Intel Faces Downfall Bug Lawsuit, Seeking $10K per Plaintiff

Published: 23/11/2024   Category: security




A class action suit claims Intel knowingly sold billions of faulty chips for years. The outcome could help define where poor vulnerability remediation becomes outright negligence.



A class-action complaint was filed against Intel this week over its handling of data-leaking bugs in its CPUs.

In a 112-page filing with the San Jose Division of the United States District Court's Northern District of California, five representative plaintiffs allege that the chip giant knew about faulty instructions which enabled such issues as the recent Downfall bug half a decade before it actually released any kind of fix.

Determining whether Intel's negligence constitutes a legal offense may be complicated, though, and it could have broad-reaching ramifications for the technology industry.
"Never having a flaw is an unrealistic demand," says John Gallagher, vice president of Viakoo Labs at Viakoo, "but if my data is stolen because a vendor did not apply a patch in a timely manner, I should be able to sue them because of negligence."
Downfall was the name given to CVE-2022-40982, a medium-severity information disclosure vulnerability (CVSS score 6.5) in Intel's sixth- to eleventh-generation CPUs. As a Google researcher revealed at last August's Black Hat, an attacker could take advantage of a vulnerable instruction the processors use for speculative execution in order to gain access to privileged information from other users in a shared computing environment.

"Though it exists in untold millions, even billions, of computers worldwide (Intel enjoys a majority of the global x86 CPU market), at an individual level this will not impact most people; it is a relatively complex exploit and is based on a user sharing a computer or cloud environment," Gallagher notes.
While the Google researcher first brought Downfall into the limelight in August, the new lawsuit points back far further than that.

In 2018, a hardware enthusiast published findings demonstrating a Downfall-style transient execution vulnerability in Intel CPUs. It was similar to other, more infamous chip bugs — Spectre and Meltdown — and yet another, similar case — NetSpectre — arose around the very same time.
"However, despite multiple (publicly-known) vulnerability disclosures made to Intel on the subject, Intel did not carefully analyze[sic] possible side-effects in the AVX ISA and engineering hardware solutions to fix them in 2018. Or in 2019, or 2020, or 2021, or 2022. Instead, Intel put profits first, selling defective CPUs for years after it clearly knew them to be defective," the complaint states.
In concurrence with the Black Hat revelation this year, Intel released a patch for Downfall. But that patch, the complaint points out, reduces processing speeds to such a degree that plaintiffs are left with "defective CPUs that are either egregiously vulnerable to attacks or must be slowed down beyond recognition to fix them."
The threshold at which poor vulnerability remediation becomes outright negligence is as yet not clearly defined by law.
"Next year will be 30 years since the Intel floating point error hit the headlines and caused Intel to do a recall of its chips (potentially to avoid being found legally liable). Since then the legal liability is not much clearer, as there will always be corner cases and minor flaws which would not rise to the level of legal liability," Gallagher reflects.
And whether or not Intel was in the wrong, a complex side-channel bug with limited consequences for most computer owners doesn't make for the clearest-cut case to reverse this trend. "If this were a widely exploited flaw that could have reasonably been prevented, it might give rise to legal liability, but without that it is just another example of how even with the most rigorous testing and product design, flaws will happen," he says.

If every side-channel attack exploiting a chip-level architectural flaw were brought as a legal case, he concludes, "the dockets would be overflowing."
Bathaee Dunne LLP, representing the prosecution, declined to comment for this story. Dark Reading also reached out to Intel, which has not yet responded as of this publication.
[11/13/2023 Editor's Note: The original headline was edited and this article updated to remove an incorrect dollar figure.]
