Credit: Rafal Wojtczuk
It looks like Intel’s x64 SYSRET instruction operates differently enough from AMD’s x86_64 standard (some people call this “wrong”) that an OS written to the AMD standard running on Intel processors includes a bonus privilege escalation feature. Namely, you can get the kernel (or hypervisor) to handle a SYSRET with a user-specified RSP. What could possibly go wrong?
Wait, everyone else is vulnerable too? Bonus in your attackers’ favor.
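As an added illustration (not code from the original post or from Rafal Wojtczuk's research), here is a small C model of why the Intel behaviour matters and of the check kernels adopted in response: test whether the user return RIP is canonical before SYSRET, and take the IRET path when it is not, so that any resulting fault is handled while RSP still holds the kernel's own stack. The 48-bit virtual address width, the `outcome` struct and the sample RSP values are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumption: 4-level paging, 48-bit virtual addresses. A canonical address
 * has bits 63..47 all equal to bit 47 (sign extension of the 48-bit value). */
#define VA_BITS 48

static bool is_canonical(uint64_t addr)
{
    uint64_t top = addr >> (VA_BITS - 1);           /* bits 63..47 */
    return top == 0 || top == (UINT64_MAX >> (VA_BITS - 1));
}

/* Where a fault on the return-to-user path ends up being handled.
 * Constructed model for illustration, not a CPU emulator. */
struct outcome {
    bool faulted_at_cpl0;  /* #GP taken while still at CPL0 (kernel)? */
    uint64_t fault_rsp;    /* RSP the fault handler runs on (0 = no fault) */
};

/* Naive path: restore the user RSP, then SYSRET with RCX = user RIP.
 * AMD checks RCX after switching to CPL3, so the #GP is delivered from
 * user mode and the CPU switches to the kernel stack via the TSS. Intel
 * checks RCX before the privilege switch, so the #GP handler runs at CPL0
 * with the attacker-chosen RSP still live. */
static struct outcome naive_sysret(uint64_t user_rip, uint64_t user_rsp,
                                   uint64_t kernel_rsp, bool intel)
{
    struct outcome o = { false, 0 };
    if (!is_canonical(user_rip)) {
        o.faulted_at_cpl0 = intel;
        o.fault_rsp = intel ? user_rsp : kernel_rsp;
    }
    return o;
}

/* Hardened path: never hand a non-canonical RIP to SYSRET. IRET loads RIP
 * and RSP together, so if it faults on a bad RIP, RSP still holds the
 * kernel stack and the handler runs on a stack the kernel controls. */
static struct outcome hardened_return(uint64_t user_rip, uint64_t user_rsp,
                                      uint64_t kernel_rsp, bool intel)
{
    if (!is_canonical(user_rip)) {
        struct outcome o = { true, kernel_rsp };   /* #GP from IRET, safe stack */
        return o;
    }
    return naive_sysret(user_rip, user_rsp, kernel_rsp, intel);
}
```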