Windows 11 encryption standard discovered to damage data, fix affects CPU performance
Microsoft recently identified a data integrity vulnerability affecting Windows 11 and Windows Server 2022 devices that support the newest Vector Advanced Encryption Standard (VAES) instructions. Processors that could be susceptible to data damage include Intel's Ice Lake, Tiger Lake, Ice Lake-SP and Sapphire Rapids-SP models, while AMD's affected models include the Ryzen 5000, Ryzen 5000X3D, EPYC Milan, EPYC Milan-X and EPYC Genoa, plus the upcoming Zen 4 processors. Intel's Alder Lake and the upcoming Raptor Lake are only partially affected: those platforms do not officially support VAES, but the feature can be enabled through custom BIOS firmware.
The issue is fixed in the May 24, 2022 preview release and the June 14, 2022 security release. However, these updates apparently slow down CPU performance by up to 2x in workloads such as BitLocker and Transport Layer Security (TLS) load balancers, and enterprise customers may also see reduced disk throughput. The performance regression should be resolved by installing the June 23, 2022 preview or the July 12, 2022 security release.
The data integrity vulnerability was introduced when new code paths that take advantage of VAES instructions were added to the Windows 11 (original release) and Windows Server 2022 versions of SymCrypt. SymCrypt is the core cryptographic library in Windows; it uses the AVX instructions found on the latest Intel and AMD processors, especially server-grade parts, to accelerate its primitives.
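The failure mode described above, a new accelerated code path that silently produces different output from the established scalar path, is best caught by differential testing: run the fast path and an independent reference over every buffer length around the vector width and compare byte-for-byte. The script below is an added illustration of that test design, not SymCrypt code and not Microsoft's test suite. Its "cipher" is a constructed toy keyed-XOR counter stream (not AES), `VECTOR_WIDTH` is an assumed 64-byte (four-block) vector step, and `buggy_vector_cipher` is a deliberately wrong stand-in whose partial-tail handling resets the keystream position. It also shows why a plain encrypt-then-decrypt self-test is not enough: a symmetric bug round-trips cleanly on the same machine and only surfaces as damaged data when the ciphertext meets a correct implementation.

```python
"""Differential length-sweep test for an accelerated cipher code path.

Constructed example: the cipher is a toy keyed-XOR counter stream, not AES,
and the 'vectorized' path is intentionally wrong. The harness is the point.
"""
import secrets
from typing import Callable, List

BLOCK = 16          # AES block size in bytes; drives the toy block counter
VECTOR_WIDTH = 64   # assumed bytes per vector iteration (four AES blocks)
KEY = bytes(range(16))  # constructed test key

Cipher = Callable[[bytes, bytes], bytes]


def keystream_byte(key: bytes, index: int) -> int:
    """Toy counter-mode keystream byte: key byte XOR block counter.
    Position dependent, so a wrong starting offset changes the output."""
    return key[index % len(key)] ^ ((index // BLOCK) & 0xFF)


def reference_cipher(key: bytes, data: bytes, start: int = 0) -> bytes:
    """Scalar reference path: one byte at a time from absolute offset `start`.
    Encryption and decryption are the same operation (XOR stream)."""
    return bytes(b ^ keystream_byte(key, start + i) for i, b in enumerate(data))


def buggy_vector_cipher(key: bytes, data: bytes) -> bytes:
    """Constructed fast path. Whole 64-byte vectors are handled correctly, but
    the partial tail restarts the keystream at offset 0 instead of `full`, so
    any buffer longer than one vector with a non-multiple-of-64 length is
    corrupted. Buffers up to one vector long, or exact multiples, look fine."""
    full = len(data) - len(data) % VECTOR_WIDTH
    head = reference_cipher(key, data[:full])
    tail = reference_cipher(key, data[full:])   # bug: should pass start=full
    return head + tail


def round_trip_failures(cipher: Cipher, key: bytes, max_len: int) -> List[int]:
    """Lengths where encrypt-then-decrypt through the same path does not
    restore the input. Necessary, but a symmetric bug passes this check."""
    bad = []
    for length in range(max_len + 1):
        data = secrets.token_bytes(length)        # constructed random plaintext
        if cipher(key, cipher(key, data)) != data:
            bad.append(length)
    return bad


def differential_failures(fast: Cipher, reference: Cipher,
                          key: bytes, max_len: int) -> List[int]:
    """Lengths where the fast path disagrees with the independent reference.
    Sweeping every length up to a few vector widths exercises every
    head/tail combination the vector path can see."""
    bad = []
    for length in range(max_len + 1):
        data = secrets.token_bytes(length)        # constructed random plaintext
        if fast(key, data) != reference(key, data):
            bad.append(length)
    return bad


if __name__ == "__main__":
    sweep = 4 * VECTOR_WIDTH + BLOCK
    print("round-trip failures:   ", round_trip_failures(buggy_vector_cipher, KEY, sweep))
    print("differential failures: ", differential_failures(buggy_vector_cipher, reference_cipher, KEY, sweep))
```

Run stand-alone, the round-trip sweep reports no failures while the differential sweep flags every length from 65 up that is not a multiple of 64; that gap between the two results is the argument for keeping a slow reference implementation alongside any SIMD fast path and testing them against each other across buffer sizes, not just on a handful of known-answer vectors.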