Inception: how a simple XOR can cause a Microarchitectural Stack Overflow

Over the past one and a half years, we have studied two phenomena that enable an unprivileged attacker to leak arbitrary information on all modern AMD CPUs:

  • Phantom speculation: We can trigger misprediction without any branch at the source of the misprediction.
  • Training in Transient Execution: We can manipulate future mispredictions through a previous misprediction that we trigger.

Putting the two together gives rise to a new type of attack called Inception: we can inject future mispredictions through a previous misprediction that we trigger — in the absence of branches. You can see a demo of Inception and find more information about the issues below:


Inception (CVE-2023-20569) is a novel transient execution attack that leaks arbitrary data on all AMD Zen CPUs in the presence of all previously deployed software- and hardware mitigations. As in the movie of the same name, Inception plants an “idea” in the CPU while it is in a sense “dreaming”, to make it take wrong actions based on supposedly self conceived experiences. Using this approach, Inception hijacks the transient control-flow of return instructions on all AMD Zen CPUs.

Training in Transient Execution (TTE)

Inception is an instance of a new class of transient execution attacks that do their Training in Transient Execution (TTE). Instead of attempting to leak data in a transient window, TTE attacks abuse the transient window to insert new predictions into the branch predictor instead. These newly inserted predictions trigger future transient windows which can be more powerful than the initial one. TTE attacks thus turn supposedly harmless transient windows into dangerous ones, by abusing the victim as a confused deputy that trains itself in a transient window.

Phantom speculation

Although TTE attacks are interesting, they are not necessarily trivial to pull off, due to the need for specific gadgets in the victim code. Instead of these hard-to-find gadgets, what if there was an easier way to achieve a transient window for training? This is where Phantom speculation comes in. Phantom (CVE-2022-23825) enables an attacker to create a transient window at arbitrary instructions. Suddenly, a seemingly harmless XOR instruction can behave like a call instruction, and allow the attacker to create a transient window.

Inception: A Combination of TTE and Phantom

During our research, we found that merely a prediction for a specific instruction already manipulates the branch predictor. This enables us to insert new predictions in the branch predictor using only predictions of branches, even if they do not match reality, i.e. using a non-existing Phantom control flow. With Phantom, we can thus enable TTE by turning the CPU into a confused deputy that trains itself while running the victim.  The result of this insight is Inception, an attack that leaks arbitrary data from an unprivileged process on all AMD Zen CPUs. Inception makes the CPU believe that a XOR instruction is a recursive call instruction which overflows the return stack buffer with an attacker-controlled target.


To fully mitigate Inception, the branch predictor state has to be fully flushed while switching between distrusting contexts. We found that on Zen 1(+) and Zen 2, this comes with a hefty overhead between 93.1% and 216.9%, depending on the specific microarchitecture. On Zen 3 and Zen 4, we did not find proper hardware support to flush the entire branch predictor state. AMD have released microcode to enable this feature.

Instead of flushing the entire branch predictor state, AMD proposed a different mitigation for the Linux kernel. By reducing all returns in the kernel to a single one, it becomes possible to ensure a safe (but still incorrect) branch predictor state each time this return is executed. Keeping previous mitigations in mind, this effectively means that AMD opted to have all indirect branches forcibly mispredict to a benign location, preventing Inception attacks.


A paper about Inception is going to be presented at USENIX Security 2023 and a paper about Phantom speculation is going to be presented at MICRO 2023. You can find the source code of Inception on our Github. We will publish the source code of Phantom at a later date.


  • Is my machine affected?

    If it embodies an AMD CPU, your machine is vulnerable to Inception and Phantom.

  • What is the difference between Inception and Phantom?

    Inception leverages Training in Transient Execution (TTE) to add malicious branch prediction targets to the branch predictor. Phantom allows for triggering transient windows from arbitrary instructions, facilitating TTE and enabling Inception attacks.

  • Does Inception affect CPUs other than AMD?

    No, but our analysis shows that Intel CPUs are vulnerable to certain TTE variants. While this certainly increases the known attack surface of transient execution attacks, it remains to be seen whether practical exploitation is possible on Intel CPUs.

  • Does Phantom affect CPUs other than AMD?

    Yes, our analysis shows that Phantom also affects CPUs from Intel. However, the eIBRS mitigation makes Phantom exploitation non-trivial on these CPUs.

  • Are only Linux systems affected?

    Although our proof-of-concept attacks require the system to be running Linux, Inception and Phantom fundamentally exploit vulnerabilities in the hardware. Therefore, any system with an affected CPU can potentially be the target of a Phantom or Inception attack, regardless of the running software.

  • What should I do?

    Install the latest operating system updates.