Five unhappy owners of Intel CPUs have just started a class action lawsuit against the company following the discovery that, allegedly, Intel knowingly sold processors affected by a dangerous vulnerability — and it has been doing this for years. The flaw in question is called Downfall, and while it doesn’t affect Intel’s best CPUs, it’s present in chips ranging from the 6th to the 11th generation of Intel processors.
Dating back to Skylake CPUs and still present in Rocket Lake chips, the Downfall vulnerability was first made public by security researcher Daniel Moghimi. The flaw targets the Gather instruction in Intel CPUs. Normally, this instruction allows the CPU to quickly access various data in its memory, but it also means that any vulnerability in Gather can give a threat actor a lot of access to the affected PC. Whether through malware or direct access, attackers could potentially steal a lot of sensitive data from affected chips.
Intel issued a patch to mitigate the bug, but it came at a huge cost. As reported by Tom’s Hardware, applying the patch slowed down AVX2 and AVX-512 workloads by up to 50%. This left users stuck in a lose-lose situation where they could either remain vulnerable to Downfall or patch the CPU and suffer the performance loss. The plaintiffs disagree with this approach from Intel and are now demanding a jury trial at the U.S. District Court in San Jose.
First reported on by The Register, the class action suit has five plaintiffs who each own one of the chips affected by Downfall. According to the suit, Intel was made aware of the vulnerability all the way back in 2018, when Intel was already dealing with other threats, namely Spectre and Meltdown. Third-party researchers prepared vulnerability reports about the then-unnamed Downfall at that time, finding a flaw within the AVX instruction set that resembled Spectre and Meltdown.
Alexander Yee, a hardware enthusiast, prepared a write-up about the flaw in 2018 and delayed publishing it until August 7, 2018, reportedly at Intel’s request. Due to this, the plaintiffs believe that Intel should have addressed Downfall in 2018 when it was first informed about the flaw instead of proceeding to sell the chips as-is.
“Despite promising a hardware redesign to mitigate speculative execution vulnerabilities during the exact time period researchers disclosed the vulnerabilities in Intel’s AVX instructions, Intel did nothing. It did not fix its then-current chips, and over three successive generations, Intel did not redesign its chips to ensure that AVX instructions would operate securely when the CPU speculatively executed them,” says the complaint.
The document also talks about the five affected plaintiffs, with one person in particular saying that she “would not have purchased her Intel CPUs at the price she paid had she known about the defect described in this Complaint.”
The complaint also outlines what the plaintiffs are after: “Intel’s affected CPUs — billions of them — are to this day defectively designed, and Intel has instituted no recall, implemented no repair program, and provided no plan to fix the underlying design defect. Plaintiffs seek damages and equitable relief.”
Intel has declined to comment on these allegations thus far. It’s hard to say where this can go, and with these CPUs being a few generations old by now, they’re hard to find in stores at this point. However, those who already own them still face a difficult choice: To update or not to update? Intel itself recommends updating, but if you often use your CPU to run AVX2 and AVX-512 workloads, you might experience severe drops in performance.