{
	"document":{
		"aggregate_severity":{
			"namespace":"https://nvd.nist.gov/vuln-metrics/cvss",
			"text":"Medium"
		},
		"category":"csaf_vex",
		"csaf_version":"2.0",
		"distribution":{
			"tlp":{
				"label":"WHITE",
				"url":"https:/www.first.org/tlp/"
			}
		},
		"lang":"en",
		"notes":[
			{
				"text":"microcode_ctl security update",
				"category":"general",
				"title":"Synopsis"
			},
			{
				"text":"An update for microcode_ctl is now available for openEuler-22.03-LTS-SP4",
				"category":"general",
				"title":"Summary"
			},
			{
				"text":"This is a tool to transform and deploy microcode update for x86 CPUs.\n\nSecurity Fix(es):\n\nExposure of sensitive information caused by shared microarchitectural predictor state that influences transient execution for some Intel(R) Processors within VMX non-root (guest) operation may allow an information disclosure. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable data exposure. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (none) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (high), integrity (none) and availability (none) impacts.(CVE-2025-35979)",
				"category":"general",
				"title":"Description"
			},
			{
				"text":"An update for microcode_ctl is now available for openEuler-22.03-LTS-SP4.\n\nopenEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.",
				"category":"general",
				"title":"Topic"
			},
			{
				"text":"Medium",
				"category":"general",
				"title":"Severity"
			},
			{
				"text":"microcode_ctl",
				"category":"general",
				"title":"Affected Component"
			}
		],
		"publisher":{
			"issuing_authority":"openEuler security committee",
			"name":"openEuler",
			"namespace":"https://www.openeuler.org",
			"contact_details":"openeuler-security@openeuler.org",
			"category":"vendor"
		},
		"references":[
			{
				"summary":"openEuler-SA-2026-2459",
				"category":"self",
				"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2459"
			},
			{
				"summary":"CVE-2025-35979",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-35979&packageName=microcode_ctl"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-35979"
			},
			{
				"summary":"openEuler-SA-2026-2459 vex file",
				"category":"self",
				"url":"https://repo.openeuler.org/security/data/csaf/advisories/2026/csaf-openeuler-sa-2026-2459.json"
			}
		],
		"title":"An update for microcode_ctl is now available for openEuler-22.03-LTS-SP4",
		"tracking":{
			"initial_release_date":"2026-05-22T21:22:15+08:00",
			"revision_history":[
				{
					"date":"2026-05-22T21:22:15+08:00",
					"summary":"Initial",
					"number":"1.0.0"
				}
			],
			"generator":{
				"date":"2026-05-22T21:22:15+08:00",
				"engine":{
					"name":"openEuler CSAF Tool V1.0"
				}
			},
			"current_release_date":"2026-05-22T21:22:15+08:00",
			"id":"openEuler-SA-2026-2459",
			"version":"1.0.0",
			"status":"final"
		}
	},
	"product_tree":{
		"branches":[
			{
				"name":"openEuler",
				"category":"vendor",
				"branches":[
					{
						"name":"openEuler",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4"
									},
									"product_id":"openEuler-22.03-LTS-SP4",
									"name":"openEuler-22.03-LTS-SP4"
								},
								"name":"openEuler-22.03-LTS-SP4",
								"category":"product_version"
							}
						],
						"category":"product_name"
					},
					{
						"name":"src",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4"
									},
									"product_id":"microcode_ctl-20260512-1.oe2203sp4.src.rpm",
									"name":"microcode_ctl-20260512-1.oe2203sp4.src.rpm"
								},
								"name":"microcode_ctl-20260512-1.oe2203sp4.src.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					},
					{
						"name":"x86_64",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4"
									},
									"product_id":"microcode_ctl-20260512-1.oe2203sp4.x86_64.rpm",
									"name":"microcode_ctl-20260512-1.oe2203sp4.x86_64.rpm"
								},
								"name":"microcode_ctl-20260512-1.oe2203sp4.x86_64.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					}
				]
			}
		],
		"relationships":[
			{
				"relates_to_product_reference":"openEuler-22.03-LTS-SP4",
				"product_reference":"microcode_ctl-20260512-1.oe2203sp4.src.rpm",
				"full_product_name":{
					"product_id":"openEuler-22.03-LTS-SP4:microcode_ctl-20260512-1.oe2203sp4.src",
					"name":"microcode_ctl-20260512-1.oe2203sp4.src as a component of openEuler-22.03-LTS-SP4"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-22.03-LTS-SP4",
				"product_reference":"microcode_ctl-20260512-1.oe2203sp4.x86_64.rpm",
				"full_product_name":{
					"product_id":"openEuler-22.03-LTS-SP4:microcode_ctl-20260512-1.oe2203sp4.x86_64",
					"name":"microcode_ctl-20260512-1.oe2203sp4.x86_64 as a component of openEuler-22.03-LTS-SP4"
				},
				"category":"default_component_of"
			}
		]
	},
	"vulnerabilities":[
		{
			"cve":"CVE-2025-35979",
			"notes":[
				{
					"text":"Exposure of sensitive information caused by shared microarchitectural predictor state that influences transient execution for some Intel(R) Processors within VMX non-root (guest) operation may allow an information disclosure. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable data exposure. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (none) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (high), integrity (none) and availability (none) impacts.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-22.03-LTS-SP4:microcode_ctl-20260512-1.oe2203sp4.src",
					"openEuler-22.03-LTS-SP4:microcode_ctl-20260512-1.oe2203sp4.x86_64"
				]
			},
			"remediations":[
				{
					"product_ids":{"$ref":"$.vulnerabilities[0].product_status.fixed"},
					"details":"microcode_ctl security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2459"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"MEDIUM",
						"baseScore":6.8,
						"vectorString":"CVSS:3.1/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
						"version":"3.1"
					},
					"products":{"$ref":"$.vulnerabilities[0].product_status.fixed"}
				}
			],
			"threats":[
				{
					"details":"Medium",
					"category":"impact"
				}
			],
			"title":"CVE-2025-35979"
		}
	]
}