PatchSiren

CVE-2023-28746 Openwall CVE debrief

CVE-2023-28746 describes an information exposure issue on some Intel Atom processors where transient execution can leave sensitive data in microarchitectural state. An authenticated local user may be able to leverage that behavior to disclose information. The published CVSS score is 6.5 (MEDIUM), with local access and low privileges required.

Vendor: Openwall
Product: Unknown
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-03-14
Original CVE updated: 2026-05-12
Advisory published: 2024-03-14
Advisory updated: 2026-05-12

Who should care

Organizations running workloads on affected Intel Atom processors should review exposure, especially systems where authenticated local users are expected or where tenant separation depends on hardware isolation. This is also relevant to OS, virtualization, and platform teams that manage Intel CPU microcode and downstream security advisories.

Technical summary

The CVE description attributes the flaw to information exposure through microarchitectural state after transient execution from some register files on some Intel Atom processors. The NVD vector is AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N, indicating a local, low-privilege, confidentiality-focused issue with scope change. The supplied weakness mapping is CWE-1342. The record is currently marked Vulnerability Status: Deferred in NVD metadata.

Defensive priority

Medium. This is not an internet-facing remote code execution issue, but it can matter in multi-user or multi-tenant environments where local confidentiality boundaries are important.

Recommended defensive actions

  • Identify Intel Atom-based systems in your fleet and verify whether they are in the affected processor set described by Intel’s advisory.
  • Apply vendor and OS updates referenced by Intel, Debian LTS, and Fedora package notices as they become available for your platform.
  • Ensure CPU microcode, firmware, and kernel updates are part of your normal patch process for Intel transient-execution mitigations.
  • Review whether local authenticated users are trusted on affected systems; tighten local access and tenant separation where practical.
  • Track downstream vendor advisories and confirm remediation status for your exact hardware and distribution combination.
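
An added example, not part of the original debrief or of any vendor tooling: a small Python triage helper for the fleet checks listed above. It assumes Linux hosts whose kernel publishes its status for this CVE (Register File Data Sampling) in the sysfs file named in the code; the file name and status strings come from Linux kernel documentation, and the host names and bucket labels are constructed for illustration.

```python
from pathlib import Path

# Linux sysfs report for this CVE; path and status strings are taken from
# kernel documentation (an assumption of this example, not from the page).
SYSFS_FILE = Path("/sys/devices/system/cpu/vulnerabilities/reg_file_data_sampling")

def read_status(path=SYSFS_FILE):
    """Return the kernel's status line, or None if the kernel does not report it."""
    try:
        return path.read_text().strip()
    except OSError:
        return None  # kernel predates this report, or the host is not Linux

def classify(status):
    """Map a kernel status line to a remediation bucket (labels are hypothetical)."""
    s = (status or "").strip()
    if not s:
        return "unknown-update-kernel"   # no report: kernel update needed first
    if s == "Not affected":
        return "not-affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable: No microcode"):
        return "needs-microcode"         # kernel is ready, CPU microcode is not
    if s.startswith("Vulnerable"):
        return "mitigation-disabled"     # affected CPU, mitigation switched off
    return "unknown-review"

def triage(fleet):
    """Return {bucket: [hosts]} for every host that still needs action."""
    todo = {}
    for host, status in sorted(fleet.items()):
        bucket = classify(status)
        if bucket not in ("not-affected", "mitigated"):
            todo.setdefault(bucket, []).append(host)
    return todo

# Constructed sample inventory: host -> contents of SYSFS_FILE (None = file absent).
SAMPLE_FLEET = {
    "edge-gw-01": "Mitigation: Clear Register File",
    "edge-gw-02": "Vulnerable: No microcode",
    "kiosk-07": "Vulnerable",
    "build-03": "Not affected",
    "nas-legacy": None,
}

if __name__ == "__main__":
    print("this host:", classify(read_status()))
    for bucket, hosts in triage(SAMPLE_FLEET).items():
        print(f"{bucket}: {', '.join(hosts)}")
```

A missing file only means the kernel cannot report on this issue, so those hosts are bucketed for a kernel update rather than treated as unaffected.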

Evidence notes

The core facts come from the CVE description and NVD metadata: affected systems are some Intel Atom processors, the issue is local information disclosure after transient execution, and the CVSS vector is AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N. References in the supplied corpus include Intel advisory INTEL-SA-00898, the oss-security post on 2024-03-12, and downstream Debian/Fedora notices in May and June 2024. The source item marks NVD vulnStatus as Deferred. Vendor metadata in the supplied source item is low-confidence and should be treated cautiously.

Official resources

CVE published on 2024-03-14, with a prior public reference in the supplied corpus dated 2024-03-12 and downstream Linux distribution notices following in May and June 2024. The NVD record was later modified on 2026-05-12.