Skip to main content

Your submission was sent successfully! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates from Canonical and upcoming events where you can meet our team.Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

An error occurred while submitting your form. Please try again or file a bug report. Close

  1. Blog
  2. Article

Alex Murray
on 12 November 2019

Ubuntu updates to mitigate latest Intel hardware vulnerabilities

Intel Security

Today, Intel announced a group of new vulnerabilities affecting various Intel CPUs and associated GPUs, known as TSX Asynchronous Abort (CVE-2019-11135), Intel® Processor Machine Check Error (CVE-2018-12207), and two Intel i915 graphics hardware  vulnerabilities (CVE-2019-0155, CVE-2019-0154).

TSX Asynchronous Abort (TAA) is related to the previously announced MDS vulnerabilities but only affects Intel processors that support Intel® Transactional Synchronization Extensions (TSX). Due to the similarity between this issue and MDS, the mitigations for MDS are sufficient to also mitigate TAA. As such, processors which were previously affected by MDS and which have the MDS microarchitectural buffer clearing mitigations employed are not affected by TAA. For newer processors which were not affected by MDS, but which support Intel® TSX, TAA is mitigated in Ubuntu by a combination of an updated Linux kernel and Intel microcode packages which disable Intel® TSX. Where TSX is required, this can be re-enabled via a kernel command-line option (tsx=on) and in this case, the kernel will automatically employ microarchitectural buffer clearing mechanisms as used for MDS to mitigate TAA.

Intel® Processor Machine Check Error (MCEPSC, also called iTLB multihit) is a vulnerability specific to virtualisation, where a virtual machine can cause a denial of service (system hang) to the host processor when hugepages are employed. This is mitigated in Ubuntu with an updated Linux kernel.

The first of the two Intel i915 graphics processor vulnerabilities (CVE-2019-0155) allow an unprivileged user to elevate their privileges on the system and expose sensitive information from the kernel. The second vulnerability (CVE-2019-0154) allows an unprivileged user to cause a denial of service (system hang) by reading from particular memory regions when in certain low power states.  Mitigations for these two issues in Ubuntu are provided through a combination of firmware and kernel driver updates for these GPUs.

For further details, including the specific package versions which mitigate these vulnerabilities for each Ubuntu release, please consult this article within the Ubuntu Security Knowledge Base.

Related posts

Carlos Bravo
28 August 2025

Ubuntu Pro Minimal 22.04 LTS with CIS hardening is now generally available on AWS

Canonical announcements Article

August 28, 2025 – We are excited to announce the general availability of Ubuntu Pro Minimal 22.04 LTS with CIS hardening, a new variant of Ubuntu designed for organizations that require tight security controls, minimal attack surface, and out-of-the-box compliance. This new offering combines the efficiency of Minimal Ubuntu with the enter ...

Nicholas Morris
26 August 2025

Generating allow-lists with DNS monitoring on LXD

DevOps Article

Allow-listing web traffic – blocking all web traffic that has not been pre-approved – is a common practice in highly sensitive environments. It is also a challenge for developers and system administrators working in those environments. In this blog, we’ll cover an easy way to mitigate this challenge by using LXD to generate allow-lists.  ...

Jehudi
22 August 2025

A complete security view for every Ubuntu LTS VM on Azure

Compliance Article

Azure’s Update Manager now shows missing Ubuntu Pro updates for all Ubuntu Long-Term Support (LTS) releases: 18.04, 20.04, 22.04 and 24.04. The feature was first introduced for only 18.04 during its move to Expanded Security Maintenance. With this addition, Azure highlights where Ubuntu LTS instances would benefit from Expanded Security M ...