CVE-2023-4969 Overview
CVE-2023-4969, commonly referred to as "LeftoverLocals," is a memory leak vulnerability affecting GPU architectures across multiple vendors. A GPU kernel can read sensitive data from another GPU kernel—including data from different users or applications—through an optimized GPU memory region called local memory. This vulnerability exists across OpenCL, Vulkan, and various GPU hardware implementations, affecting both consumer and professional graphics cards as well as integrated graphics in modern processors.
Critical Impact
An authenticated local attacker can exploit improper memory clearing in GPU local memory to extract sensitive data processed by other users or applications on shared GPU resources, potentially exposing cryptographic keys, machine learning model weights, or other confidential information.
Affected Products
- Khronos OpenCL (all versions)
- Khronos Vulkan (all versions)
- Imagination Technologies DDK (all versions)
- AMD Instinct MI Series (MI100, MI210, MI250, MI300A, MI300X)
- AMD Radeon RX 5000/6000/7000 Series
- AMD Radeon Pro Series (W5500X, W5700X, W6300M, W6400, W6500M, W7500, W7600, V520, V620)
- AMD Ryzen 3000/4000/5000/6000/7000 Series APUs with integrated graphics
- AMD Athlon 3000G
Discovery Timeline
- January 16, 2024 - CVE-2023-4969 published to NVD
- June 20, 2025 - Last updated in NVD database
Technical Details for CVE-2023-4969
Vulnerability Analysis
This vulnerability stems from improper memory management in GPU local memory—a high-performance memory region optimized for fast access by compute units within a GPU. When GPU kernels allocate and use local memory for computations, the underlying hardware and driver implementations fail to properly clear or isolate this memory between different kernel executions or between different users sharing the same GPU hardware.
The issue is particularly concerning in multi-tenant environments such as cloud computing platforms, where multiple users may share the same physical GPU. An attacker can craft a malicious GPU kernel that allocates local memory and reads its contents before using it, potentially recovering data left behind by a previous kernel execution from a different process or user.
The vulnerability affects applications utilizing GPU compute frameworks including OpenCL and Vulkan compute shaders. Modern workloads that process sensitive data on GPUs—such as machine learning inference, cryptographic operations, and scientific computing—are at particular risk of data exposure through this vulnerability.
Root Cause
The root cause of CVE-2023-4969 is a memory leak weakness (CWE-401) in GPU local memory handling. GPU architectures optimize for performance by not zeroing local memory allocations between kernel executions. While the OpenCL and Vulkan specifications technically define local memory contents as undefined upon allocation, this creates a practical security vulnerability when sensitive data persists in this memory region.
The specifications state that applications should not rely on initial memory contents, but they do not mandate that implementations prevent information disclosure. This specification gap, combined with the performance-driven design decision to skip memory clearing, creates the vulnerability condition.
Attack Vector
Exploitation requires local access to the system with the ability to execute GPU kernels. An attacker must:
- Have authenticated access to the system with permission to submit GPU workloads
- Allocate local memory in a GPU kernel without initializing it
- Read and exfiltrate the memory contents, which may contain residual data from previous kernel executions
- Repeat the process to capture data from victim workloads running on the same GPU
The attack is timing-dependent, as the attacker must execute their kernel after the victim's kernel has written sensitive data to local memory but before other operations overwrite that data. In practice, a persistent polling approach can reliably capture sensitive data over time.
The vulnerability mechanism involves crafting a GPU compute shader or OpenCL kernel that allocates local memory without initialization and then copies those contents to an output buffer for analysis. For detailed technical exploitation techniques, refer to the CERT Vulnerability Note VU#446598.
Detection Methods for CVE-2023-4969
Indicators of Compromise
- Unusual GPU kernel submissions from unexpected processes or users
- GPU compute workloads that allocate local memory, perform minimal computation, and immediately copy memory contents to host-accessible buffers
- Repeated rapid GPU kernel executions with patterns consistent with memory scanning behavior
- Anomalous data transfer patterns from GPU memory to host memory
Detection Strategies
- Monitor GPU command queue submissions for kernels with suspicious allocation and copy patterns
- Implement behavioral analysis for GPU workloads that exhibit memory scanning characteristics
- Track GPU resource utilization anomalies that may indicate exploitation attempts
- Deploy endpoint detection solutions capable of monitoring GPU driver interactions
Monitoring Recommendations
- Enable GPU driver logging where supported to capture kernel submission patterns
- Monitor shared GPU environments (cloud, virtualized) for unauthorized compute workloads
- Implement resource isolation monitoring to detect potential cross-tenant data access attempts
How to Mitigate CVE-2023-4969
Immediate Actions Required
- Update GPU drivers to the latest versions from AMD and other affected vendors
- In multi-tenant environments, evaluate GPU isolation options or consider disabling GPU sharing until patches are available
- Review applications processing sensitive data on GPUs and assess exposure risk
- Consider implementing application-level memory initialization for critical workloads
Patch Information
Remediation for CVE-2023-4969 requires updates at multiple levels:
- GPU Driver Updates: AMD and other vendors have released or are releasing driver updates that implement local memory clearing between kernel executions
- Firmware Updates: For AMD hardware, firmware updates are available for affected Instinct, Radeon, and Ryzen products
- API Specification Updates: The Khronos Group has updated guidance in the OpenCL 3.0 API Specification and Vulkan 1.3 Extensions Specification
Consult vendor security advisories for specific patch versions and update procedures.
Workarounds
- Initialize all local memory allocations to zero at the start of GPU kernels to prevent reading stale data
- Avoid processing highly sensitive data on shared GPU resources in multi-tenant environments
- Implement process isolation for GPU workloads handling sensitive information where possible
- Clear GPU local memory by executing zeroing kernels after sensitive operations complete
# Example: Check AMD GPU driver version on Linux
amdgpu-pro-info 2>/dev/null || clinfo | grep -i "driver version"
# Verify GPU firmware version
cat /sys/class/drm/card0/device/gpu_firmware_version 2>/dev/null
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
