diff --git a/src/vulns/CVE-2018-12207.sh b/src/vulns/CVE-2018-12207.sh
index 8785c01..c8c4af4 100644
--- a/src/vulns/CVE-2018-12207.sh
+++ b/src/vulns/CVE-2018-12207.sh
@@ -64,17 +64,23 @@ check_CVE_2018_12207_linux() {
 pvulnstatus "$cve" OK "this system is not running a hypervisor"
 elif [ -z "$msg" ]; then
 # if msg is empty, sysfs check didn't fill it, rely on our own test
- if [ "$opt_live" = 1 ]; then
- # if we're in live mode and $msg is empty, sysfs file is not there so kernel is too old
- pvulnstatus "$cve" VULN "Your kernel doesn't support iTLB Multihit mitigation, update it"
- else
- if [ -n "$kernel_itlbmh" ]; then
- pvulnstatus "$cve" OK "Your kernel supports iTLB Multihit mitigation"
- else
+ if [ "$opt_sysfs_only" != 1 ]; then
+ if [ "$opt_live" = 1 ]; then
+ # if we're in live mode and $msg is empty, sysfs file is not there so kernel is too old
 pvulnstatus "$cve" VULN "Your kernel doesn't support iTLB Multihit mitigation, update it"
+ else
+ if [ -n "$kernel_itlbmh" ]; then
+ pvulnstatus "$cve" OK "Your kernel supports iTLB Multihit mitigation"
+ else
+ pvulnstatus "$cve" VULN "Your kernel doesn't support iTLB Multihit mitigation, update it"
+ fi
 fi
+ else
+ # --sysfs-only: sysfs was available (otherwise msg would be set), use its result
+ pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg"
 fi
 else
+ # msg was set explicitly: either sysfs-not-available error, or a sysfs override
 pvulnstatus "$cve" "$status" "$msg"
 fi
 }
diff --git a/src/vulns/CVE-2018-3620.sh b/src/vulns/CVE-2018-3620.sh
index 4361450..186a1d9 100644
--- a/src/vulns/CVE-2018-3620.sh
+++ b/src/vulns/CVE-2018-3620.sh
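Review bot: The new `--sysfs-only` branch passes `$status` and `$ret_sys_interface_check_fullmsg` straight to `pvulnstatus` with no check that either was actually populated, so a readable-but-blank or unparsable sysfs entry would print a verdict with an empty reason. The comment asserts that an empty `$msg` here implies sysfs was available, but the retained comment three lines above says the opposite for live mode ("sysfs file is not there"), and the code that sets `status`/`msg` lives before this hunk, so the guarantee cannot be confirmed from the diff. A local guard would make the branch self-contained: `[ -n "$ret_sys_interface_check_fullmsg" ] || ret_sys_interface_check_fullmsg="sysfs interface gave no details"` before the call, and `status` defaulted to `UNK` if it is empty. The enclosing `check_CVE_2018_12207_linux` starts outside the hunk.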
@@ -63,16 +63,22 @@ check_CVE_2018_3620_linux() {
 pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
 elif [ -z "$msg" ]; then
 # if msg is empty, sysfs check didn't fill it, rely on our own test
- if [ "$pteinv_supported" = 1 ]; then
- if [ "$pteinv_active" = 1 ] || [ "$opt_live" != 1 ]; then
- pvulnstatus "$cve" OK "PTE inversion mitigates the vulnerability"
+ if [ "$opt_sysfs_only" != 1 ]; then
+ if [ "$pteinv_supported" = 1 ]; then
+ if [ "$pteinv_active" = 1 ] || [ "$opt_live" != 1 ]; then
+ pvulnstatus "$cve" OK "PTE inversion mitigates the vulnerability"
+ else
+ pvulnstatus "$cve" VULN "Your kernel supports PTE inversion but it doesn't seem to be enabled"
+ fi
 else
- pvulnstatus "$cve" VULN "Your kernel supports PTE inversion but it doesn't seem to be enabled"
+ pvulnstatus "$cve" VULN "Your kernel doesn't support PTE inversion, update it"
 fi
 else
- pvulnstatus "$cve" VULN "Your kernel doesn't support PTE inversion, update it"
+ # --sysfs-only: sysfs was available (otherwise msg would be set), use its result
+ pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg"
 fi
 else
+ # msg was set explicitly: either sysfs-not-available error, or a sysfs override
 pvulnstatus "$cve" "$status" "$msg"
 fi
 }
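Review bot: Wrapping the whole heuristic block in `if [ "$opt_sysfs_only" != 1 ]` pushes the existing PTE-inversion logic one level deeper and leaves the short special case at the bottom, which is harder to read than putting the sysfs-only path first. Reordering to `if [ "$opt_sysfs_only" = 1 ]; then` / `pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg"` / `else` keeps the original three-line heuristic at its old depth and makes the new behaviour visible at a glance. The same block is duplicated verbatim in CVE-2018-12207.sh; if more checkers gain this branch it would be worth a shared helper in the common code. The enclosing `check_CVE_2018_3620_linux` starts outside the hunk.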