Skip to main content

Intel QuickAssist Technology CVE-2025-35998

HIGH
Missing Protection Mechanism for Alternate Hardware Interface (CWE-1299)
2026-02-10 secure@intel.com
7.0
CVSS 4.0 · Vendor: intel
Share

Severity by source

Vendor (intel) PRIMARY
7.0 HIGH
CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.7 MEDIUM

Local access with pre-existing Ring 0 privileges (PR:H), and the stated attack requirement plus 'special internal knowledge' justify AC:H; high confidentiality/integrity to kernel state, no availability impact, no scope change.

3.1 AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
4.0 AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Red Hat
7.9 HIGH
qualitative

Primary rating from Vendor (intel).

CVSS VectorVendor: intel

CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

8
Analysis Updated
Jun 30, 2026 - 05:52 vuln.today
v5 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 05:50 vuln.today
v4 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 05:49 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 05:48 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 30, 2026 - 03:23 vuln.today
cvss_changed
CVSS changed
Jun 30, 2026 - 03:23 NVD
7.9 (HIGH) 7.0 (HIGH)
Analysis Generated
Mar 12, 2026 - 22:02 vuln.today
CVE Published
Feb 10, 2026 - 17:16 nvd
HIGH 7.9

DescriptionCVE.org

Missing protection mechanism for alternate hardware interface in the Intel(R) Quick Assist Technology for some Intel(R) Platforms within Ring 0: Kernel may allow an escalation of privilege. System software adversary with a privileged user combined with a low complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present with special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.

AnalysisAI

Privilege escalation in Intel QuickAssist Technology (QAT) on certain Intel platforms allows a system-software adversary already holding privileged (Ring 0 / kernel-level) access to read and corrupt kernel state via an unprotected alternate hardware interface. The flaw stems from a missing protection mechanism on a secondary hardware control path, yielding high confidentiality and integrity impact but no availability loss. There is no public exploit identified at time of analysis, EPSS is negligible (0.01%), and it is not listed in CISA KEV.

Technical ContextAI

Intel QuickAssist Technology is a hardware accelerator integrated into select Intel server platforms (Xeon-class CPUs and chipsets) that offloads cryptographic and compression workloads from the CPU, exposed to the OS through kernel-mode drivers and device interfaces. The root cause is CWE-1299 (Missing Protection Mechanism for Alternate Hardware Interface): the device exposes a secondary/alternate hardware interface that lacks the access-control or protection enforcement applied to the primary interface, so a privileged kernel-level actor can reach state that should have been gated. Because the affected component operates within Ring 0, any weakness in the interface directly intersects the most trusted execution context, where confidentiality and integrity guarantees of kernel memory and device state are at stake.

Affected ProductsAI

The vulnerability affects Intel QuickAssist Technology (QAT) on 'some Intel Platforms' per Intel advisory INTEL-SA-01406 (https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01406.html); exact affected platform/firmware/driver version ranges are enumerated in that advisory and were not provided as discrete CPE entries in the input. Red Hat tracks Linux distribution exposure for CVE-2025-35998 (https://access.redhat.com/security/cve/CVE-2025-35998) with errata RHSA-2026:6888 (https://access.redhat.com/errata/RHSA-2026:6888), Bugzilla 2438523, and a machine-readable VEX record (https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-35998.json) covering the affected Linux QAT kernel driver packages.

RemediationAI

Apply the vendor fixes: update Intel QuickAssist Technology firmware/drivers to the patched releases identified in Intel advisory INTEL-SA-01406, and on Red Hat Enterprise Linux apply the kernel/driver update shipped in RHSA-2026:6888 (and equivalent updates from your distribution) - Patch available per vendor advisory; exact fixed version numbers are specified in those advisories and should be taken from them rather than assumed. If immediate patching is not possible, reduce exposure of the alternate hardware interface by restricting which workloads and tenants are granted kernel/privileged access to QAT-enabled hosts, disabling QAT acceleration where it is not required (side effect: loss of crypto/compression offload performance, falling back to software paths), and tightening host trust boundaries on systems where untrusted privileged software could run. Because exploitation already requires Ring 0 / privileged access, hardening the set of code permitted at that level is the most effective compensating control.

More in Intel

View all
CVE-2017-5689 CRITICAL POC
9.8 May 02

An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel Active Mana

CVE-2012-5958 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2012-5959 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5964 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5963 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5961 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5965 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5962 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5960 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2015-2291 HIGH POC
7.8 Aug 09

Local privilege escalation to SYSTEM in Intel Ethernet diagnostics driver (IQVW32.sys/IQVW64.sys versions before 1.3.1.0

CVE-2024-44308 HIGH
8.8 Nov 20

Arbitrary code execution in Apple Safari, iOS/iPadOS, macOS Sequoia, and visionOS occurs when processing maliciously cra

Vendor StatusVendor

Share

CVE-2025-35998 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy