Linux · Linux Kernel · CVE-2025-21632
**Name of the Vulnerable Software and Affected Versions**
Linux kernel versions prior to 6.6.74
**Description**
The issue is related to the x86 shadow stack support in the Linux kernel. The shadow stack has its own set of registers, which are XSAVE-managed but not accessible from the existing ptrace ABI for XSAVE state. A new ptrace get/set interface was introduced for this purpose. However, the regset code used by ptrace did not properly check if the shadow stack was active before accessing its registers, leading to a potential warning and instability. The `ssp_get()` function can be called with shadow stacks disabled, triggering a warning. The estimated number of potentially affected devices is not provided.
Technical details about exploitation include:
- The `ssp_get()` function is vulnerable.
- The `XFEATURE_CET_USER` register is involved.
- The `get_xsave_addr()` function can return NULL and trigger a `WARN_ON()`.
- The `ssp_set()` function has an `ssp_active()` check to avoid surprising the kernel with shadow stack behavior.
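The difference between the unguarded read path and one that checks for an active shadow stack first can be seen in a small user-space model. This is an added example, not kernel source and not code from the original advisory: every name ending in `_model` is hypothetical, and the `-ENODEV` return value and the bit position used for the CET user state are assumptions of the model.

```c
/* Simplified user-space model of the missing check; NOT kernel source. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CET_USER_BIT (1u << 11)  /* assumed: XSAVE component bit for CET user state */

struct task_model {
    int      shstk_enabled;  /* stands in for the ssp_active() condition */
    uint32_t xfeatures;      /* feature mask: bit clear means init state */
    uint64_t user_ssp;       /* saved shadow stack pointer */
    int      warned;         /* set where the kernel would hit WARN_ON() */
};

/* Like get_xsave_addr(): NULL when the feature is in its init state. */
static uint64_t *xsave_addr_model(struct task_model *t)
{
    return (t->xfeatures & CET_USER_BIT) ? &t->user_ssp : NULL;
}

/* Before: no activity check, so a NULL lookup reaches the warning. */
int ssp_get_unchecked_model(struct task_model *t, uint64_t *out)
{
    uint64_t *ssp = xsave_addr_model(t);
    if (ssp == NULL) {
        t->warned = 1;       /* WARN_ON() fires here in the kernel */
        return -ENODEV;
    }
    *out = *ssp;
    return 0;
}

/* After: refuse early when shadow stack is inactive, as ssp_set() does. */
int ssp_get_checked_model(struct task_model *t, uint64_t *out)
{
    if (!t->shstk_enabled)
        return -ENODEV;      /* assumed error code */
    return ssp_get_unchecked_model(t, out);
}

int main(void)
{
    struct task_model t = {0};   /* constructed sample: shadow stack disabled */
    uint64_t v = 0;
    printf("unchecked: rc=%d warned=%d\n", ssp_get_unchecked_model(&t, &v), t.warned);
    t.warned = 0;
    printf("checked:   rc=%d warned=%d\n", ssp_get_checked_model(&t, &v), t.warned);
    return 0;
}
```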
**Recommendations**
To resolve the issue, update to Linux kernel version 6.6.74 or later. As a temporary workaround, consider restricting access to the `ssp_get()` function until a patch is available. Avoid using the `XFEATURE_CET_USER` register in the affected API endpoints until the issue is resolved.