enh: CVE-2022-40982 (Downfall) overhaul

built from commit e7fa2f30cc
 dated 2026-04-02 19:55:25 +0200
 by Stéphane Lesimple (speed47_github@speed47.net)

 - added `--kernel-config` support for all three Kconfig variants seen over all kernel versions up to now
- added `--kernel-map` support for `gds_select_mitigation` in `System.map`
- fixed the `--sysfs-only` mode
- added verbose information about remediation when `--explain` is used
- implemented `--paranoid` mode, requiring `GDS_MITIGATION_LOCKED` so that the mitigation can't be disabled at runtime
- fixed offline mode (was wrongly looking at the system `dmesg`)
- better microcode status reporting (enabled, disabled, unsupported, unknown)
- fixed unknown (EOL) AVX-capable Intel family 6 CPUs now defaulting to affected
- fixed 2 missing known affected CPU models: INTEL_FAM6_SKYLAKE_L and INTEL_FAM6_SKYLAKE
- fixed case when we're running in a VM and the hypervisor doesn't let us read the MSR
This commit is contained in:
github-actions[bot]
2026-04-02 18:11:41 +00:00
parent 6f8112c700
commit 5c571bacc6


@@ -13,7 +13,7 @@
# #
# Stephane Lesimple # Stephane Lesimple
# #
VERSION='26.21.0402751' VERSION='26.21.0402757'
# --- Common paths and basedirs --- # --- Common paths and basedirs ---
readonly VULN_SYSFS_BASE="/sys/devices/system/cpu/vulnerabilities" readonly VULN_SYSFS_BASE="/sys/devices/system/cpu/vulnerabilities"
@@ -7565,6 +7565,13 @@ check_CVE_2022_40982_linux() {
# all messages start with either "Not affected", "Vulnerable", "Mitigation", # all messages start with either "Not affected", "Vulnerable", "Mitigation",
# or "Unknown" # or "Unknown"
status=$ret_sys_interface_check_status status=$ret_sys_interface_check_status
# Override: when the kernel says "Unknown: Dependent on hypervisor status", it
# gave up because it's running as a VM guest and can't read MCU_OPT_CTRL.
# We can often do better: the hypervisor may have exposed GDS_NO or GDS_CTRL
# to us via ARCH_CAPABILITIES, so let our own Phase 2 checks take over.
if echo "$ret_sys_interface_check_fullmsg" | grep -qi 'Dependent on hypervisor'; then
status=UNK
fi
fi fi
if [ "$opt_sysfs_only" != 1 ]; then if [ "$opt_sysfs_only" != 1 ]; then
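Review bot: The new override `if echo "$ret_sys_interface_check_fullmsg" | grep -qi 'Dependent on hypervisor'; then status=UNK` sits before the `opt_sysfs_only` gate on the next line, so it also fires in `--sysfs-only` mode, where the Phase 2 checks its comment relies on never run. If `ret_sys_interface_check_status` already maps the kernel's `Unknown:` prefix to UNK this is a no-op there, but that is not visible in the hunk; either say so in the comment or carry the same gate, `if [ "$opt_sysfs_only" != 1 ] && echo "$ret_sys_interface_check_fullmsg" | grep -qi 'Dependent on hypervisor'; then`. The same substring match is repeated in the later `pvulnstatus "$cve" UNK "Running in a VM, ..."` branch added by this commit; recording the result once here, e.g. `gds_hv_dependent=1`, and testing that variable below keeps the two matches from drifting. The enclosing `check_CVE_2022_40982_linux` function starts and ends outside this hunk.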
@@ -7666,6 +7673,13 @@ check_CVE_2022_40982_linux() {
pvulnstatus "$cve" VULN "Your microcode is up to date but mitigation is disabled" pvulnstatus "$cve" VULN "Your microcode is up to date but mitigation is disabled"
explain "The GDS mitigation has been explicitly disabled (gather_data_sampling=off or mitigations=off).\n " \ explain "The GDS mitigation has been explicitly disabled (gather_data_sampling=off or mitigations=off).\n " \
"Remove the kernel parameter to re-enable it." "Remove the kernel parameter to re-enable it."
elif [ "$sys_interface_available" = 1 ] &&
echo "$ret_sys_interface_check_fullmsg" | grep -qi 'Dependent on hypervisor'; then
# We're in a VM guest, the kernel gave up, and we couldn't read the
# GDS MSR bits either (cap_gds_ctrl != 1). We genuinely can't tell.
pvulnstatus "$cve" UNK "Running in a VM, mitigation depends on the hypervisor"
explain "This system is running as a virtual machine guest. GDS mitigation must be handled by\n " \
"the host hypervisor. Contact your VM/cloud provider to verify that GDS is mitigated on the host."
elif [ -z "$kernel_gds" ]; then elif [ -z "$kernel_gds" ]; then
pvulnstatus "$cve" VULN "Your microcode doesn't mitigate the vulnerability, and your kernel doesn't support mitigation" pvulnstatus "$cve" VULN "Your microcode doesn't mitigate the vulnerability, and your kernel doesn't support mitigation"
explain "Update both your CPU microcode (via BIOS/firmware update from your OEM) and your kernel\n " \ explain "Update both your CPU microcode (via BIOS/firmware update from your OEM) and your kernel\n " \