CVE-2024-22476 (CVSS 10): Intel’s Critical AI Flaw Leaves Systems Open to Attack
Intel recently released 41 security bulletins addressing more than 90 vulnerabilities across its product line. Most of the flaws are in software, and one of them affects an AI tool and is rated critical.
The most dangerous vulnerability Intel disclosed is in Neural Compressor. It carries a CVSS score of 10, the highest possible severity rating. The flaw, tracked as CVE-2024-22476, could allow an unauthenticated attacker to "enable escalation of privilege via remote access". According to the bulletin, all versions prior to the current release are affected, so an attacker could remotely gain elevated privileges on a vulnerable system. Neural Compressor is a tool for optimizing AI language models: it reduces the size of LLMs and speeds up their execution. It is not commonly installed on most PCs, however, and is used primarily by people doing AI work.
The remaining vulnerabilities range from moderate to high severity and span UEFI firmware for server products, Arc and Iris Xe graphics software, and assorted other Intel software. The high-severity issues carry risks of privilege escalation, denial of service, or information disclosure. Numerous moderate-severity vulnerabilities were also found in the Core Ultra "Meteor Lake" processors and in a wide array of Intel software, including processor diagnostic tools, graphics performance analyzers, and the Extreme Tuning Utility.
Intel has issued security updates for each vulnerability and advises users to upgrade to the latest versions to keep their devices secure. Compared with previous bulletin rounds, the number of vulnerabilities in this release is relatively high, reflecting a more serious situation.