Intel: Google Helped Us Find Vulnerabilities In Xeon’s TDX Security Feature
In detailing vulnerabilities that Intel later remediated, Google’s security researchers say the most significant one they found in the Xeon confidential computing feature ‘would have allowed an untrusted operator to completely compromise the security guarantees of TDX.’
Intel said Tuesday that Google’s cloud security team helped the chipmaker identify five vulnerabilities in the most advanced confidential computing feature of its Xeon CPUs.
The work, which led to the remediation of those vulnerabilities, was part of a five-month joint security review between Intel and Google security researchers of the code for version 1.5 of the semiconductor giant’s Trust Domain Extensions feature.
With the review representing an ongoing collaboration between the two companies, Google’s security researchers said the “complexity of modern systems makes continuous assessment essential,” adding that “collaborative reviews allow industry leaders to proactively fix vulnerabilities while fostering transparency for everyone who relies on the technology.”
“This research illustrates why Intel is committed to never stop looking for security issues in our products,” Intel said in its own statement announcing Google’s research findings. “Customers can take confidence that it’s not just Intel working to strengthen our technology, but the ecosystem working together to enhance protection.”
Shortened as TDX, Trust Domain Extensions represents the most advanced confidential computing feature in Intel’s Xeon processors, and it’s used by Google Cloud, Microsoft Azure and Alibaba Cloud to offer additional protection for customer data.
The feature is designed to protect sensitive data and applications from unauthorized access by isolating virtual machines from the hypervisor and other software. It’s available in the fifth-generation Xeon and Xeon 6 product lines, while availability in the fourth generation is limited to custom models for cloud service providers.
In a blog post, Google’s security researchers said the most significant vulnerability they found related to the Live Migration feature of TDX 1.5. This “would have allowed an untrusted operator to completely compromise the security guarantees of TDX,” they wrote.
The vulnerability allowed the host of a TDX environment to access a hardware-isolated virtual machine—also known as a Trust Domain, or TD for short—when using Live Migration to move the instance to another physical machine by changing its attributes from “migratable” to “debug,” the researchers said.
“Once triggered the entire decrypted TD state is accessible from the host. At this point a malicious host could construct another TD with the decrypted state or perform live monitoring activities,” they wrote, adding that such actions could be completed after a TD “completed attestation” to indicate that it’s protected.
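The attack described above flips a TD from “migratable” to “debug” after attestation has already succeeded, so a relying party that checks attributes only once never sees the change. The following added example (not code from Google’s or Intel’s research) shows the policy check a relying party can run on the 8-byte ATTRIBUTES field of a TD report, and why it must be repeated after any migration; the bit positions are assumed from the Intel TDX Module specification and the sample field values are constructed.

```python
import struct
from dataclasses import dataclass

# Bit positions in the 64-bit TD ATTRIBUTES field. Assumed from the Intel TDX
# Module specification; confirm against the spec version your platform runs.
ATTR_DEBUG = 1 << 0            # TD is debuggable: host can read its state
ATTR_SEPT_VE_DISABLE = 1 << 28
ATTR_MIGRATABLE = 1 << 29      # TD may be live-migrated (TDX 1.5)


@dataclass(frozen=True)
class TdAttributes:
    raw: int

    @property
    def debug(self) -> bool:
        return bool(self.raw & ATTR_DEBUG)

    @property
    def migratable(self) -> bool:
        return bool(self.raw & ATTR_MIGRATABLE)


def parse_attributes(field: bytes) -> TdAttributes:
    """Decode the little-endian 8-byte ATTRIBUTES field of a TD report."""
    if len(field) != 8:
        raise ValueError(f"ATTRIBUTES must be 8 bytes, got {len(field)}")
    return TdAttributes(struct.unpack("<Q", field)[0])


def check_policy(attrs: TdAttributes, allow_migratable: bool = False) -> list[str]:
    """Return the list of policy violations; an empty list means accept."""
    problems = []
    if attrs.debug:
        problems.append("DEBUG set: TD memory and registers are host-readable")
    if attrs.migratable and not allow_migratable:
        problems.append("MIGRATABLE set but migration is not permitted by policy")
    return problems


# Constructed sample values: the same TD as attested before migration (only
# MIGRATABLE set) and as a hostile host could leave it afterwards (DEBUG set).
BEFORE_MIGRATION = struct.pack("<Q", ATTR_MIGRATABLE)
AFTER_TAMPERING = struct.pack("<Q", ATTR_DEBUG)

if __name__ == "__main__":
    for label, field in (("before", BEFORE_MIGRATION), ("after", AFTER_TAMPERING)):
        print(label, check_policy(parse_attributes(field), allow_migratable=True))
```

The check passes on the pre-migration report and fails on the post-tampering one, which is only useful if the relying party demands a fresh TD report after every migration rather than trusting the original attestation.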
This and four other vulnerabilities found by Google’s team were patched by Intel in the most recent version of the TDX Module code for Xeon processors, according to the chipmaker.
The security review also resulted in Google researchers finding 35 “less critical” weaknesses, bugs and improvement opportunities. Some of these smaller issues are expected to be addressed in future TDX Module code updates.
Among the recommendations from Google researchers is an architecture improvement they call Attestable Global Feature Disablement, which the team said “would limit attack surface growth by allowing a host to enable only used features and interfaces during TDX Module initialization.”
The Google security researchers said they identified the TDX security issues between the spring and fall of last year by performing a “thorough API review” of changes since TDX version 1.0. This work was augmented with the use of static analysis tools and the development of a “bespoke Python-based experimentation framework” called TDXplore to “explore complex flows and edge cases,” according to the team.
The researchers said they also “leveraged” Google’s Gemini 2.5 Pro AI reasoning model and NotebookLM AI research tool to “navigate technical specifications and aid with analysis.”