Peihong Lin (National University of Defense Technology), Pengfei Wang (National University of Defense Technology), Lei Zhou (National University of Defense Technology), Gen Zhang (National University of Defense Technology), Xu Zhou (National University of Defense Technology), Wei Xie (National University of Defense Technology), Zhiyuan Jiang (National University of Defense Technology), Kai Lu (National University of Defense Technology)

CPU vulnerabilities pose ongoing security challenges in modern CPU architectures. Among the CPU vulnerabilities, write port contention—caused by multiple functional modules simultaneously competing for a limited number of shared write ports—remains insufficiently studied. In this paper, we study write port contention side-channel vulnerabilities in CPUs and propose **PortRush**, a novel fuzzing framework designed to detect and validate such vulnerabilities at the register-transfer level (RTL). First, PortRush constructs a **Write Request Graph (WRG)** to statically identify potential write port contention instances by modeling write paths and priority relationships among functional modules that target shared storage elements. Second, within the WRG, PortRush implements a **Hierarchical Aggregation and Decoding** method to efficiently detect write port contention by monitoring relevant hardware signals across design hierarchies. Third, PortRush employs a **Contention-guided Hardware Fuzzing** approach to trigger write port contention and automatically combine contention-triggered instruction sequences with transient execution attack patterns, enabling validation of write port contention side-channel vulnerabilities. We evaluate PortRush on three RISC-V CPUs (BOOM, NutShell, and Rocket Core) and demonstrate its effectiveness in identifying and triggering write port contention. Furthermore, we validate that the discovered vulnerabilities can be exploited in realistic write port contention attack scenarios. Based on these vulnerabilities, we present two novel attack vectors: *Birgus-variant*, which exploits contention at the physical register file in the Reorder Buffer, and *MSHRush*, which leverages contention between the *Load/Store Unit (LSU)* and the *Miss Status Handling Register (MSHR)* at the L1 data cache to induce secret-dependent execution delays. We also propose mitigation strategies for CPU developers to prevent such vulnerabilities.
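The abstract describes two ideas that are easy to lose in prose: a Write Request Graph that statically flags storage elements with more writers than write ports, and a contention check that counts cycles in which requests exceed the available ports, so that a lower-priority writer's completion time depends on whether a higher-priority writer happens to be active. The following is an added illustrative model written for this page; it is not PortRush's code and does not model any real RTL. The module names (`rob_commit`, `alu_writeback`, `lsu_writeback`, `lsu`, `mshr`), the port counts and the priority ordering are constructed assumptions chosen only to show the mechanism, and the arbiter is a deliberately simple fixed-priority, oldest-first policy.

```python
from typing import Dict, List, Tuple

# Toy Write Request Graph (constructed for illustration): each shared storage
# element maps to the functional modules that write it and their static
# priority (0 = highest). Real designs would derive this from the RTL.
WRG: Dict[str, Dict[str, int]] = {
    "prf":      {"rob_commit": 0, "alu_writeback": 1, "lsu_writeback": 2},
    "l1d_fill": {"lsu": 0, "mshr": 1},
    "csr":      {"csr_unit": 0},
}

# Number of write ports per storage element (constructed assumption).
PORTS: Dict[str, int] = {"prf": 2, "l1d_fill": 1, "csr": 1}


def contention_candidates(wrg: Dict[str, Dict[str, int]],
                          ports: Dict[str, int]) -> List[str]:
    """Static step: a storage element can suffer write port contention only
    if more writers target it than it has write ports."""
    return sorted(e for e, writers in wrg.items()
                  if len(writers) > ports.get(e, 1))


def simulate_write_port(num_ports: int, priorities: Dict[str, int],
                        schedule: List[Tuple[int, str]]):
    """Cycle-level toy arbiter for one storage element.

    schedule: (issue_cycle, writer) pairs. Each cycle, up to num_ports
    pending requests are granted, highest priority first, oldest first on ties.
    Returns (latencies, contention_cycles): latencies maps (issue_cycle, writer)
    to cycles waited before grant; contention_cycles lists every cycle where
    pending requests exceeded the port count (the signal a detector monitors).
    """
    by_cycle: Dict[int, List[str]] = {}
    for cyc, writer in schedule:
        by_cycle.setdefault(cyc, []).append(writer)
    pending: List[Tuple[int, int, str]] = []   # (priority, issue_cycle, writer)
    latencies: Dict[Tuple[int, str], int] = {}
    contention_cycles: List[int] = []
    last_issue = max(c for c, _ in schedule)
    cycle = 0
    while cycle <= last_issue or pending:
        for writer in by_cycle.get(cycle, []):
            pending.append((priorities[writer], cycle, writer))
        if len(pending) > num_ports:
            contention_cycles.append(cycle)
        pending.sort()                      # priority, then age
        granted, pending = pending[:num_ports], pending[num_ports:]
        for _, issued, writer in granted:
            latencies[(issued, writer)] = cycle - issued
        cycle += 1
    return latencies, contention_cycles


def victim_latency(secret_bit: int, num_ports: int = 1) -> Tuple[int, int]:
    """Constructed scenario on the single-port 'l1d_fill' element: the MSHR
    issues a fill write at cycle 2; the higher-priority LSU writes in the same
    cycle only when secret_bit is 1. Returns (MSHR wait cycles, number of
    contention cycles) so a developer can see that the wait is secret-dependent
    and that the contention counter flags exactly those cases."""
    schedule = [(2, "mshr")]
    if secret_bit:
        schedule.append((2, "lsu"))
    latencies, contention = simulate_write_port(
        num_ports, WRG["l1d_fill"], schedule)
    return latencies[(2, "mshr")], len(contention)


if __name__ == "__main__":
    print("static candidates:", contention_candidates(WRG, PORTS))
    for bit in (0, 1):
        print(f"secret_bit={bit}: (wait, contention_cycles) =",
              victim_latency(bit))
    # With a second port the delay disappears, which is the mitigation angle.
    print("two ports, secret_bit=1:", victim_latency(1, num_ports=2))
```

The two numbers `victim_latency` returns are the whole point: when the wait differs between the two secret values, the element is a timing channel, and a cycle in which pending requests exceed the port count is the observable a monitor can raise as a contention event. Adding a port (or arbitrating so that the lower-priority writer's wait no longer depends on the higher-priority writer's activity) removes the difference, which is the kind of design-level mitigation the abstract points CPU developers toward.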
