Intel Microcode Updates for Qubes OS
A recent microcode update, detailed in Qubes Security Bulletin (QSB) 109, has been released for users of Qubes OS. This bulletin outlines specific Intel microcode updates and the necessary steps for users to maintain system security.
- Release Date: August 14, 2025
- User Action: Users should continue to update their systems normally to receive security updates. No additional action is required in response to this bulletin.
On August 12, 2025, Intel published several security advisories along with microcode updates, including:
- INTEL-SA-01249
- INTEL-SA-01308
- INTEL-SA-01310
- INTEL-SA-01311
- INTEL-SA-01313
- INTEL-SA-01367
The Qubes Security Team assessed that vulnerabilities INTEL-SA-01249 and INTEL-SA-01308 are likely to affect Qubes OS, while the impact of INTEL-SA-01310 is uncertain, and the remaining advisories are unlikely to affect Qubes.
On systems affected by these vulnerabilities, a compromised qube may escalate privileges to that of dom0 (the administrative domain) or Xen (the hypervisor), which poses a significant security threat.
- INTEL-SA-01249: Impacts 12th Generation Intel Core and newer CPUs. Some fixes were included in earlier updates from May 12, 2025.
- INTEL-SA-01308 and INTEL-SA-01310: Affect certain Intel server CPU models.
Users of Qubes OS 4.2 and 4.3 in dom0 should install the following package to address these vulnerabilities:
- microcode_ctl version 2.1.20250812
These updates will transition from the security-testing repository to the stable repository within two weeks, pending community testing. Users can install these via the Qubes Update tool or command-line options. A restart of dom0 is required for updates to take effect.
Additionally, users employing Anti Evil Maid will need to reseal their secret passphrase to accommodate changes in PCR values resulting from the microcode updates.
For detailed information, users can refer to the original Intel Security Advisories. The bulletin also includes links for further reading on how to update and testing procedures.
- [Qubes OS Update Instructions](https://www.qubes-os.org/doc/how-to-update/)
- [Security Testing Documentation](https://www.qubes-os.org/doc/testing/)
- [Intel Microcode Release Notes](https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/blob/main/releasenote.md#microcode-20250812)
The Qubes Security Team is committed to ensuring the ongoing security of the operating system and its users.
Note: Marek Marczykowski-Górecki's PGP signature will be added to the bulletin upon his return from travel.
It is crucial for users to stay informed about microcode updates and security advisories, as these play a critical role in protecting against potential vulnerabilities. Regular system updates and awareness of security patches can greatly enhance the resilience of Qubes OS against exploits. The Qubes Security Team encourages users to participate in testing new updates and to report any anomalies they encounter, contributing to the community's collective security efforts.
Moreover, users should consider enabling additional security measures and familiarize themselves with Qubes OS's unique architecture, which inherently compartmentalizes tasks and processes, further safeguarding against threats. By staying proactive about updates and security practices, Qubes OS users can maintain a robust defense against ever-evolving cyber threats
A recent microcode update, detailed in Qubes Security Bulletin (QSB) 109, has been released for users of Qubes OS. This bulletin outlines specific Intel microcode updates and the necessary steps for users to maintain system security.
Overview of QSB-109
- Release Date: August 14, 2025
- User Action: Users should continue to update their systems normally to receive security updates. No additional action is required in response to this bulletin.
Summary of Security Advisories
On August 12, 2025, Intel published several security advisories along with microcode updates, including:
- INTEL-SA-01249
- INTEL-SA-01308
- INTEL-SA-01310
- INTEL-SA-01311
- INTEL-SA-01313
- INTEL-SA-01367
The Qubes Security Team assessed that vulnerabilities INTEL-SA-01249 and INTEL-SA-01308 are likely to affect Qubes OS, while the impact of INTEL-SA-01310 is uncertain, and the remaining advisories are unlikely to affect Qubes.
Potential Impact
On systems affected by these vulnerabilities, a compromised qube may escalate privileges to that of dom0 (the administrative domain) or Xen (the hypervisor), which poses a significant security threat.
Affected Systems
- INTEL-SA-01249: Impacts 12th Generation Intel Core and newer CPUs. Some fixes were included in earlier updates from May 12, 2025.
- INTEL-SA-01308 and INTEL-SA-01310: Affect certain Intel server CPU models.
Patching Instructions
Users of Qubes OS 4.2 and 4.3 in dom0 should install the following package to address these vulnerabilities:
- microcode_ctl version 2.1.20250812
These updates will transition from the security-testing repository to the stable repository within two weeks, pending community testing. Users can install these via the Qubes Update tool or command-line options. A restart of dom0 is required for updates to take effect.
Additionally, users employing Anti Evil Maid will need to reseal their secret passphrase to accommodate changes in PCR values resulting from the microcode updates.
Credits and References
For detailed information, users can refer to the original Intel Security Advisories. The bulletin also includes links for further reading on how to update and testing procedures.
- [Qubes OS Update Instructions](https://www.qubes-os.org/doc/how-to-update/)
- [Security Testing Documentation](https://www.qubes-os.org/doc/testing/)
- [Intel Microcode Release Notes](https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/blob/main/releasenote.md#microcode-20250812)
The Qubes Security Team is committed to ensuring the ongoing security of the operating system and its users.
Note: Marek Marczykowski-Górecki's PGP signature will be added to the bulletin upon his return from travel.
Extension of the Announcement
It is crucial for users to stay informed about microcode updates and security advisories, as these play a critical role in protecting against potential vulnerabilities. Regular system updates and awareness of security patches can greatly enhance the resilience of Qubes OS against exploits. The Qubes Security Team encourages users to participate in testing new updates and to report any anomalies they encounter, contributing to the community's collective security efforts.
Moreover, users should consider enabling additional security measures and familiarize themselves with Qubes OS's unique architecture, which inherently compartmentalizes tasks and processes, further safeguarding against threats. By staying proactive about updates and security practices, Qubes OS users can maintain a robust defense against ever-evolving cyber threats
Intel Microcode Updates for Qubes OS
A Microcode update has been released for Qubes OS:
QSB-109: Intel microcode updates
