A group of cybersecurity researchers have discovered a new security vulnerability affecting Intel processors, which they've craftily named "Plundervolt," a portmanteau of the words "plunder" and "undervolt." Chronicled under CVE-2019-11157, it was first reported to Intel in June 2019 under its security bug-bounty programme, so it could secretly develop a mitigation. With the 6-month NDA lapsing, the researchers released their findings to the public. Plundervolt is described by researchers as a way to compromise SGX (software guard extensions) protected memory by undervolting the processor when executing protected computations, to a level where SGX memory-encryption no longer protects data. The researchers have also published proof-of-concept code.

Plundervolt is different from "Rowhammer," in that it flips bits inside the processor, before they're written to the memory, so SGX doesn't protect them. Rowhammer doesn't work with SGX-protected memory. Plundervolt requires root privileges as software that let you tweak vCore require ring-0 access. You don't need direct physical access to the target machine, as tweaking software can also be remotely run. Intel put out security advisory SA-00298 and is working with motherboard vendors and OEMs to release BIOS updates that pack a new microcode with a mitigation against this vulnerability. The research paper can be read here.

Update: It seems that the vCore voltage can go up to 1.7v, which has resulted in at least one claim of a fried Ryzen CPU on Gigabyte's forums. Multiple users are reporting this issue, and apparently the problem isn't limited to Gigabyte's K7 motherboard: users on the Gaming K5 motherboard are also reporting similar issues with the latest BIOS for their respective motherboard.

A warning to users of Gigabyte's X370 K7 motherboard: the most recent F5 BIOS version, which was posted as a stable release on the company's BIOS support page, has been originating reports from users as having increased the dynamic voltage applied towards stratospheric values (from a "healthy CPU vCore baseline.) The problem appears to be related to the usage of Gigabyte's Dynamic vCore functionality, where users that were seeing vCore values of around 1.2v started seeing those dynamic values, as set by the motherboard, being set to a crispy 1.55v instead, at the same clocks as before the BIOS update. If you have such a motherboard, and have recently updated your BIOS to revision F5 or planned on doing so, please do yourself a favor and set vCore manually to your value of choice, compensating with LLC (Load Line Calibration) so that your CPU isn't shocked to death with additional vCore.