Intel Faces Lawsuit Over Failure to Address Flawed Chip Instructions Leading to Downfall Vulnerability

ICARO Media Group
News
10/11/2023 20h41

In a recent development, Intel finds itself at the center of a lawsuit filed by a group of PC buyers who claim that the tech giant was aware of faulty chip instructions that ultimately led to the emergence of the Downfall vulnerability. The suit alleges that Intel had been informed about the susceptibility of its AVX instruction set to side-channel attacks as early as 2018 but failed to rectify the defect until the disclosure of the Downfall flaw this year.

The lawsuit, filed on behalf of five plaintiffs in a US federal court in San Jose, California, accuses Intel of selling billions of insecure chips during the period when it allegedly knew about the vulnerability. The affected computer buyers were left with no choice but to rely on a patch that reportedly slows down their systems by up to 50 percent.

The Downfall vulnerability involves a microarchitectural flaw concerning the AVX SIMD Gather instruction. Exploiting this flaw allows unauthorized parties to access data from memory during speculative execution, a technique CPU cores use to improve performance by anticipating the instructions an application will execute next. While speculative execution speeds up computation, it also risks data disclosure when the results of these speculative calculations become observable.

Downfall is part of a series of side-channel vulnerabilities that came to light after the 2018 revelation of the Spectre and Meltdown architecture flaws, initially reported by The Register.

The lawsuit claims that in the summer of 2018, during the handling of the Spectre and Meltdown vulnerabilities, Intel received two separate vulnerability reports from third-party researchers warning about the susceptibility of the Advanced Vector Extensions (AVX) instruction set to side-channel attacks. AVX allows Intel CPU cores to carry out operations on multiple pieces of data simultaneously, thereby improving performance.

The complaint further cites a social media post by hardware enthusiast Alexander Yee on June 16, 2018, discussing a Spectre-like data-leaking flaw related to AVX. It alleges that the proof-of-concept exploit code for this instruction set was delayed until August 7, 2018, at the request of Intel.

According to the plaintiffs, Intel was aware of at least one speculative-execution side-channel vulnerability in AVX while addressing the Spectre-Meltdown design flaws. They argue that Intel should have secured AVX in 2018, when it learned of Yee's findings, alongside resolving the Spectre-Meltdown issues. However, the company allegedly took no action, leading to the discovery of the Downfall flaw in 2023, five years later.

The complaint states, "Despite promising a hardware redesign to mitigate speculative execution vulnerabilities during the exact time period researchers disclosed the vulnerabilities in Intel's AVX instructions, Intel did nothing. It did not fix its then-current chips, and over three successive generations, Intel did not redesign its chips to ensure that AVX instructions would operate securely when the CPU speculatively executed them."

Intel Core processors from the 6th to the 11th generations are affected by the Downfall flaw (CVE-2022-40982), which was publicly disclosed on August 8 this year.

Intel has not yet released an official statement regarding the lawsuit. As the case moves forward, it remains to be seen how Intel will respond to the allegations and what repercussions this legal battle may have on the reputation and operations of the tech giant.

The views expressed in this article do not reflect the opinion of ICARO, or any of its affiliates.
