[KB8911] Kernel crash or freeze with "Missing ENDBR" when running ESET applications on Linux

ESET Linux applications may be affected on systems where Intel Control-flow Enforcement Technology (CET) with Indirect Branch Tracking (IBT) is enabled in the Linux kernel. On certain Intel CPUs and Linux distributions (for example, Debian 13), this can result in a kernel BUG or panic, which appears to the user as a system crash or freeze.

Control-flow Enforcement Technology (CET) is a hardware-based security feature implemented on modern Intel CPUs to mitigate control-flow hijacking attacks. One of its components, Indirect Branch Tracking (IBT), enforces validation of indirect branches.

When Indirect Branch Tracking (IBT) is enabled:

• All valid targets of indirect branches must begin with a special instruction (ENDBR64 on x86-64 systems; ENDBR32 on x86 systems)
• These instructions act as landing pads for indirect calls and jumps
• If an indirect branch targets code that does not begin with an ENDBR instruction, the CPU raises a control-protection fault (#CP)

Linux kernels with Control-flow Enforcement Technology (CET) support enabled (for example, via CONFIG_X86_CET) enforce Indirect Branch Tracking (IBT) for both kernel code and loadable kernel modules. When ESET Linux applications are used in such environments, the kernel may encounter a control-protection fault during execution and terminate with a kernel BUG or panic.

This typically results in a system crash or freeze, with kernel log messages similar to:

Missing ENDBR: __x64_sys_close+0x9/0x80
kernel BUG at arch/x86/kernel/cet.c:102!

Support for Control-flow Enforcement Technology (CET) with Indirect Branch Tracking (IBT), including the required ENDBR instructions, is planned for future releases of ESET Linux applications.