Speculative execution side-channel vulnerabilities [Update 2]

Keep track of them and check for mitigations to be installed and enabled
Published on May 25, 2019 in Posts
Updated on: January 28, 2020
Read time: 2 min

Update (June 2, 2019): Added notes about libgo improvements landing in GCC 10 Git.

Update 2 (Jan 28, 2020): Added CVE-2019-1125, CVE-2019-11135, CVE-2019-12207, CVE-2020-0549, CVE-2020-0548 and updated spreadsheet.

It’s been over a year since speculative execution side-channel vulnerabilities are making the headlines. Understanding and knowledge of them are essential to protect against attacks that use them. This post tries to gather information about them. I will update it as new ones are discovered.

Get to know them

We can group them in the following sub-families:


CVE Name Known-as
CVE-2017-5753 bounds check bypass ‘Spectre Variant 1’
CVE-2017-5715 branch target injection ‘Spectre Variant 2’
CVE-2017-5754 rogue data cache load ‘Meltdown’ or ‘Variant 3’
CVE-2018-3640 rogue system register read ‘Variant 3a’
CVE-2018-3639 speculative store bypass ‘Variant 4’
CVE-2019-1125 SWAPGS SWAPGS (‘Spectre Variant 1’)


CVE Name Known-as
CVE-2018-3615 L1 Terminal Fault ‘Foreshadow (SGX)’
CVE-2018-3620 L1 Terminal Fault ‘Foreshadow-NG (OS)’
CVE-2018-3646 L1 Terminal Fault ‘Foreshadow-NG (VMM)’


CVE Name Known-as
CVE-2018-12126 microarchitectural store buffer
data sampling (MSBDS)
CVE-2018-12130 microarchitectural fill buffer
data sampling (MFBDS)
CVE-2018-12127 microarchitectural load port
data sampling (MLPDS)
CVE-2019-11091 microarchitectural data sampling
uncacheable memory (MDSUM)
CVE-2019-11135 TAA ‘ZombieLoad V2’
CVE-2018-12207 MCEPSC ‘No eXcuses’ or ‘iTLB Multihit’
CVE-2020-0549 L1D Eviction Sampling L1DES
CVE-2020-0548 Vector Register Sampling VRS

While Spectre variants affect almost all chips featuring out-of-order execution, Intel chips are vulnerable to all speculative execution side-channel attacks.

I’ve made a spreadsheet (and I’ll keep it updated) with more details and a links to deep dives by Intel:

I also advise you to check the following links:

Check for mitigations to be installed and enabled:

There are two ways to do so:

via this awesome script (Windows, Solaris and macOS are not supported):

$ curl -L https://meltdown.ovh -o spectre-meltdown-checker.sh
$ chmod +x spectre-meltdown-checker.sh
$ sudo ./spectre-meltdown-checker.sh

or, on Linux, you can do it in a less-fancy way but without the need to download and execute a script (your kernel may need to be updated to support these):

$ ls -1 /sys/devices/system/cpu/vulnerabilities/*

$ cat /sys/devices/system/cpu/vulnerabilities/*
Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled
Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled
Mitigation: PTI
Mitigation: __user pointer sanitization
Mitigation: Full generic retpoline, STIBP: disabled, RSB filling


Phoronix has written an interesting post with a comparison of 2nd and 3rd gen Intel CPU performances, with and without mitigations applied. Check it out.

On May 31 2019, GCC developers have pushed code for libgo runtime library aimed at improving context switch speed of golang code running on Linux machines with a x86_64 CPU. More details are available here.

For more comparisons about performance penalties, these articles have information worth checking out:


Speculative execution side-channel vulnerabilities make a relatively new topic in InfoSec and more are likely to be found down the road. I will update this post and the linked Google Spreadsheet as new vulnerabilities are discovered.

Thanks for reading.


Got some words you want to share? Tell me!