Home

Awesome

Spectre & Meltdown Checker

A shell script to assess your system's resilience against the several transient execution CVEs that were published since early 2018, and give you guidance as to how to mitigate them.

CVENameAliases
CVE-2017-5753Bounds Check BypassSpectre Variant 1
CVE-2017-5715Branch Target InjectionSpectre Variant 2
CVE-2017-5754Rogue Data Cache LoadMeltdown, Variant 3
CVE-2018-3640Rogue System Register ReadVariant 3a
CVE-2018-3639Speculative Store BypassVariant 4
CVE-2018-3615L1 Terminal FaultL1TF, Foreshadow (SGX)
CVE-2018-3620L1 Terminal FaultL1TF, Foreshadow-NG (OS)
CVE-2018-3646L1 Terminal FaultL1TF, Foreshadow-NG (VMM)
CVE-2018-12126Microarchitectural Store Buffer Data SamplingMSBDS, Fallout
CVE-2018-12130Microarchitectural Fill Buffer Data SamplingMFBDS, ZombieLoad
CVE-2018-12127Microarchitectural Load Port Data SamplingMLPDS, RIDL
CVE-2019-11091Microarchitectural Data Sampling Uncacheable MemoryMDSUM, RIDL
CVE-2019-11135TSX asynchronous abortTAA, ZombieLoad V2
CVE-2018-12207Machine Check Exception on Page Size ChangesMCEPSC, No eXcuses, iTLB Multihit
CVE-2020-0543Special Register Buffer Data SamplingSRBDS
CVE-2022-40982Gather Data SamplingGDS, Downfall
CVE-2023-20569Return Address SecurityInception, RAS, SRSO
CVE-2023-20593Cross-Process Information LeakZenbleed
CVE-2023-23583Redundant Prefix issueReptar

Supported operating systems:

For Linux systems, the tool will detect mitigations, including backported non-vanilla patches, regardless of the advertised kernel version number and the distribution (such as Debian, Ubuntu, CentOS, RHEL, Fedora, openSUSE, Arch, ...), it also works if you've compiled your own kernel. More information here.

Other operating systems such as MacOS, Windows, ESXi, etc. will most likely never be supported.

Supported architectures:

Frequently Asked Questions (FAQ)

All these questions (and more) have detailed answers in the FAQ, please have a look!

Easy way to run the script

curl -L https://meltdown.ovh -o spectre-meltdown-checker.sh
wget https://meltdown.ovh -O spectre-meltdown-checker.sh
vim spectre-meltdown-checker.sh
chmod +x spectre-meltdown-checker.sh
sudo ./spectre-meltdown-checker.sh

Run the script in a docker container

With docker-compose

docker compose build
docker compose run --rm spectre-meltdown-checker

Note that on older versions of docker, docker-compose is a separate command, so you might need to replace the two docker compose occurences above by docker-compose.

Without docker-compose

docker build -t spectre-meltdown-checker .
docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker

Example of script output

haswell

ryzen

batch

Quick summary of the CVEs

CVE-2017-5753 bounds check bypass (Spectre Variant 1)

CVE-2017-5715 branch target injection (Spectre Variant 2)

CVE-2017-5754 rogue data cache load (Meltdown)

CVE-2018-3640 rogue system register read (Variant 3a)

CVE-2018-3639 speculative store bypass (Variant 4)

CVE-2018-3615 l1 terminal fault (Foreshadow-NG SGX)

CVE-2018-3620 l1 terminal fault (Foreshadow-NG SMM)

CVE-2018-3646 l1 terminal fault (Foreshadow-NG VMM)

CVE-2018-12126 [MSBDS] Microarchitectural Store Buffer Data Sampling (Fallout)

CVE-2018-12130 [MFBDS] Microarchitectural Fill Buffer Data Sampling (ZombieLoad)

CVE-2018-12127 [MLPDS] Microarchitectural Load Port Data Sampling (RIDL)

CVE-2019-11091 [MDSUM] Microarchitectural Data Sampling Uncacheable Memory (RIDL)

CVE-2019-11135 TSX Asynchronous Abort (TAA, ZombieLoad V2)

CVE-2018-12207 machine check exception on page size changes (No eXcuses, iTLB Multihit)

CVE-2020-0543 Special Register Buffer Data Sampling (SRBDS)

CVE-2022-40982 Gather Data Sampling (GDS, Downfall)

CVE-2023-20569 Return Address Security (Inception)

CVE-2023-20593 Cross-Process Information Leak (Zenbleed)

CVE-2023-23583 Redundant Prefix issue (Reptar)