diff --git a/src/libs/350_cpu_detect2.sh b/src/libs/350_cpu_detect2.sh
index 77b6dca..9241702 100644
--- a/src/libs/350_cpu_detect2.sh
+++ b/src/libs/350_cpu_detect2.sh
@@ -147,8 +147,8 @@ parse_cpu_details() {
         fi
     fi
-    # if we got no cpu_ucode (e.g. we're in a vm), fall back to 0x0
-    : "${cpu_ucode:=0x0}"
+    # if we got no cpu_ucode (e.g. we're in a vm), leave it empty
+    # so that we can detect this case and avoid false positives
     # on non-x86 systems (e.g. ARM), these fields may not exist in cpuinfo, fall back to 0
     : "${cpu_family:=0}"
@@ -163,9 +163,11 @@ parse_cpu_details() {
         g_mockme=$(printf "%b\n%b" "$g_mockme" "SMC_MOCK_CPU_UCODE='$cpu_ucode'")
     fi
-    echo "$cpu_ucode" | grep -q ^0x && cpu_ucode=$((cpu_ucode))
-    g_ucode_found=$(printf "family 0x%x model 0x%x stepping 0x%x ucode 0x%x cpuid 0x%x pfid 0x%x" \
-        "$cpu_family" "$cpu_model" "$cpu_stepping" "$cpu_ucode" "$cpu_cpuid" "$cpu_platformid")
+    if [ -n "$cpu_ucode" ]; then
+        echo "$cpu_ucode" | grep -q ^0x && cpu_ucode=$((cpu_ucode))
+    fi
+    g_ucode_found=$(printf "family 0x%x model 0x%x stepping 0x%x ucode 0x%s cpuid 0x%x pfid 0x%x" \
+        "$cpu_family" "$cpu_model" "$cpu_stepping" "${cpu_ucode:-unknown}" "$cpu_cpuid" "$cpu_platformid")
     g_parse_cpu_details_done=1
 }
diff --git a/src/libs/360_cpu_smt.sh b/src/libs/360_cpu_smt.sh
index eb1ba5b..3a1f8eb 100644
--- a/src/libs/360_cpu_smt.sh
+++ b/src/libs/360_cpu_smt.sh
@@ -210,7 +210,7 @@ has_zenbleed_fixed_firmware() {
         model_high=$(echo "$tuple" | cut -d, -f2)
         fwver=$(echo "$tuple" | cut -d, -f3)
         if [ $((cpu_model)) -ge $((model_low)) ] && [ $((cpu_model)) -le $((model_high)) ]; then
-            if [ $((cpu_ucode)) -ge $((fwver)) ]; then
+            if [ -n "$cpu_ucode" ] && [ $((cpu_ucode)) -ge $((fwver)) ]; then
                 g_zenbleed_fw=0 # true
                 break
             else
diff --git a/src/libs/380_hw_microcode.sh b/src/libs/380_hw_microcode.sh
index 8e6f221..9245392 100644
--- a/src/libs/380_hw_microcode.sh
+++ b/src/libs/380_hw_microcode.sh
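Review bot: Readers of cpu_ucode that this commit does not touch will now see an empty string where they used to see 0x0, and a POSIX `[ "$cpu_ucode" -lt ... ]` on an empty string aborts with "integer expression expected" while `$((cpu_ucode))` silently yields 0, so the two failure modes differ; the removed default line is where that contract changes. It is worth checking the rest of the tree for remaining comparisons, and stating the rule in the new comment, e.g. `# cpu_ucode stays empty when unknown; every reader must test -z before any arithmetic or -lt/-ge comparison`. parse_cpu_details() starts and ends outside this hunk.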
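Review bot: The new g_ucode_found format string prints the microcode with `0x%s`, but the line just above it converts a 0x-prefixed value to a plain decimal integer via `$((cpu_ucode))`, so a known revision such as 0x2a is now reported as "ucode 0x42" instead of "ucode 0x2a", and the empty case reads "ucode 0xunknown". Formatting the number with `%x` only when it is present, and substituting the literal "unknown" otherwise, keeps the old output for known revisions. parse_cpu_details() starts before this hunk; its closing brace is the hunk's last line.
```shell
    if [ -n "$cpu_ucode" ]; then
        echo "$cpu_ucode" | grep -q ^0x && cpu_ucode=$((cpu_ucode))
        ucode_str=$(printf "0x%x" "$cpu_ucode")
    else
        ucode_str=unknown
    fi
    g_ucode_found=$(printf "family 0x%x model 0x%x stepping 0x%x ucode %s cpuid 0x%x pfid 0x%x" \
        "$cpu_family" "$cpu_model" "$cpu_stepping" "$ucode_str" "$cpu_cpuid" "$cpu_platformid")
    # … unchanged: g_parse_cpu_details_done=1 …
```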
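Review bot: An empty cpu_ucode now takes the `else` branch on the hunk's last line, the same path as firmware older than fwver; if that branch records g_zenbleed_fw as false (it lies outside the hunk), an undetectable microcode revision is reported as unfixed rather than unknown, which is the kind of false positive the 350_cpu_detect2.sh comment in this commit says it wants to avoid. Testing `[ -z "$cpu_ucode" ]` once before the tuple loop and returning without touching g_zenbleed_fw would let the caller tell the two cases apart. has_zenbleed_fixed_firmware() starts and ends outside this hunk.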
@@ -42,6 +42,10 @@ is_latest_known_ucode() {
         ret_is_latest_known_ucode_latest="couldn't get your cpuid"
         return 2
     fi
+    if [ -z "$cpu_ucode" ]; then
+        ret_is_latest_known_ucode_latest="couldn't get your microcode version"
+        return 2
+    fi
     ret_is_latest_known_ucode_latest="latest microcode version for your CPU model is unknown"
     if is_intel; then
         brand_prefix=I
diff --git a/src/vulns/CVE-2023-23583.sh b/src/vulns/CVE-2023-23583.sh
index f94ab74..af7a28c 100644
--- a/src/vulns/CVE-2023-23583.sh
+++ b/src/vulns/CVE-2023-23583.sh
@@ -24,7 +24,10 @@ check_CVE_2023_23583_linux() {
             pvulnstatus "$cve" VULN "your CPU is affected and no microcode update is available for your CPU stepping"
         else
             pr_info_nol "* Reptar is mitigated by microcode: "
-            if [ "$cpu_ucode" -lt "$g_reptar_fixed_ucode_version" ]; then
+            if [ -z "$cpu_ucode" ]; then
+                pstatus yellow UNKNOWN "couldn't get your microcode version"
+                pvulnstatus "$cve" UNK "couldn't detect microcode version to verify mitigation"
+            elif [ "$cpu_ucode" -lt "$g_reptar_fixed_ucode_version" ]; then
                 pstatus yellow NO "You have ucode $(printf "0x%x" "$cpu_ucode") and version $(printf "0x%x" "$g_reptar_fixed_ucode_version") minimum is required"
                 pvulnstatus "$cve" VULN "Your microcode is too old to mitigate the vulnerability"
             else
diff --git a/src/vulns/CVE-2024-45332.sh b/src/vulns/CVE-2024-45332.sh
index 762ca04..42b088c 100644
--- a/src/vulns/CVE-2024-45332.sh
+++ b/src/vulns/CVE-2024-45332.sh
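Review bot: The added guard and its message `couldn't get your microcode version` are repeated verbatim in the CVE-2023-23583.sh and CVE-2024-45332.sh hunks that follow, so three call sites now have to be kept in sync by hand; since 380_hw_microcode.sh already owns the cpuid guard shown just above, a small helper there that performs the `-z` test and prints the shared wording would give the per-CVE checks one place to call. The new early return reuses status 2, which the preceding cpuid check also returns, so if the function's header comment enumerates the reasons for status 2 it should now list the missing microcode version as well; that header is outside the hunk. is_latest_known_ucode() starts and ends outside this hunk.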
@@ -31,7 +31,10 @@ check_CVE_2024_45332_linux() {
                 "update is available for your specific CPU stepping."
             else
                 pr_info_nol "* BPI is mitigated by microcode: "
-            if [ "$cpu_ucode" -lt "$g_bpi_fixed_ucode_version" ]; then
+            if [ -z "$cpu_ucode" ]; then
+                pstatus yellow UNKNOWN "couldn't get your microcode version"
+                pvulnstatus "$cve" UNK "couldn't detect microcode version to verify mitigation"
+            elif [ "$cpu_ucode" -lt "$g_bpi_fixed_ucode_version" ]; then
                 pstatus yellow NO "You have ucode $(printf "0x%x" "$cpu_ucode") and version $(printf "0x%x" "$g_bpi_fixed_ucode_version") minimum is required"
                 pvulnstatus "$cve" VULN "Your microcode is too old to mitigate the vulnerability"
                 explain "CVE-2024-45332 (Branch Privilege Injection) is a race condition in the branch predictor\n" \