According to Google, a joint security review by Google and Intel of Trust Domain Extensions (TDX) uncovered five vulnerabilities and 35 bugs in Intel’s TDX 1.5 code, leading to a published advisory and an 85-page technical report. Intel has patched the issues, which are tracked under CVEs including CVE-2025-32007, CVE-2025-27940, CVE-2025-30513, CVE-2025-27572 and CVE-2025-32467.
In a blog post, Google highlighted CVE-2025-30513 as enabling a malicious host to fully compromise TDX’s security guarantees by converting a migratable TD to a debuggable TD during migration, exploiting a Time-of-Check to Time-of-Use vulnerability to import an altered state. The flaw could allow access to the entire decrypted TD state, enabling the construction of another TD or live monitoring, with the attack potentially occurring at any point in a TD’s lifecycle, even after attestation.
The Google–Intel collaboration spanned five months in 2025, using manual code reviews, custom tools and off-the-shelf AI to analyse TDX Module 1.5 code.
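The Time-of-Check to Time-of-Use class reported for CVE-2025-30513 can be modelled in a few lines. This is an added example, not Intel's or Google's code, and it does not reproduce the TDX module's actual logic. The attribute bits, `host_buf` and all function names are hypothetical, and the racing host write is simulated deterministically.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical attribute bits for this model; not the TDX module's real layout. */
#define ATTR_DEBUG      (1u << 0)
#define ATTR_MIGRATABLE (1u << 1)

/* Constructed stand-in for host-writable memory holding the state to import. */
struct host_buf { uint32_t attrs; uint32_t flip_to; int reads; };

/* One read of host memory; the host's racing write lands right after the first read. */
static uint32_t fetch_attrs(struct host_buf *b) {
    uint32_t v = b->attrs;
    if (b->reads++ == 0) b->attrs = b->flip_to;
    return v;
}

/* Import policy in this model: state must be migratable and must not be debuggable. */
static int attrs_ok(uint32_t a) {
    return (a & ATTR_MIGRATABLE) && !(a & ATTR_DEBUG);
}

/* Flawed pattern: validates one fetch, then commits a second, unvalidated fetch. */
int import_double_fetch(struct host_buf *b, uint32_t *td_attrs) {
    if (!attrs_ok(fetch_attrs(b))) return -1;   /* time of check */
    *td_attrs = fetch_attrs(b);                 /* time of use: value may differ */
    return 0;
}

/* Hardened pattern: snapshot once into private memory, validate and commit the snapshot. */
int import_snapshot(struct host_buf *b, uint32_t *td_attrs) {
    uint32_t snap = fetch_attrs(b);
    if (!attrs_ok(snap)) return -1;
    *td_attrs = snap;
    return 0;
}

int main(void) {
    struct host_buf a = { ATTR_MIGRATABLE, ATTR_DEBUG, 0 }, b = a;
    uint32_t v = 0, h = 0;
    import_double_fetch(&a, &v);
    import_snapshot(&b, &h);
    printf("double fetch committed DEBUG=%u, snapshot committed DEBUG=%u\n",
           (unsigned)(v & ATTR_DEBUG), (unsigned)(h & ATTR_DEBUG));
    return 0;
}
```

The reviewable invariant is that every value that passes a check is the same copy that gets committed, so host-writable memory is read exactly once per field.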