enh: CVE-2022-40982 (Downfall) overhaul

built from commit e7fa2f30cc
 dated 2026-04-02 19:55:25 +0200
 by Stéphane Lesimple (speed47_github@speed47.net)

 - added `--kernel-config` support for all three Kconfig variants seen over all kernel versions up to now
- added `--kernel-map` support for `gds_select_mitigation` in `System.map`
- fixed the `--sysfs-only` mode
- added verbose information about remediation when `--explain` is used
- implemented `--paranoid mode`, requiring `GDS_MITIGATION_LOCKED` so that mitigation can't be disabled at runtime
- fixed offline mode (was wrongly looking at the system `dmesg`)
- better microcode status reporting (enabled, disabled, unsupported, unknown)
- fixed unknown (EOL) AVX-capable Intel family 6 CPUs now defaulting to affected
- fixed 2 missing known affected CPU models: INTEL_FAM6_SKYLAKE_L and INTEL_FAM6_SKYLAKE
- fixed case when we're running in a VM and the hypervisor doesn't let us read the MSR

.github/workflows/autoupdate.yml

@@ -5,6 +5,9 @@ on:
   schedule:
     - cron: '42 9 * * *'
 
+permissions:
+  pull-requests: write
+
 jobs:
   autoupdate:
     runs-on: ubuntu-latest
@@ -25,7 +28,6 @@ jobs:
         if: steps.diff.outputs.nbdiff != '0'
         uses: peter-evans/create-pull-request@v7
         with:
-          token: ${{ secrets.SMC_PR_PAT }}
           branch: autoupdate-fwdb
           commit-message: "update: fwdb from ${{ steps.diff.outputs.change }}, ${{ steps.diff.outputs.nbdiff }} microcode changes"
           title: "[Auto] Update fwdb from ${{ steps.diff.outputs.change }}"

.github/workflows/build.yml

@@ -0,0 +1,111 @@
+name: build
+
+on:
+  push:
+    branches:
+      - test
+      - source
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v6
+      with:
+        persist-credentials: true
+    - name: install prerequisites
+      run: sudo apt-get update && sudo apt-get install -y shellcheck shfmt jq sqlite3 iucode-tool make
+    - name: build and check
+      run: |
+        make build fmt-check shellcheck
+        mv spectre-meltdown-checker.sh dist/
+    - name: check direct execution
+      run: |
+        expected=$(cat .github/workflows/expected_cve_count)
+        cd dist
+        nb=$(sudo ./spectre-meltdown-checker.sh --batch json | jq '.[]|.CVE' | wc -l)
+        if [ "$nb" -ne "$expected" ]; then
+          echo "Invalid number of CVEs reported: $nb instead of $expected"
+          exit 1
+        else
+          echo "OK $nb CVEs reported"
+        fi
+    - name: check docker compose run execution
+      run: |
+        expected=$(cat .github/workflows/expected_cve_count)
+        cd dist
+        docker compose build
+        nb=$(docker compose run --rm spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
+        if [ "$nb" -ne "$expected" ]; then
+          echo "Invalid number of CVEs reported: $nb instead of $expected"
+          exit 1
+        else
+          echo "OK $nb CVEs reported"
+        fi
+    - name: check docker run execution
+      run: |
+        expected=$(cat .github/workflows/expected_cve_count)
+        cd dist
+        docker build -t spectre-meltdown-checker .
+        nb=$(docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
+        if [ "$nb" -ne "$expected" ]; then
+          echo "Invalid number of CVEs reported: $nb instead of $expected"
+          exit 1
+        else
+          echo "OK $nb CVEs reported"
+        fi
+    - name: check fwdb update (separated)
+      run: |
+        cd dist
+        nbtmp1=$(find /tmp 2>/dev/null | wc -l)
+        ./spectre-meltdown-checker.sh --update-fwdb; ret=$?
+        if [ "$ret" != 0 ]; then
+          echo "Non-zero return value: $ret"
+          exit 1
+        fi
+        nbtmp2=$(find /tmp 2>/dev/null | wc -l)
+        if [ "$nbtmp1" != "$nbtmp2" ]; then
+          echo "Left temporary files!"
+          exit 1
+        fi
+        if ! [ -e ~/.mcedb ]; then
+          echo "No .mcedb file found after updating fwdb"
+          exit 1
+        fi
+    - name: check fwdb update (builtin)
+      run: |
+        cd dist
+        nbtmp1=$(find /tmp 2>/dev/null | wc -l)
+        ./spectre-meltdown-checker.sh --update-builtin-fwdb; ret=$?
+        if [ "$ret" != 0 ]; then
+          echo "Non-zero return value: $ret"
+          exit 1
+        fi
+        nbtmp2=$(find /tmp 2>/dev/null | wc -l)
+        if [ "$nbtmp1" != "$nbtmp2" ]; then
+          echo "Left temporary files!"
+          exit 1
+        fi
+    - name: create a pull request to ${{ github.ref_name }}-build
+      run: |
+        tmpdir=$(mktemp -d)
+        mv ./dist/* .github $tmpdir/
+        rm -rf ./dist
+        git fetch origin ${{ github.ref_name }}-build
+        git checkout -f ${{ github.ref_name }}-build
+        mv $tmpdir/* .
+        mkdir -p .github
+        rsync -vaP --delete $tmpdir/.github/ .github/
+        git add --all
+        echo =#=#= DIFF CACHED
+        git diff --cached
+        echo =#=#= STATUS
+        git status
+        echo =#=#= COMMIT
+        git config --global user.name "github-actions[bot]"
+        git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+        git log ${{ github.ref }} -1 --format=format:'%s%n%n built from commit %H%n dated %ai%n by %an (%ae)%n%n %b'
+        git log ${{ github.ref }} -1 --format=format:'%s%n%n built from commit %H%n dated %ai%n by %an (%ae)%n%n %b' | git commit -F -
+        git push

.github/workflows/check.yml

@@ -1,73 +0,0 @@
-name: CI
-
-on: [push, pull_request]
-
-jobs:
-  build:
-
-    runs-on: ubuntu-latest
-
-    steps:
-    - uses: actions/checkout@v1
-    - name: install prerequisites
-      run: sudo apt-get update && sudo apt-get install -y shellcheck jq sqlite3 iucode-tool
-    - name: shellcheck
-      run: shellcheck -s sh spectre-meltdown-checker.sh
-    - name: check indentation
-      run: |
-        if [ $(grep -cPv "^\t*\S|^$" spectre-meltdown-checker.sh) != 0 ]; then
-          echo "Badly indented lines found:"
-          grep -nPv "^\t*\S|^$" spectre-meltdown-checker.sh
-          exit 1
-        else
-          echo "Indentation seems correct."
-        fi
-    - name: check direct execution
-      run: |
-        expected=19
-        nb=$(sudo ./spectre-meltdown-checker.sh --batch json | jq '.[]|.CVE' | wc -l)
-        if [ "$nb" -ne "$expected" ]; then
-          echo "Invalid number of CVEs reported: $nb instead of $expected"
-          exit 1
-        else
-          echo "OK $nb CVEs reported"
-        fi
-    - name: check docker compose run execution
-      run: |
-        expected=19
-        docker compose build
-        nb=$(docker compose run --rm spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
-        if [ "$nb" -ne "$expected" ]; then
-          echo "Invalid number of CVEs reported: $nb instead of $expected"
-          exit 1
-        else
-          echo "OK $nb CVEs reported"
-        fi
-    - name: check docker run execution
-      run: |
-        expected=19
-        docker build -t spectre-meltdown-checker .
-        nb=$(docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
-        if [ "$nb" -ne "$expected" ]; then
-          echo "Invalid number of CVEs reported: $nb instead of $expected"
-          exit 1
-        else
-          echo "OK $nb CVEs reported"
-        fi
-    - name: check fwdb update
-      run: |
-        nbtmp1=$(find /tmp 2>/dev/null | wc -l)
-        ./spectre-meltdown-checker.sh --update-fwdb; ret=$?
-        if [ "$ret" != 0 ]; then
-          echo "Non-zero return value: $ret"
-          exit 1
-        fi
-        nbtmp2=$(find /tmp 2>/dev/null | wc -l)
-        if [ "$nbtmp1" != "$nbtmp2" ]; then
-          echo "Left temporary files!"
-          exit 1
-        fi
-        if ! [ -e ~/.mcedb ]; then
-          echo "No .mcedb file found after updating fwdb"
-          exit 1
-        fi

.github/workflows/expected_cve_count

@@ -0,0 +1 @@
+21

.github/workflows/stale.yml

@@ -0,0 +1,33 @@
+name: 'Manage stale issues and PRs'
+
+on:
+  schedule:
+    - cron: '37 7 * * *'
+  workflow_dispatch:
+    inputs:
+      action:
+        description: "dry-run"
+        required: true
+        default: "dryrun"
+        type: choice
+        options:
+          - dryrun
+          - apply
+
+permissions:
+  issues: write
+  pull-requests: write
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/stale@v10
+        with:
+          any-of-labels: 'needs-more-info,answered'
+          labels-to-remove-when-unstale: 'needs-more-info,answered'
+          days-before-stale: 30
+          days-before-close: 7
+          stale-issue-label: stale
+          remove-stale-when-updated: true
+          debug-only: ${{ case(inputs.action == 'apply', false, true) }}

spectre-meltdown-checker.sh

@@ -13,7 +13,7 @@
 #
 # Stephane Lesimple
 #
-VERSION='26.21.0402467'
+VERSION='26.21.0402757'
 
 # --- Common paths and basedirs ---
 readonly VULN_SYSFS_BASE="/sys/devices/system/cpu/vulnerabilities"
@@ -588,9 +588,12 @@ is_cpu_affected() {
             pr_debug "is_cpu_affected: downfall: not affected (GDS_NO)"
             _set_immune downfall
         elif [ "$cpu_family" = 6 ]; then
-            # list from https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=64094e7e3118aff4b0be8ff713c242303e139834
+            # model blacklist from the kernel (arch/x86/kernel/cpu/common.c cpu_vuln_blacklist):
+            # 8974eb588283 (initial list) + c9f4c45c8ec3 (added Skylake/Skylake_L client)
             set -u
-            if [ "$cpu_model" = "$INTEL_FAM6_SKYLAKE_X" ] ||
+            if [ "$cpu_model" = "$INTEL_FAM6_SKYLAKE_L" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_SKYLAKE" ] ||
+                [ "$cpu_model" = "$INTEL_FAM6_SKYLAKE_X" ] ||
                 [ "$cpu_model" = "$INTEL_FAM6_KABYLAKE_L" ] ||
                 [ "$cpu_model" = "$INTEL_FAM6_KABYLAKE" ] ||
                 [ "$cpu_model" = "$INTEL_FAM6_ICELAKE_L" ] ||
@@ -605,10 +608,12 @@ is_cpu_affected() {
                 _set_vuln downfall
             elif [ "$cap_avx2" = 0 ] && [ "$cap_avx512" = 0 ]; then
                 pr_debug "is_cpu_affected: downfall: no avx; immune"
+                _infer_immune downfall
             else
-                # old Intel CPU (not in their DB), not listed as being affected by the Linux kernel,
+                # Intel family 6 CPU with AVX2 or AVX512, not in the known-affected list
-                # but with AVX2 or AVX512: unclear for now
+                # and GDS_NO not set: assume affected (whitelist principle)
-                pr_debug "is_cpu_affected: downfall: unclear, defaulting to non-affected for now"
+                pr_debug "is_cpu_affected: downfall: unknown AVX-capable CPU, defaulting to affected"
+                _infer_vuln downfall
             fi
             set +u
         fi
@@ -7475,22 +7480,132 @@ check_CVE_2022_40982_linux() {
     if sys_interface_check "$VULN_SYSFS_BASE/gather_data_sampling"; then
         # this kernel has the /sys interface, trust it over everything
         sys_interface_available=1
+        #
+        # Kernel source inventory for gather_data_sampling (GDS/Downfall)
+        #
+        # --- sysfs messages ---
+        # all versions:
+        #   "Not affected"                                  (cpu_show_common, pre-existing)
+        #
+        # --- mainline ---
+        # 8974eb588283 (v6.5-rc6, initial GDS sysfs):
+        #   "Vulnerable"                                    (GDS_MITIGATION_OFF)
+        #   "Vulnerable: No microcode"                      (GDS_MITIGATION_UCODE_NEEDED)
+        #   "Mitigation: Microcode"                         (GDS_MITIGATION_FULL)
+        #   "Mitigation: Microcode (locked)"                (GDS_MITIGATION_FULL_LOCKED)
+        #   "Unknown: Dependent on hypervisor status"       (GDS_MITIGATION_HYPERVISOR)
+        # 553a5c03e90a (v6.5-rc6, added force option):
+        #   "Mitigation: AVX disabled, no microcode"        (GDS_MITIGATION_FORCE)
+        # 53cf5797f114 (v6.5-rc6, added CONFIG_GDS_FORCE_MITIGATION):
+        #   no string changes; default becomes FORCE when Kconfig enabled
+        # 81ac7e5d7417 (v6.5-rc6, KVM GDS_NO plumbing):
+        #   no string changes
+        # be83e809ca67 (v6.9-rc1, Kconfig rename):
+        #   no string changes; CONFIG_GDS_FORCE_MITIGATION => CONFIG_MITIGATION_GDS_FORCE
+        # 03267a534bb3 (v6.12-rc1, removed force Kconfig):
+        #   no string changes; CONFIG_MITIGATION_GDS_FORCE removed
+        # 225f2bd064c3 (v6.12-rc1, added on/off Kconfig):
+        #   no string changes; added CONFIG_MITIGATION_GDS (default y)
+        # 9dcad2fb31bd (v6.16-rc1, restructured select/apply):
+        #   no string changes; added GDS_MITIGATION_AUTO (internal, resolved before display)
+        #   split gds_select_mitigation() + gds_apply_mitigation()
+        # d4932a1b148b (v6.17-rc3, bug fix):
+        #   no string changes; CPUs without ARCH_CAP_GDS_CTRL were incorrectly classified
+        #   as OFF ("Vulnerable") instead of UCODE_NEEDED ("Vulnerable: No microcode"),
+        #   and locked-mitigation detection was skipped.
+        #   NOT backported to any stable or RHEL branch as of 2026-04.
+        #
+        # --- stable backports ---
+        # 5.4.y, 5.10.y, 5.15.y, 6.1.y, 6.6.y: same 7 strings as mainline.
+        #   use CONFIG_GDS_FORCE_MITIGATION; no GDS_MITIGATION_AUTO enum;
+        #   missing d4932a1b148b bug fix (UCODE_NEEDED vs OFF misclassification).
+        # 6.12.y: same 7 strings as mainline.
+        #   uses CONFIG_MITIGATION_GDS; no GDS_MITIGATION_AUTO enum;
+        #   missing d4932a1b148b bug fix.
+        #
+        # --- RHEL/CentOS ---
+        # centos7 (3.10), rocky8 (4.18): same 7 strings; CONFIG_GDS_FORCE_MITIGATION.
+        #   centos7 uses sprintf (not sysfs_emit) and __read_mostly.
+        # rocky9 (5.14): same 7 strings; CONFIG_MITIGATION_GDS (skipped FORCE rename).
+        # rocky10 (6.12): same 7 strings; CONFIG_MITIGATION_GDS; has gds_apply_mitigation().
+        #
+        # --- Kconfig symbols ---
+        # 53cf5797f114 (v6.5-rc6): CONFIG_GDS_FORCE_MITIGATION (default n)
+        # be83e809ca67 (v6.9-rc1): renamed to CONFIG_MITIGATION_GDS_FORCE
+        # 03267a534bb3 (v6.12-rc1): CONFIG_MITIGATION_GDS_FORCE removed
+        # 225f2bd064c3 (v6.12-rc1): CONFIG_MITIGATION_GDS (default y)
+        # vendor kernels: rocky9 uses CONFIG_MITIGATION_GDS on 5.14-based kernel
+        #
+        # --- kernel functions (for $opt_map / System.map) ---
+        # 8974eb588283 (v6.5-rc6): gds_select_mitigation(), update_gds_msr(),
+        #   gds_parse_cmdline(), gds_show_state()
+        # 81ac7e5d7417 (v6.5-rc6): gds_ucode_mitigated() (exported for KVM)
+        # 9dcad2fb31bd (v6.16-rc1): split into gds_select_mitigation() + gds_apply_mitigation()
+        # stable 5.4.y-6.12.y: same 5 functions (no gds_apply_mitigation)
+        # rocky10 (6.12): has gds_apply_mitigation()
+        #
+        # --- CPU affection logic (for is_cpu_affected) ---
+        # X86_BUG_GDS is set when ALL three conditions are true:
+        #   1. CPU matches model blacklist (cpu_vuln_blacklist[] in common.c)
+        #   2. ARCH_CAP_GDS_NO (bit 26 of IA32_ARCH_CAPABILITIES) is NOT set
+        #   3. X86_FEATURE_AVX is present (GATHER instructions require AVX)
+        # 8974eb588283 (v6.5-rc6, initial model list):
+        #   Intel: SKYLAKE_X, KABYLAKE_L, KABYLAKE, ICELAKE_L, ICELAKE_D,
+        #          ICELAKE_X, COMETLAKE, COMETLAKE_L, TIGERLAKE_L, TIGERLAKE,
+        #          ROCKETLAKE (all steppings)
+        # c9f4c45c8ec3 (v6.5-rc6, added missing client Skylake):
+        #   Intel: + SKYLAKE_L, SKYLAKE
+        # 159013a7ca18 (v6.10-rc1, ITS stepping splits):
+        #   no GDS model changes; some entries split by stepping for ITS but
+        #   GDS flag remains on all stepping ranges for these models
+        # immunity: ARCH_CAP_GDS_NO (bit 26 of IA32_ARCH_CAPABILITIES)
+        # feature dependency: requires AVX (if AVX absent, CPU is immune)
+        # vendor scope: Intel only
+        #
+        # all messages start with either "Not affected", "Vulnerable", "Mitigation",
+        # or "Unknown"
         status=$ret_sys_interface_check_status
+        # Override: when the kernel says "Unknown: Dependent on hypervisor status", it
+        # gave up because it's running as a VM guest and can't read MCU_OPT_CTRL.
+        # We can often do better: the hypervisor may have exposed GDS_NO or GDS_CTRL
+        # to us via ARCH_CAPABILITIES, so let our own Phase 2 checks take over.
+        if echo "$ret_sys_interface_check_fullmsg" | grep -qi 'Dependent on hypervisor'; then
+            status=UNK
+        fi
     fi
 
     if [ "$opt_sysfs_only" != 1 ]; then
         pr_info_nol "* GDS is mitigated by microcode: "
         if [ "$cap_gds_ctrl" = 1 ] && [ "$cap_gds_mitg_dis" = 0 ]; then
             pstatus green OK "microcode mitigation is supported and enabled"
+        elif [ "$cap_gds_ctrl" = 1 ] && [ "$cap_gds_mitg_dis" = 1 ]; then
+            pstatus yellow NO "microcode mitigation is supported but disabled"
+        elif [ "$cap_gds_ctrl" = 0 ]; then
+            pstatus yellow NO "microcode doesn't support GDS mitigation"
         else
-            pstatus yellow NO
+            pstatus yellow UNKNOWN "couldn't read MSR for GDS capability"
         fi
+
         pr_info_nol "* Kernel supports software mitigation by disabling AVX: "
+        kernel_gds=''
+        kernel_gds_err=''
         if [ -n "$g_kernel_err" ]; then
             kernel_gds_err="$g_kernel_err"
         elif grep -q 'gather_data_sampling' "$g_kernel"; then
             kernel_gds="found gather_data_sampling in kernel image"
         fi
+        if [ -z "$kernel_gds" ] && [ -r "$opt_config" ]; then
+            if grep -q '^CONFIG_GDS_FORCE_MITIGATION=y' "$opt_config" ||
+                grep -q '^CONFIG_MITIGATION_GDS_FORCE=y' "$opt_config" ||
+                grep -q '^CONFIG_MITIGATION_GDS=y' "$opt_config"; then
+                kernel_gds="GDS mitigation config option found enabled in kernel config"
+            fi
+        fi
+        if [ -z "$kernel_gds" ] && [ -n "$opt_map" ]; then
+            if grep -q 'gds_select_mitigation' "$opt_map"; then
+                kernel_gds="found gds_select_mitigation in System.map"
+            fi
+        fi
         if [ -n "$kernel_gds" ]; then
             pstatus green YES "$kernel_gds"
         elif [ -n "$kernel_gds_err" ]; then
@@ -7502,6 +7617,7 @@ check_CVE_2022_40982_linux() {
         if [ -n "$kernel_gds" ]; then
             pr_info_nol "* Kernel has disabled AVX as a mitigation: "
 
+            if [ "$opt_live" = 1 ]; then
                 # Check dmesg message to see whether AVX has been disabled
                 dmesg_grep 'Microcode update needed! Disabling AVX as mitigation'
                 dmesgret=$?
@@ -7527,6 +7643,9 @@ check_CVE_2022_40982_linux() {
                 else
                     pstatus yellow NO "AVX support is enabled"
                 fi
+            else
+                pstatus blue N/A "not testable in offline mode"
+            fi
         fi
 
     elif [ "$sys_interface_available" = 0 ]; then
@@ -7540,17 +7659,41 @@ check_CVE_2022_40982_linux() {
         pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
     elif [ -z "$msg" ]; then
         # if msg is empty, sysfs check didn't fill it, rely on our own test
+        if [ "$opt_sysfs_only" != 1 ]; then
             if [ "$cap_gds_ctrl" = 1 ] && [ "$cap_gds_mitg_dis" = 0 ]; then
+                if [ "$opt_paranoid" = 1 ] && [ "$cap_gds_mitg_lock" != 1 ]; then
+                    pvulnstatus "$cve" VULN "Microcode mitigation is enabled but not locked"
+                    explain "In paranoid mode, the GDS mitigation must be locked to prevent a privileged attacker\n " \
+                        "(e.g. in a guest VM) from disabling it. Check your firmware/BIOS for an option to lock the\n " \
+                        "GDS mitigation, or update your microcode."
+                else
                     pvulnstatus "$cve" OK "Your microcode is up to date and mitigation is enabled"
+                fi
             elif [ "$cap_gds_ctrl" = 1 ] && [ "$cap_gds_mitg_dis" = 1 ]; then
                 pvulnstatus "$cve" VULN "Your microcode is up to date but mitigation is disabled"
+                explain "The GDS mitigation has been explicitly disabled (gather_data_sampling=off or mitigations=off).\n " \
+                    "Remove the kernel parameter to re-enable it."
+            elif [ "$sys_interface_available" = 1 ] &&
+                echo "$ret_sys_interface_check_fullmsg" | grep -qi 'Dependent on hypervisor'; then
+                # We're in a VM guest, the kernel gave up, and we couldn't read the
+                # GDS MSR bits either (cap_gds_ctrl != 1). We genuinely can't tell.
+                pvulnstatus "$cve" UNK "Running in a VM, mitigation depends on the hypervisor"
+                explain "This system is running as a virtual machine guest. GDS mitigation must be handled by\n " \
+                    "the host hypervisor. Contact your VM/cloud provider to verify that GDS is mitigated on the host."
             elif [ -z "$kernel_gds" ]; then
                 pvulnstatus "$cve" VULN "Your microcode doesn't mitigate the vulnerability, and your kernel doesn't support mitigation"
+                explain "Update both your CPU microcode (via BIOS/firmware update from your OEM) and your kernel\n " \
+                    "to a version that supports GDS mitigation (Linux 6.5+, or check if your distro has a backport)."
             elif [ -z "$kernel_avx_disabled" ]; then
-            pvulnstatus "$cve" VULN "Your microcode doesn't mitigate the vulnerability, your kernel support the mitigation but the script did not detect AVX as disabled by the kernel"
+                pvulnstatus "$cve" VULN "Your microcode doesn't mitigate the vulnerability, your kernel supports the mitigation but AVX was not disabled"
+                explain "Update your CPU microcode (via BIOS/firmware update from your OEM). If no microcode update\n " \
+                    "is available, use gather_data_sampling=force on the kernel command line to disable AVX as a workaround."
             else
                 pvulnstatus "$cve" OK "Your microcode doesn't mitigate the vulnerability, but your kernel has disabled AVX support"
             fi
+        else
+            pvulnstatus "$cve" "$status" "$ret_sys_interface_check_fullmsg"
+        fi
     else
         pvulnstatus "$cve" "$status" "$msg"
     fi