release v26.33.0420460 (#567 )

workflow: expose reconsider_age_days input + env var
chore: workflow: add manual model + window_hours inputs, add reconsider
2026-04-23 09:03:19 +02:00 · 2026-04-20 15:18:11 +00:00 · 2026-04-19 14:46:56 +02:00 · 2026-04-19 12:55:03 +02:00 · 2026-04-19 11:14:21 +02:00 · 2026-04-18 16:23:47 +02:00
6 changed files with 264 additions and 221 deletions
--- a/.github/workflows/autoupdate.yml
+++ b/.github/workflows/autoupdate.yml
@@ -0,0 +1,36 @@
 name: autoupdate
 on:
  workflow_dispatch:
  schedule:
    - cron: '42 9 * * *'
 permissions:
  pull-requests: write
 jobs:
  autoupdate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install prerequisites
        run: sudo apt-get update && sudo apt-get install -y --no-install-recommends iucode-tool sqlite3 unzip
      - name: Update microcode versions
        run: ./spectre-meltdown-checker.sh --update-builtin-fwdb
      - name: Check git diff
        id: diff
        run: |
          echo change="$(git diff spectre-meltdown-checker.sh | awk '/MCEDB/ { if(V) { print V" to "$4; exit } else { V=$4 } }')" >> "$GITHUB_OUTPUT"
          echo nbdiff="$(git diff spectre-meltdown-checker.sh | grep -cE -- '^\+# [AI],')" >> "$GITHUB_OUTPUT"
          git diff
          cat "$GITHUB_OUTPUT"
      - name: Create Pull Request if needed
        if: steps.diff.outputs.nbdiff != '0'
        uses: peter-evans/create-pull-request@v7
        with:
          branch: autoupdate-fwdb
          commit-message: "update: fwdb from ${{ steps.diff.outputs.change }}, ${{ steps.diff.outputs.nbdiff }} microcode changes"
          title: "[Auto] Update fwdb from ${{ steps.diff.outputs.change }}"
          body: |
            Automated PR to update fwdb from ${{ steps.diff.outputs.change }}
            Detected ${{ steps.diff.outputs.nbdiff }} microcode changes
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -25,81 +25,21 @@ jobs:
        mv spectre-meltdown-checker.sh dist/
    - name: check direct execution
      run: |
        set -x
        expected=$(cat .github/workflows/expected_cve_count)
        cd dist
-
+        nb=$(sudo ./spectre-meltdown-checker.sh --batch json | jq '.[]|.CVE' | wc -l)
        json=$(sudo ./spectre-meltdown-checker.sh --batch json || true)
        # Validate JSON is well-formed (and show it if not)
        echo "$json" | jq . >/dev/null || {
          echo "Invalid JSON produced by spectre-meltdown-checker.sh"
          echo "$json"
          exit 1
        }
        # Validate required keys exist
        for key in meta system cpu cpu_microcode vulnerabilities; do
          echo "$json" | jq -e ".$key" >/dev/null || {
            echo "Missing top-level key: $key"
            echo "$json" | jq .
            exit 1
          }
        done
        # Use -r to get raw scalars (no quotes)
        fmtver=$(echo "$json" | jq -r '.meta.format_version // empty')
        if [ "$fmtver" != "1" ]; then
          echo "Unexpected format_version: $fmtver"
          echo "$json" | jq .
          exit 1
        fi
        run_as_root=$(echo "$json" | jq -r '.meta.run_as_root // empty')
        if [ "$run_as_root" != "true" ]; then
          echo "Expected run_as_root=true, got: $run_as_root"
          echo "$json" | jq .
          exit 1
        fi
        mocked=$(echo "$json" | jq -r '.meta.mocked // "false"')
        if [ "$mocked" = "true" ]; then
          echo "mocked=true must never appear in production"
          echo "$json" | jq .
          exit 1
        fi
        # Count CVEs robustly (as a number)
        nb=$(echo "$json" | jq -r '[.vulnerabilities[].cve] | length')
        if [ "$nb" -ne "$expected" ]; then
          echo "Invalid number of CVEs reported: $nb instead of $expected"
          echo "$json" | jq '.vulnerabilities[].cve'
          exit 1
        else
          echo "OK $nb CVEs reported"
        fi
        # Validate json-terse backward compatibility
        nb_terse=$(sudo ./spectre-meltdown-checker.sh --batch json-terse | jq -r 'map(.CVE) | length')
        if [ "$nb_terse" -ne "$expected" ]; then
          echo "json-terse backward compat broken: $nb_terse CVEs instead of $expected"
          exit 1
        else
          echo "OK json-terse backward compat: $nb_terse CVEs"
        fi
    - name: check docker compose run execution
      run: |
        expected=$(cat .github/workflows/expected_cve_count)
        cd dist
        docker compose build
-        json=$(docker compose run --rm spectre-meltdown-checker --batch json || true)
+        nb=$(docker compose run --rm spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
        echo "$json" | jq . > /dev/null
        fmtver=$(echo "$json" | jq '.meta.format_version')
        if [ "$fmtver" != "1" ]; then
          echo "Unexpected format_version: $fmtver"
          exit 1
        fi
        nb=$(echo "$json" | jq '.vulnerabilities[].cve' | wc -l)
        if [ "$nb" -ne "$expected" ]; then
          echo "Invalid number of CVEs reported: $nb instead of $expected"
          exit 1
@@ -111,14 +51,7 @@ jobs:
        expected=$(cat .github/workflows/expected_cve_count)
        cd dist
        docker build -t spectre-meltdown-checker .
-        json=$(docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker --batch json || true)
+        nb=$(docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
        echo "$json" | jq . > /dev/null
        fmtver=$(echo "$json" | jq '.meta.format_version')
        if [ "$fmtver" != "1" ]; then
          echo "Unexpected format_version: $fmtver"
          exit 1
        fi
        nb=$(echo "$json" | jq '.vulnerabilities[].cve' | wc -l)
        if [ "$nb" -ne "$expected" ]; then
          echo "Invalid number of CVEs reported: $nb instead of $expected"
          exit 1
@@ -159,19 +92,15 @@ jobs:
        fi
    - name: create a pull request to ${{ github.ref_name }}-build
      run: |
        # all the files in dist/* and .github/* must be moved as is to the -build branch root, move them out for now:
        tmpdir=$(mktemp -d)
        mv ./dist/* .github $tmpdir/
        rm -rf ./dist
        git fetch origin ${{ github.ref_name }}-build
        git checkout -f ${{ github.ref_name }}-build
        rm -rf doc/
        mv $tmpdir/* .
-        rm -rf src/ scripts/ img/
+        rm -rf src/
        mkdir -p .github
        rsync -vaP --delete $tmpdir/.github/ .github/
        git add --all
        echo =#=#= DIFF CACHED
        git diff --cached
--- a/.github/workflows/expected_cve_count
+++ b/.github/workflows/expected_cve_count
@@ -1 +1 @@
-32
+26
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -0,0 +1,33 @@
 name: 'Manage stale issues and PRs'
 on:
  schedule:
    - cron: '37 7 * * *'
  workflow_dispatch:
    inputs:
      action:
        description: "dry-run"
        required: true
        default: "dryrun"
        type: choice
        options:
          - dryrun
          - apply
 permissions:
  issues: write
  pull-requests: write
 jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/stale@v10
        with:
          any-of-labels: 'needs-more-info,answered'
          labels-to-remove-when-unstale: 'needs-more-info,answered'
          days-before-stale: 30
          days-before-close: 7
          stale-issue-label: stale
          remove-stale-when-updated: true
          debug-only: ${{ case(inputs.action == 'dryrun', true, false) }}
--- a/.github/workflows/vuln-watch.yml
+++ b/.github/workflows/vuln-watch.yml
@@ -0,0 +1,190 @@
 name: Online search for vulns
 on:
  schedule:
    - cron: '42 8 * * *'
  workflow_dispatch:
    inputs:
      model:
        description: 'Claude model to use (cron runs default to Sonnet)'
        required: false
        type: choice
        default: claude-sonnet-4-6
        options:
          - claude-sonnet-4-6
          - claude-opus-4-7
          - claude-haiku-4-5-20251001
      window_hours:
        description: 'Lookback window in hours (cron runs use 25)'
        required: false
        type: string
        default: '25'
      reconsider_age_days:
        description: 'Only reconsider backlog entries last reviewed ≥ N days ago (0 = all, default 7)'
        required: false
        type: string
        default: '7'
 permissions:
  contents: read
  actions: read           # needed to list/download previous run artifacts
  id-token: write         # needed by claude-code-action for OIDC auth
 concurrency:
  group: vuln-watch
  cancel-in-progress: true
 jobs:
  watch:
    runs-on: ubuntu-latest
    timeout-minutes: 20
    steps:
      # The scripts driving this workflow live on the `vuln-watch` branch so
      # they don't clutter master (which is what ships to production). The
      # workflow file itself MUST stay on the default branch, as GitHub only
      # honors `schedule:` triggers on the default branch.
      - name: Checkout vuln-watch branch (scripts + prompt)
        uses: actions/checkout@v5
        with:
          ref: vuln-watch
          fetch-depth: 1
          persist-credentials: false
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.12'
      - name: Install Python dependencies
        run: python -m pip install --quiet feedparser
      # ---- Load previous state ---------------------------------------------
      # Find the most recent successful run of THIS workflow (other than the
      # current one) and pull its `vuln-watch-state` artifact. On the very
      # first run there will be none — that's fine, we start empty.
      - name: Find previous successful run id
        id: prev
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          set -e
          run_id=$(gh run list \
            --workflow="${{ github.workflow }}" \
            --status=success \
            --limit 1 \
            --json databaseId \
            --jq '.[0].databaseId // empty')
          echo "run_id=${run_id}" >> "$GITHUB_OUTPUT"
          if [ -n "$run_id" ]; then
            echo "Found previous successful run: $run_id"
          else
            echo "No previous successful run — starting from empty state."
          fi
      - name: Download previous state artifact
        if: steps.prev.outputs.run_id != ''
        uses: actions/download-artifact@v5
        continue-on-error: true   # tolerate retention expiry
        with:
          name: vuln-watch-state
          path: state/
          run-id: ${{ steps.prev.outputs.run_id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      # ---- Fetch + diff (token-free; runs every time) ---------------------
      # Performs conditional GETs (ETag / If-Modified-Since) against every
      # source, parses RSS/Atom/HTML, dedups against state.seen + state.aliases,
      # applies the time-window filter, and emits new_items.json.
      # Updates state.sources (HTTP cache metadata + per-source high-water
      # marks) in place so the cache survives even when Claude doesn't run.
      - name: Fetch + diff all sources
        id: diff
        env:
          SCAN_DATE: ${{ github.run_started_at }}
          # Cron runs have no `inputs` context, so the fallback kicks in.
          WINDOW_HOURS:         ${{ inputs.window_hours || '25' }}
          RECONSIDER_AGE_DAYS:  ${{ inputs.reconsider_age_days || '7' }}
        run: python -m scripts.vuln_watch.fetch_and_diff
      # ---- Fetch checker code so Claude can grep it for coverage ---------
      # The orphan vuln-watch branch has none of the actual checker code,
      # so we pull the `test` branch (the dev branch where coded-but-
      # unreleased CVE checks live) into ./checker/. The prompt tells
      # Claude this is the canonical source of truth for "is CVE-X already
      # implemented?". Only fetched on days with something to classify.
      - name: Checkout checker code (test branch) for coverage grep
        if: steps.diff.outputs.new_count != '0' || steps.diff.outputs.reconsider_count != '0'
        uses: actions/checkout@v5
        with:
          ref: test
          path: checker
          fetch-depth: 1
          persist-credentials: false
      # ---- Classify new items with Claude (skipped when nothing is new) ---
      # Model selection: a manual workflow_dispatch run picks from a dropdown
      # (defaulting to Sonnet). Scheduled cron runs have no `inputs` context,
      # so the `|| 'claude-sonnet-4-6'` fallback kicks in — cron always uses
      # Sonnet to keep the daily cost floor low.
      - name: Run classifier with Claude
        id: classify
        if: steps.diff.outputs.new_count != '0' || steps.diff.outputs.reconsider_count != '0'
        uses: anthropics/claude-code-action@v1
        env:
          SCAN_DATE: ${{ github.run_started_at }}
        with:
          prompt: |
            Read the full task instructions from scripts/daily_vuln_watch_prompt.md
            and execute them end-to-end. Your input is new_items.json (already
            deduped, windowed, and pre-filtered — do NOT re-fetch sources).
            Write the three watch_${TODAY}_*.md files and classifications.json.
            Use $SCAN_DATE as the canonical timestamp.
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
          # model + tool allowlist pass through claude_args (v1 dropped the
          # dedicated `model:` and `allowed_tools:` inputs). Job-level
          # `timeout-minutes: 20` above bounds total runtime.
          claude_args: |
            --model ${{ inputs.model || 'claude-sonnet-4-6' }}
            --allowedTools "Read,Write,Edit,Bash,Grep,Glob,WebFetch"
      - name: Upload Claude execution log
        if: ${{ always() && steps.classify.outputs.execution_file != '' }}
        uses: actions/upload-artifact@v5
        with:
          name: claude-execution-log-${{ github.run_id }}
          path: ${{ steps.classify.outputs.execution_file }}
          retention-days: 30
          if-no-files-found: warn
      # ---- Merge classifications back into state --------------------------
      # Also writes stub watch_*.md files if the classify step was skipped, so
      # the report artifact is consistent across runs.
      - name: Merge classifications into state
        if: always()
        env:
          SCAN_DATE: ${{ github.run_started_at }}
        run: python -m scripts.vuln_watch.merge_state
      - name: Upload new state artifact
        if: always()
        uses: actions/upload-artifact@v5
        with:
          name: vuln-watch-state
          path: state/seen.json
          retention-days: 90
          if-no-files-found: error
      - name: Upload daily report
        if: always()
        uses: actions/upload-artifact@v5
        with:
          name: vuln-watch-report-${{ github.run_id }}
          path: |
            watch_*.md
            current_toimplement.md
            current_tocheck.md
            new_items.json
            classifications.json
          retention-days: 90
          if-no-files-found: warn
--- a/FAQ.md
+++ b/FAQ.md
@@ -1,145 +0,0 @@
 # Questions
 - [What to expect from this tool?](#what-to-expect-from-this-tool)
 - [Why was this script written in the first place?](#why-was-this-script-written-in-the-first-place)
 - [Why are those vulnerabilities so different than regular CVEs?](#why-are-those-vulnerabilities-so-different-than-regular-cves)
 - [What do "affected", "vulnerable" and "mitigated" mean exactly?](#what-do-affected-vulnerable-and-mitigated-mean-exactly)
 - [What are the main design decisions regarding this script?](#what-are-the-main-design-decisions-regarding-this-script)
 - [Everything is indicated in `sysfs` now, is this script still useful?](#everything-is-indicated-in-sysfs-now-is-this-script-still-useful)
 - [How does this script work?](#how-does-this-script-work)
 - [Which BSD OSes are supported?](#which-bsd-oses-are-supported)
 - [Why is my OS not supported?](#why-is-my-os-not-supported)
 - [The tool says there is an updated microcode for my CPU, but I don't have it!](#the-tool-says-there-is-an-updated-microcode-for-my-cpu-but-i-dont-have-it)
 - [The tool says that I need a more up-to-date microcode, but I have the more recent version!](#the-tool-says-that-i-need-a-more-up-to-date-microcode-but-i-have-the-more-recent-version)
 - [Which rules are governing the support of a CVE in this tool?](#which-rules-are-governing-the-support-of-a-cve-in-this-tool)
 # Answers
 ## What to expect from this tool?
 This tool does its best to determine where your system stands on each of the collectively named [transient execution](https://en.wikipedia.org/wiki/Transient_execution_CPU_vulnerability) vulnerabilities (also sometimes called "speculative execution" vulnerabilities) that were made public since early 2018. It doesn't attempt to run any kind of exploit, and can't guarantee that your system is secure, but rather helps you verifying if your system is affected, and if it is, checks whether it has the known mitigations in place to avoid being vulnerable.
 Some mitigations could also exist in your kernel that this script doesn't know (yet) how to detect, or it might falsely detect mitigations that in the end don't work as expected (for example, on backported or modified kernels).
 Please also note that for Spectre vulnerabilities, all software can possibly be exploited, this tool only verifies that the kernel (which is the core of the system) you're using has the proper protections in place. Verifying all the other software is out of the scope of this tool. As a general measure, ensure you always have the most up to date stable versions of all the software you use, especially for those who are exposed to the world, such as network daemons and browsers.
 This tool has been released in the hope that it'll be useful, but don't use it to jump to definitive conclusions about your security: hardware vulnerabilities are [complex beasts](#why-are-those-vulnerabilities-so-different-than-regular-cves), and collective understanding of each vulnerability is evolving with time.
 ## Why was this script written in the first place?
 The first commit of this script is dated *2018-01-07*, only 4 days after the world first heard about the Meltdown and the Spectre attacks. With those attacks disclosure, a _whole new range of vulnerabilities_ that were previously thought to be mostly theoretical and only possible in very controlled environments (labs) - hence of little interest for most except researchers - suddenly became completely mainstream and apparently trivial to conduct on an immensely large number of systems.
 On the few hours and days after that date, the whole industry went crazy. Proper, verified information about these vulnerabilities was incredibly hard to find, because before this, even the CPU vendors never had to deal with managing security vulnerabilities at scale, as software vendors do since decades. There were a lot of FUD, and the apparent silence of the vendors was enough for most to fear the worst. The whole industry had everything to learn about this new type of vulnerabilities. However, most systems administrators had a few simple questions:
 - Am **I** vulnerable? And if yes,
 - What do I have to do to mitigate these vulnerabilities on **my** system?
 Unfortunately, answering those questions was very difficult (and still is to some extent), even if the safe answer to the first question was "you probably are". This script was written to try to give simple answers to those simple questions, and was made to evolve as the information about these vulnerabilities became available. On the first few days, there was several new versions published **per day**.
 ## Why are those vulnerabilities so different than regular CVEs?
 Those are hardware vulnerabilities, while most of the CVEs we see everyday are software vulnerabilities. A quick comparison would be:
 Software vulnerability:
 - Can be fixed? Yes.
 - How to fix? Update the software (or uninstall it!)
 Hardware vulnerability:
 - Can be fixed? No, only mitigated (or buy new hardware!)
 - How to ~~fix~~ mitigate? In the worst case scenario, 5 "layers" need to be updated: the microcode/firmware, the host OS kernel, the hypervisor, the VM OS kernel, and possibly all the software running on the machine. Sometimes only a subset of those layers need to be updated. In yet other cases, there can be several possible mitigations for the same vulnerability, implying different layers. Yes, it can get horribly complicated.
 A more detailed video explanation is available here: https://youtu.be/2gB9U1EcCss?t=425
 ## What do "affected", "vulnerable" and "mitigated" mean exactly?
 - **Affected** means that your CPU's hardware, as it went out of the factory, is known to be concerned by a specific vulnerability, i.e. the vulnerability applies to your hardware model. Note that it says nothing about whether a given vulnerability can actually be used to exploit your system. However, an unaffected CPU will never be vulnerable, and doesn't need to have mitigations in place.
 - **Vulnerable** implies that you're using an **affected** CPU, and means that a given vulnerability can be exploited on your system, because no (or insufficient) mitigations are in place.
 - **Mitigated** implies that a previously **vulnerable** system has followed all the steps (updated all the required layers) to ensure a given vulnerability cannot be exploited. About what "layers" mean, see [the previous question](#why-are-those-vulnerabilities-so-different-than-regular-cves).
 ## What are the main design decisions regarding this script?
 There are a few rules that govern how this tool is written.
 1) It should be okay to run this script in a production environment. This implies, but is not limited to:
   * 1a. Never modify the system it's running on, and if it needs to e.g. load a kernel module it requires, that wasn't loaded before it was launched, it'll take care to unload it on exit
   * 1b. Never attempt to "fix" or "mitigate" any vulnerability, or modify any configuration. It just reports what it thinks is the status of your system. It leaves all decisions to the sysadmin.
   * 1c. Never attempt to run any kind of exploit to tell whether a vulnerability is mitigated, because it would violate 1a), could lead to unpredictable system behavior, and might even lead to wrong conclusions, as some PoC must be compiled with specific options and prerequisites, otherwise giving wrong information (especially for Spectre). If you want to run PoCs, do it yourself, but please read carefully about the PoC and the vulnerability. PoCs about a hardware vulnerability are way more complicated and prone to false conclusions than PoCs for software vulnerabilities.
 2) Never look at the kernel version to tell whether it supports mitigation for a given vulnerability. This implies never hardcoding version numbers in the script. This would defeat the purpose: this script should be able to detect mitigations in unknown kernels, with possibly backported or forward-ported patches. Also, don't believe what `sysfs` says, when possible. See the next question about this.
 3) Never look at the microcode version to tell whether it has the proper mechanisms in place to support mitigation for a given vulnerability. This implies never hardcoding version numbers in the script. Instead, look for said mechanisms, as the kernel would do.
 4) When a CPU is not known to be explicitly unaffected by a vulnerability, make the assumption that it is. This strong design choice has it roots in the early speculative execution vulnerability days (see [this answer](#why-was-this-script-written-in-the-first-place)), and is still a good approach as of today.
 ## Everything is indicated in `sysfs` now, is this script still useful?
 A lot as changed since 2018. Nowadays, the industry adapted and this range of vulnerabilities is almost "business as usual", as software vulnerabilities are. However, due to their complexity, it's still not as easy as just checking a version number to ensure a vulnerability is closed.
 Granted, we now have a standard way under Linux to check whether our system is affected, vulnerable, mitigated against most of these vulnerabilities. By having a look at the `sysfs` hierarchy, and more precisely the `/sys/devices/system/cpu/vulnerabilities/` folder, one can have a pretty good insight about its system state for each of the listed vulnerabilities. Note that the output can be a little different with some vendors (e.g. Red Hat has some slightly different output than the vanilla kernel for some vulnerabilities), but it's still a gigantic leap forward, given where we were in 2018 when this script was started, and it's very good news. The kernel is the proper place to have this because the kernel knows everything about itself (the mitigations it might have), and the CPU (its model, and microcode features that are exposed). Note however that some vulnerabilities are not reported through this file hierarchy at all, such as Zenbleed.
 However I see a few reasons why this script might still be useful to you, and that's why its development has not halted when the `sysfs` hierarchy came out:
 - A given version of the kernel doesn't have knowledge about the future. To put it in another way: a given version of the kernel only has the understanding of a vulnerability available at the time it was compiled. Let me explain this: when a new vulnerability comes out, new versions of the microcode and kernels are released, with mitigations in place. With such a kernel, a new `sysfs` entry will appear. However, after a few weeks or months, corner cases can be discovered, previously-thought unaffected CPUs can turn out to be affected in the end, and sometimes mitigations can end up being insufficient.  Of course, if you're always running the latest kernel version from kernel.org, this issue might be limited for you. The spectre-meltdown-checker script doesn't depend on a kernel's knowledge and understanding of a vulnerability to compute its output. That is, unless you tell it to (using the `--sysfs-only` option).
 - Mitigating a vulnerability completely can sometimes be tricky, and have a lot of complicated prerequisites, depending on your kernel version, CPU vendor, model and even sometimes stepping, CPU microcode, hypervisor support, etc. The script gives a very detailed insight about each of the prerequisites of mitigation for every vulnerability, step by step, hence pointing out what is missing on your system as a whole to completely mitigate an issue.
 - The script can be pointed at a kernel image, and will deep dive into it, telling you if this kernel will mitigate vulnerabilities that might be present on your system. This is a good way to verify before booting a new kernel, that it'll mitigate the vulnerabilities you expect it to, especially if you modified a few config options around these topics.
 - The script will also work regardless of the custom patches that might be integrated in the kernel you're running (or you're pointing it to, in offline mode), and completely ignores the advertised kernel version, to tell whether a given kernel mitigates vulnerabilities. This is especially useful for non-vanilla kernel, where patches might be backported, sometimes silently (this has already happened, too).
 - Educational purposes: the script gives interesting insights about a vulnerability, and how the different parts of the system work together to mitigate it.
 There are probably other reasons, but that are the main ones that come to mind. In the end, of course, only you can tell whether it's useful for your use case ;)
 ## How does this script work?
 On one hand, the script gathers information about your CPU, and the features exposed by its microcode. To do this, it uses the low-level CPUID instruction (through the `cpuid` kernel module under Linux, and the `cpucontrol` tool under BSD), and queries to the MSR registers of your CPU (through the `msr` kernel module under Linux, and the `cpucontrol` tool under BSD).
 On another hand, the script looks into the kernel image your system is running on, for clues about the mitigations it supports. Of course, this is very specific for each operating system, even if the implemented mitigation is functionally the same, the actual code is completely specific. As you can imagine, the Linux kernel code has a few in common with a BSD kernel code, for example. Under Linux, the script supports looking into the kernel image, and possibly the System.map and kernel config file, if these are available. Under BSD, it looks into the kernel file only.
 Then, for each vulnerability it knows about, the script decides whether your system is [affected, vulnerable, and mitigated](#what-do-affected-vulnerable-and-mitigated-mean-exactly) against it, using the information it gathered about your hardware and your kernel.
 ## Which BSD OSes are supported?
 For the BSD range of operating systems, the script will work as long as the BSD you're using supports `cpuctl` and `linprocfs`. This is not the case for OpenBSD for example. Known BSD flavors having proper support are: FreeBSD, NetBSD, DragonflyBSD. Derivatives of those should also work. To know why other BSDs will likely never be supported, see [why is my OS not supported?](#why-is-my-os-not-supported).
 ## Why is my OS not supported?
 This tool only supports Linux, and [some flavors of BSD](#which-bsd-oses-are-supported). Other OSes will most likely never be supported, due to [how this script works](#how-does-this-script-work). It would require implementing these OSes specific way of querying the CPU. It would also require to get documentation (if available) about how this OS mitigates each vulnerability, down to this OS kernel code, and if documentation is not available, reverse-engineer the difference between a known old version of a kernel, and a kernel that mitigates a new vulnerability. This means that all the effort has to be duplicated times the number of supported OSes, as everything is specific, by construction. It also implies having a deep understanding of every OS, which takes years to develop. However, if/when other tools appear for other OSes, that share the same goal of this one, they might be listed here as a convenience.
 ## The tool says there is an updated microcode for my CPU, but I don't have it!
 Even if your operating system is fully up to date, the tool might still tell you that there is a more recent microcode version for your CPU. Currently, it uses (and merges) information from 4 sources:
 - The official [Intel microcode repository](https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files)
 - The awesome platomav's [MCExtractor database](https://github.com/platomav/MCExtractor) for non-Intel CPUs
 - The official [linux-firmware](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git) repository for AMD
 - Specific Linux kernel commits that sometimes hardcode microcode versions, such as for [Zenbleed](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=522b1d69219d8f083173819fde04f994aa051a98) or for the bad [Spectre](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/kernel/cpu/intel.c#n141) microcodes
 Generally, it means a more recent version of the microcode has been seen in the wild. However, fully public availability of this microcode might be limited yet, or your OS vendor might have chosen not to ship this new version (yet), maybe because it's currently being tested, or for other reasons. This tool can't tell you when or if this will be the case. You should ask your vendor about it. Technically, you can still go and upgrade your microcode yourself, and use this tool to confirm whether you did it successfully. Updating the microcode for you is out of the scope of this tool, as this would violate [rule 1b](#what-are-the-main-design-decisions-regarding-this-script).
 ## The tool says that I need a more up-to-date microcode, but I have the more recent version!
 This can happen for a few reasons:
 - Your CPU is no longer supported by the vendor. In that case, new versions of the microcode will never be published, and vulnerabilities requiring microcode features will never be fixed. On most of these vulnerabilities, you'll have no way to mitigate the issue on a vulnerable system, appart from buying a more recent CPU. Sometimes, you might be able to mitigate the issue by disabling a CPU feature instead (often at the cost of speed). When this is the case, the script will list this as one of the possible mitigations for the vulnerability.
 - The vulnerability is recent, and your CPU has not yet received a microcode update for the vendor. Often, these updates come in batches, and it can take several batches to cover all the supported CPUs.
 In both cases, you can contact your vendor to know whether there'll be an update or not, and if yes, when. For Intel, at the time this FAQ entry was written, such guidance was [available here](https://software.intel.com/content/www/us/en/develop/topics/software-security-guidance/processors-affected-consolidated-product-cpu-model.html).
 ## Which rules are governing the support of a CVE in this tool?
 On the early days, it was easy: just Spectre and Meltdown (hence the tool name), because that's all we had. Now that this range of vulnerability is seeing a bunch of newcomers every year, this question is legitimate.
 To stick with this tool's goal, a good indication as to why a CVE should be supported, is when mitigating it requires either kernel modifications, microcode modifications, or both.
 Counter-examples include (non-exhaustive list):
 - [CVE-2019-14615](https://github.com/speed47/spectre-meltdown-checker/issues/340), mitigating this issue is done by updating the Intel driver. This is out of the scope of this tool.
 - [CVE-2019-15902](https://github.com/speed47/spectre-meltdown-checker/issues/304), this CVE is due to a bad backport in the stable kernel. If the faulty backport was part of the mitigation of another supported CVE, and this bad backport was detectable (without hardcoding kernel versions, see [rule 2](#why-are-those-vulnerabilities-so-different-than-regular-cves)), it might have been added as a bullet point in the concerned CVE's section in the tool. However, this wasn't the case.
 - The "[Take A Way](https://github.com/speed47/spectre-meltdown-checker/issues/344)" vulnerability, AMD said that they believe this is not a new attack, hence there were no microcode and no kernel modification made. As there is nothing to look for, this is out of the scope of this tool.
 - [CVE-2020-0550](https://github.com/speed47/spectre-meltdown-checker/issues/347), the vendor thinks this is hardly exploitable in the wild, and as mitigations would be too performance impacting, as a whole the industry decided to not address it. As there is nothing to check for, this is out of the scope of this tool.
 - [CVE-2020-0551](https://github.com/speed47/spectre-meltdown-checker/issues/348), the industry decided to not address it, as it is believed mitigations for other CVEs render this attack practically hard to make, Intel just released an updated SDK for SGX to help mitigate the issue, but this is out of the scope of this tool.
 Look for the [information](https://github.com/speed47/spectre-meltdown-checker/issues?q=is%3Aissue+is%3Aopen+label%3Ainformation) tag in the issues list for more examples.
Author	SHA1	Message	Date
Stéphane Lesimple	1c067add59	release v26.33.0420460 (#567 )	2026-04-20 15:18:11 +00:00
Stéphane Lesimple	00bb4a951c	workflow: expose reconsider_age_days input + env var	2026-04-19 14:46:56 +02:00
Stéphane Lesimple	43d5b77885	chore: workflow: add manual model + window_hours inputs, add reconsider	2026-04-19 12:55:03 +02:00
Stéphane Lesimple	78a6e4a418	chore: move cron vuln-watch workflow script files to their own branch	2026-04-19 11:14:21 +02:00
Stéphane Lesimple	5af1a9fec9	chore: workflow: add scan id	2026-04-18 16:23:47 +02:00
Stéphane Lesimple	b93027640f	chore: vuln workflow: use opus, no persist creds, conditional upload	2026-04-18 16:19:10 +02:00
Stéphane Lesimple	5c27284119	chore: workflow: save logs	2026-04-18 16:05:15 +02:00
Stéphane Lesimple	f2e5999fc0	chore: explicit prompt for workflow	2026-04-18 15:41:03 +02:00
Stéphane Lesimple	25f20b8860	chore: fix workflow perms (#558 )	2026-04-18 15:29:54 +02:00
Stéphane Lesimple	77e3dbd6b2	add scheduled vuln research (#557 )	2026-04-18 15:14:13 +02:00
Stéphane Lesimple	8a6f9d5d63	Implement ITS/VMScape/BTI and misc enhancements (#539 ) `7a7408d` fix: add rebleet to --variant `cccb3c0` enh: add known fixed ucode versions for CVE-2023-23583 (Reptar) and CVE-2024-45332 (BPI) `090f109` doc: add CVE-2023-31315 (SinkClose) to the unsupported list, add categories `5dc9c3c` chore: reorder CVE list in README.md `a00fab1` feat: implement CVE-2025-40300 (VMScape) and CVE-2024-45332 (BTI) `e0b818f` chore: stalebot: disable dryrun by default `4af1155` feat: implement CVE-2024-28956 (ITS, Indirect Target Selection) vulnerability and mitigation detection `dfed6f3` doc: add note about more unsupported CVEs `1652977` add a generated version of src/libs/003_intel_models.sh `a089ae8` fix: sys_interface_check() must set the caller's $msg var (closes #533) `cc6bbaa` chore: don't include src/ generated files in build `2717b0a` doc: CVE-2020-12965 unsupported (#478)	2026-04-04 18:38:49 +02:00