweakness). These enumeration bits can be checked and reported by\n\t\t\t\t\tsystem software. For example, Linux supports these checks for many\n\t\t\t\t\tcommodity processors:", "$ cat /proc/cpuinfo | grep bugs | head -n 1", "bugs            : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs taa itlb_multihit srbds mmio_stale_data retbleed"]}, "Effectiveness": "High", "Effectiveness_Notes": "This method can be useful for detecting whether a processor if affected by known weaknesses, but it may not be useful for detecting unknown weaknesses"}, {"Method": "Automated Analysis", "Description": {"xhtml:p": "This weakness can be detected in hardware by employing static\n\t\t\t\t\tor dynamic taint analysis methods [REF-1401]. These methods can label\n\t\t\t\t\teach predictor entry (or prediction history, etc.) according to the\n\t\t\t\t\tprocessor context that created it. Taint analysis or information flow\n\t\t\t\t\tanalysis can then be applied to detect when predictor state created in\n\t\t\t\t\tone context can influence predictions made in another context."}, "Effectiveness": "Moderate", "Effectiveness_Notes": "Automated static or dynamic taint analysis may not reveal all weaknesses in a processor specification and should be combined with other detection methods to improve coverage."}]}, "Potential_Mitigations": {"Mitigation": [{"Phase": "Architecture and Design", "Description": {"xhtml:p": "The hardware designer can attempt to prevent transient\n\t\t\t\t\texecution from causing observable discrepancies in specific covert\n\t\t\t\t\tchannels."}}, {"Phase": "Architecture and Design", "Description": {"xhtml:p": "Hardware designers may choose to use microarchitectural\n\t\t\t\t\tbits to tag predictor entries. For example, each predictor entry may\n\t\t\t\t\tbe tagged with a kernel-mode bit which, when set, indicates that the\n\t\t\t\t\tpredictor entry was created in kernel mode. The processor can use this\n\t\t\t\t\tbit to enforce that predictions in the current mode must have been\n\t\t\t\t\ttrained in the current mode. This can prevent malicious cross-mode\n\t\t\t\t\ttraining, such as when user-mode software attempts to create predictor\n\t\t\t\t\tentries that influence transient execution in the kernel. Predictor\n\t\t\t\t\tentry tags can also be used to associate each predictor entry with the\n\t\t\t\t\tSMT thread that created it, and thus the processor can enforce that\n\t\t\t\t\teach predictor entry can only be used by the SMT thread that created\n\t\t\t\t\tit. This can prevent an SMT thread from using predictor entries\n\t\t\t\t\tcrafted by a malicious sibling SMT thread."}, "Effectiveness": "Moderate", "Effectiveness_Notes": {"xhtml:p": "Tagging can be highly effective for predictor\n\t\t\t\t\tstate that is comprised of discrete elements, such as an array of\n\t\t\t\t\trecently visited branch targets. Predictor state can also have\n\t\t\t\t\tdifferent representations that are not conducive to tagging. For\n\t\t\t\t\texample, some processors keep a compressed digest of branch history\n\t\t\t\t\twhich does not contain discrete elements that can be individually\n\t\t\t\t\ttagged."}}, {"Phase": "Architecture and Design", "Description": {"xhtml:p": "Hardware designers may choose to sanitize\n\t\t\t\t\tmicroarchitectural predictor state (for example, branch prediction\n\t\t\t\t\thistory) when the processor transitions to a different context, for\n\t\t\t\t\texample, whenever a system call is invoked. Alternatively, the\n\t\t\t\t\thardware may expose instruction(s) that allow software to sanitize\n\t\t\t\t\tpredictor state according to the user's threat model. For example,\n\t\t\t\t\tthis can allow operating system software to sanitize predictor state\n\t\t\t\t\twhen performing a context switch from one process to another."}, "Effectiveness": "Moderate", "Effectiveness_Notes": {"xhtml:p": "This technique may not be able to mitigate\n\t\t\t\t\tweaknesses that arise from predictor state that is shared across SMT\n\t\t\t\t\tthreads. Sanitizing predictor state on context switches may also\n\t\t\t\t\tnegatively impact performance, either by removing predictor entries\n\t\t\t\t\tthat could be reused when returning to the previous context, or by\n\t\t\t\t\tslowing down the context switch itself."}}, {"Phase": "Implementation", "Description": {"xhtml:p": "System software can mitigate this weakness by invoking\n\t\t\t\t\tpredictor-state-sanitizing operations (for example, the indirect\n\t\t\t\t\tbranch prediction barrier on Intel x86) when switching from one\n\t\t\t\t\tcontext to another, according to the hardware vendor's\n\t\t\t\t\trecommendations."}, "Effectiveness": "Moderate", "Effectiveness_Notes": {"xhtml:p": "This technique may not be able to mitigate\n\t\t\t\t\tweaknesses that arise from predictor state shared across SMT\n\t\t\t\t\tthreads. Sanitizing predictor state may also negatively impact\n\t\t\t\t\tperformance in some circumstances."}}, {"Phase": "Build and Compilation", "Description": {"xhtml:p": "If the weakness is exposed by a single instruction (or a\n\t\t\t\t\tsmall set of instructions), then the compiler (or JIT, etc.) can be\n\t\t\t\t\tconfigured to prevent the affected instruction(s) from being\n\t\t\t\t\tgenerated. One prominent example of this mitigation is retpoline\n\t\t\t\t\t([REF-1414])."}, "Effectiveness": "Limited", "Effectiveness_Notes": {"xhtml:p": "This technique is only effective for software\n\t\t\t\t\tthat is compiled with this mitigation. Additionally, an alternate\n\t\t\t\t\tinstruction sequence may mitigate the weakness on some processors but\n\t\t\t\t\tnot others, even when the processors share the same ISA. For example,\n\t\t\t\t\tretpoline has been documented as effective on some x86 processors, but\n\t\t\t\t\tnot fully effective on other x86 processors."}}, {"Phase": "Build and Compilation", "Description": {"xhtml:p": "Use control-flow integrity (CFI) techniques to constrain\n\t\t\t\t\tthe behavior of instructions that redirect the instruction pointer,\n\t\t\t\t\tsuch as indirect branch instructions."}, "Effectiveness": "Moderate", "Effectiveness_Notes": {"xhtml:p": "Some CFI techniques may not be able to constrain\n\t\t\t\t\ttransient execution, even though they are effective at constraining\n\t\t\t\t\tarchitectural execution. Or they may be able to provide some\n\t\t\t\t\tadditional protection against a transient execution weakness, but\n\t\t\t\t\twithout comprehensively mitigating the weakness. For example,\n\t\t\t\t\tClang-CFI provides strong architectural CFI properties and can make\n\t\t\t\t\tsome transient execution weaknesses more difficult to exploit [REF-1398]."}}, {"Phase": "Build and Compilation", "Description": {"xhtml:p": "Use software techniques (including the use of\n\t\t\t\t\tserialization instructions) that are intended to reduce the number of\n\t\t\t\t\tinstructions that can be executed transiently after a processor event\n\t\t\t\t\tor misprediction."}, "Effectiveness": "Incidental", "Effectiveness_Notes": {"xhtml:p": "Some transient execution weaknesses can be\n\t\t\t\t\texploited even if a single instruction is executed transiently after a\n\t\t\t\t\tprocessor event or mis-prediction. This mitigation strategy has many\n\t\t\t\t\tother pitfalls that prevent it from eliminating this weakness\n\t\t\t\t\tentirely. For example, see [REF-1389]."}}, {"Phase": "System Configuration", "Description": {"xhtml:p": "Some systems may allow the user to disable predictor\n\t\t\t\t\tsharing. For example, this could be a BIOS configuration, or a\n\t\t\t\t\tmodel-specific register (MSR) that can be configured by the operating\n\t\t\t\t\tsystem or virtual machine monitor."}, "Effectiveness": "Moderate", "Effectiveness_Notes": {"xhtml:p": "Disabling predictor sharing can negatively impact\n\t\t\t\t\tperformance for some workloads that benefit from shared predictor\n\t\t\t\t\tstate."}}, {"Phase": "Patching and Maintenance", "Description": {"xhtml:p": "The hardware vendor may provide a patch to, for example,\n\t\t\t\t\tsanitize predictor state when the processor transitions to a different\n\t\t\t\t\tcontext, or to prevent predictor entries from being shared across SMT\n\t\t\t\t\tthreads. A patch may also introduce new ISA that allows software to\n\t\t\t\t\ttoggle a mitigation."}, "Effectiveness": "Moderate", "Effectiveness_Notes": {"xhtml:p": "This mitigation may only be fully effective if\n\t\t\t\t\tthe patch prevents predictor sharing across all contexts that are\n\t\t\t\t\taffected by the weakness. Additionally, sanitizing predictor state\n\t\t\t\t\tand/or preventing shared predictor state can negatively impact\n\t\t\t\t\tperformance in some circumstances."}}, {"Phase": "Documentation", "Description": {"xhtml:p": "If a hardware feature can allow microarchitectural\n\t\t\t\t\tpredictor state to be shared between contexts, SMT threads, or other\n\t\t\t\t\tarchitecturally defined boundaries, the hardware designer may opt to\n\t\t\t\t\tdisclose this behavior in architecture documentation. This\n\t\t\t\t\tdocumentation can inform users about potential consequences and\n\t\t\t\t\teffective mitigations."}, "Effectiveness": "High"}, {"Phase": "Requirements", "Description": {"xhtml:p": "Processor designers, system software vendors, or other\n\t\t\t\t\tagents may choose to restrict the ability of unprivileged software to\n\t\t\t\t\taccess to high-resolution timers that are commonly used to monitor\n\t\t\t\t\tcovert channels."}}]}, "Demonstrative_Examples": {"Demonstrative_Example": [{"Intro_Text": {"xhtml:p": "Branch Target Injection (BTI) is a vulnerability that can allow an SMT\n\t\t\t\t\thardware thread to maliciously train the indirect branch predictor\n\t\t\t\t\tstate that is shared with its sibling hardware thread. A cross-thread\n\t\t\t\t\tBTI attack requires the attacker to find a vulnerable code sequence\n\t\t\t\t\twithin the victim software. For example, the authors of [REF-1415]\n\t\t\t\t\tidentified the following code sequence in the Windows library\n\t\t\t\t\tntdll.dll:"}, "Example_Code": {"@Nature": "Bad", "@Language": "x86 Assembly", "xhtml:br": [null, null], "xhtml:div": [{"@style": "margin-left:1em;", "xhtml:br": [null, null, null], "#text": "adc edi,dword ptr [ebx+edx+13BE13BDh]\n\t\t\t\t\t\tadc dl,byte ptr [edi]\n\t\t\t\t\t\t..."}, {"@style": "margin-left:1em;", "xhtml:br": null, "#text": "jmp dword ptr [rsi]   # at this point attacker knows edx, controls edi and ebx"}], "#text": "indirect_branch_site:"}, "Body_Text": {"xhtml:p": ["To successfully exploit this code sequence to disclose the victim's\n\t\t\t\t\tprivate data, the attacker must also be able to find an indirect\n\t\t\t\t\tbranch site within the victim, where the attacker controls the values\n\t\t\t\t\tin edi and ebx, and the attacker knows the value in edx as shown above\n\t\t\t\t\tat the indirect branch site.", "A proof-of-concept cross-thread BTI attack might proceed as follows:"], "xhtml:ol": {"xhtml:li": ["The attacker thread and victim thread must be co-scheduled on the same physical processor core.", "The attacker thread must train the shared branch predictor so that\n\t\t\t\t\twhen the victim thread reaches indirect_branch_site, the jmp\n\t\t\t\t\tinstruction will be predicted to target example_code_sequence instead\n\t\t\t\t\tof the correct architectural target. The training procedure may vary\n\t\t\t\t\tby processor, and the attacker may need to reverse-engineer the branch\n\t\t\t\t\tpredictor to identify a suitable training algorithm.", {"xhtml:ul": {"xhtml:li": "0x13BE13BD - edx, then the first adc will load 32 bits from\n\t\t\t\t\t\t\taddress m in the victim's address space and add *m (the data loaded from)\n\t\t\t\t\t\t\tto the attacker-controlled base address in edi. The second\n\t\t\t\t\t\t\tadc instruction accesses a location in memory whose address corresponds\n\t\t\t\t\t\t\tto *m`."}, "#text": "This step assumes that the attacker can control some values in the\n\t\t\t\t\tvictim program, specifically the values in edi and ebx at\n\t\t\t\t\tindirect_branch_site. When the victim reaches indirect_branch_site the\n\t\t\t\t\tprocessor will (mis)predict example_code_sequence as the target and\n\t\t\t\t\t(transiently) execute the adc instructions. If the attacker chooses\n\t\t\t\t\tebx so that `ebx = m"}, "The adversary uses a covert channel analysis technique such as\n\t\t\t\t\tFlush+Reload ([REF-1416]) to infer the value of the victim's private data\n\t\t\t\t\t*m."]}}}, {"Intro_Text": {"xhtml:p": "BTI can also allow software in one execution context to maliciously\n\t\t\t\t\ttrain branch predictor entries that can be used in another\n\t\t\t\t\tcontext. For example, on some processors user-mode software may be\n\t\t\t\t\table to train predictor entries that can also be used after\n\t\t\t\t\ttransitioning into kernel mode, such as after invoking a system\n\t\t\t\t\tcall. This vulnerability does not necessarily require SMT and may\n\t\t\t\t\tinstead be performed in synchronous steps, though it does require the\n\t\t\t\t\tattacker to find an exploitable code sequence in the victim's code,\n\t\t\t\t\tfor example, in the kernel."}}]}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-2017-5754", "Description": "(Branch Target Injection, BTI, Spectre v2). Shared\n\t\t\t\t\tmicroarchitectural indirect branch predictor state may allow code to\n\t\t\t\t\tinfluence transient execution across a process, VM, or privilege\n\t\t\t\t\tboundary, potentially exposing data that is accessible beyond the\n\t\t\t\t\tboundary.", "Link": "https://www.cve.org/CVERecord?id=CVE-2017-5754"}, {"Reference": "CVE-2022-0001", "Description": "(Branch History Injection, BHI, Spectre-BHB). Shared\n\t\t\t\t\tbranch history state may allow user-mode code to influence transient\n\t\t\t\t\texecution in the kernel, potentially exposing kernel data over a\n\t\t\t\t\tcovert channel.", "Link": "https://www.cve.org/CVERecord?id=CVE-2022-0001"}, {"Reference": "CVE-2021-33149", "Description": "(RSB underflow, Retbleed). Shared return stack buffer\n\t\t\t\t\tstate may allow code that executes before a prediction barrier to\n\t\t\t\t\tinfluence transient execution after the prediction barrier,\n\t\t\t\t\tpotentially exposing data that is accessible beyond the barrier over a\n\t\t\t\t\tcovert channel.", "Link": "https://www.cve.org/CVERecord?id=CVE-2021-33149"}]}, "References": {"Reference": [{"@External_Reference_ID": "REF-1414"}, {"@External_Reference_ID": "REF-1415"}, {"@External_Reference_ID": "REF-1416"}, {"@External_Reference_ID": "REF-1398"}, {"@External_Reference_ID": "REF-1389"}, {"@External_Reference_ID": "REF-1400"}, {"@External_Reference_ID": "REF-1401"}]}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities", "Comments": "Use only when the weakness allows code in one processor context to influence the predictions of code in another processor context via predictor state that is shared between the two contexts. For example, Branch Target Injection, an instance of CWE-1423, can be mitigated by tagging each indirect branch predictor entry according to the processor context in which the entry was created, thus preventing entries created in one context from being used in a different context. However, the mitigated indirect branch predictor can still expose different weaknesses where malicious predictor entries created in one context are used later in the same context (context tags cannot prevent this). One such example is Intra-mode Branch Target Injection. Weaknesses of this sort can map to CWE-1420.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}, "Suggestions": {"Suggestion": {"@CWE_ID": "1420", "@Comment": "If a weakness involves a microarchitectural predictor whose state is not shared across processor contexts, then CWE-1420 may be more appropriate for the mapping task."}}}, "Content_History": {"Submission": {"Submission_Name": "Scott D. Constable", "Submission_Organization": "Intel Corporation", "Submission_Date": "2023-09-19", "Submission_Version": "4.14", "Submission_ReleaseDate": "2024-02-29"}, "Modification": [{"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-09-09", "Modification_Version": "4.18", "Modification_ReleaseDate": "2025-09-09", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Weakness_Ordinalities"}], "Contribution": [{"@Type": "Content", "Contribution_Name": "David Kaplan", "Contribution_Organization": "AMD", "Contribution_Date": "2024-01-22", "Contribution_Version": "4.14", "Contribution_ReleaseDate": "2024-02-29", "Contribution_Comment": "Member of Microarchitectural Weaknesses Working Group"}, {"@Type": "Content", "Contribution_Name": "Rafael Dossantos, Abraham Fernandez Rubio, Alric Althoff, Lyndon Fawcett", "Contribution_Organization": "Arm", "Contribution_Date": "2024-01-22", "Contribution_Version": "4.14", "Contribution_ReleaseDate": "2024-02-29", "Contribution_Comment": "Members of Microarchitectural Weaknesses Working Group"}, {"@Type": "Content", "Contribution_Name": "Jason Oberg", "Contribution_Organization": "Cycuity", "Contribution_Date": "2024-01-22", "Contribution_Version": "4.14", "Contribution_ReleaseDate": "2024-02-29", "Contribution_Comment": "Member of Microarchitectural Weaknesses Working Group"}, {"@Type": "Content", "Contribution_Name": "Priya B. Iyer", "Contribution_Organization": "Intel Corporation", "Contribution_Date": "2024-01-22", "Contribution_Version": "4.14", "Contribution_ReleaseDate": "2024-02-29", "Contribution_Comment": "Member of Microarchitectural Weaknesses Working Group"}, {"@Type": "Content", "Contribution_Name": "Nicole Fern", "Contribution_Organization": "Riscure", "Contribution_Date": "2024-01-22", "Contribution_Version": "4.14", "Contribution_ReleaseDate": "2024-02-29", "Contribution_Comment": "Member of Microarchitectural Weaknesses Working Group"}]}}
