Skip to main content

Your submission was sent successfully! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates from Canonical and upcoming events where you can meet our team.Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

An error occurred while submitting your form. Please try again or file a bug report. Close

  1. Blog
  2. Article

Alex Murray
on 14 May 2019

Ubuntu updates to mitigate new Microarchitectural Data Sampling (MDS) vulnerabilities

14.04 16.04 18.04 ESM Extended Security Maintenance Intel mds Security Trusty Tahr

Microarchitectural Data Sampling (MDS) describes a group of vulnerabilities (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091) in various Intel microprocessors, which allow a malicious process to read various information from another process which is executing on the same CPU core. This occurs due to the use of various microarchitectural elements (buffers) within the CPU core. If one process is able to speculatively sample data from these buffers, it can infer their contents and read data belonging to another process since these buffers are not cleared when switching between processes. This includes switching between two different userspace processes, switching between kernel and userspace and switching between the host and a guest when using virtualisation.

In the case of a single process being scheduled to a single CPU thread, it is relatively simple to mitigate this vulnerability by clearing these buffers when scheduling a new process onto the CPU thread. To achieve this, Intel have released an updated microcode which combined with changes to the Linux kernel ensure these buffers are appropriately cleared.

Updated versions of the intel-microcode, qemu and linux kernel packages are being published as part of the standard Ubuntu security maintenance of Ubuntu releases 16.04 LTS, 18.04 LTS, 18.10, 19.04 and as part of the extended security maintenance for Ubuntu 14.04 ESM users. As these vulnerabilities affect such a large range of Intel processors (across laptop, desktop and server machines), a large percentage of Ubuntu users are expected to be impacted – users are encouraged to install these updated packages as soon as they become available.

The use of Symmetric Multi-Threading (SMT) – also known as Hyper-Threading – further complicates these issues since these buffers are shared between sibling Hyper-Threads. Therefore, the above changes are not sufficient to mitigate these vulnerabilities when SMT is enabled. As such, the use of SMT is not recommended when untrusted code or applications are being executed.

For further details, including the specific package versions that mitigate these vulnerablities and instructions for optionally disabling SMT, please consult this article within the Ubuntu Security Knowledge Base.

Related posts

Carlos Bravo
28 August 2025

Ubuntu Pro Minimal 22.04 LTS with CIS hardening is now generally available on AWS

Canonical announcements Article

August 28, 2025 – We are excited to announce the general availability of Ubuntu Pro Minimal 22.04 LTS with CIS hardening, a new variant of Ubuntu designed for organizations that require tight security controls, minimal attack surface, and out-of-the-box compliance. This new offering combines the efficiency of Minimal Ubuntu with the enter ...

Nicholas Morris
26 August 2025

Generating allow-lists with DNS monitoring on LXD

DevOps Article

Allow-listing web traffic – blocking all web traffic that has not been pre-approved – is a common practice in highly sensitive environments. It is also a challenge for developers and system administrators working in those environments. In this blog, we’ll cover an easy way to mitigate this challenge by using LXD to generate allow-lists.  ...

Jehudi
22 August 2025

A complete security view for every Ubuntu LTS VM on Azure

Compliance Article

Azure’s Update Manager now shows missing Ubuntu Pro updates for all Ubuntu Long-Term Support (LTS) releases: 18.04, 20.04, 22.04 and 24.04. The feature was first introduced for only 18.04 during its move to Expanded Security Maintenance. With this addition, Azure highlights where Ubuntu LTS instances would benefit from Expanded Security M ...