Microsoft Security Response Center

**According to the CVSS metric, user interaction is required (UI:R) and privileges required are none (PR:N). What does that mean for this vulnerability?** An unauthorized attacker must wait for a user to initiate a connection.

**What privileges could be gained by an attacker who successfully exploited this vulnerability?** An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

**According to the CVSS metric, user interaction is required (UI:R) and privileges required are none (PR:N). What does that mean for this vulnerability?** An unauthorized attacker must wait for a user to initiate a connection.

**According to the CVSS metric, the attack vector is physical (AV:P). What does that mean for this vulnerability?** An unauthenticated attacker needs to physically connect a specially crafted USB device to exploit this vulnerability.

**According to the CVSS metric, the attack vector is physical (AV:P). What does that mean for this vulnerability?** An unauthenticated attacker needs to physically connect a specially crafted USB device to exploit this vulnerability.

**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?** Successful exploitation of this vulnerability requires an attacker to gather information specific to the environment of the targeted component.

**What kind of security feature could be bypassed by successfully exploiting this vulnerability?** An attacker who successfully exploited this vulnerability could bypass Secure Boot.

**What kind of security feature could be bypassed by successfully exploiting this vulnerability?** An attacker who successfully exploited this vulnerability could bypass Secure Boot.

**What privileges could be gained by an attacker who successfully exploited the vulnerability?** An attacker who successfully exploited this vulnerability could gain specific limited administrator privileges.

**Why is this Intel CVE included in the Security Update Guide?** The vulnerability assigned to this CVE is in certain processor models offered by Intel and was initially disclosed March 8, 2022. Intel published updates April 9, 2024 and this CVE is being documented in the Security Update Guide to inform customers of the available mitigation and its potential performance impact. The mitigation for this vulnerability is **disabled by default** and manual action is required for customers to be protected. The following documentation was updated by Intel on April 9, 2024 and can be referenced for more information: * CVE-2022-0001 * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/branch-history-injection.html * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/branch-history-injection.html **What steps are required to protect my system against the ...