mirror of
https://github.com/speed47/spectre-meltdown-checker.git
synced 2026-06-06 22:53:03 +02:00
Stéphane Lesimple
0b022ee253
Zenbleed (CVE-2023-20593) is mitigated either by up-to-date CPU microcode or by the host kernel setting FP_BACKUP_FIX (DE_CFG MSR 0xc0011029 bit 9). Both are applied at the host level. Inside a Xen dom0/domU (or any VM guest) the script can't read that MSR and can't trust the microcode version the hypervisor presents, so it wrongly concluded "kernel too old + microcode not fixed" and reported VULN even though the host had applied the microcode fix (passing on bare metal). In live mode, when the verdict would be VULN and we're running as a guest, report UNK instead, explaining the mitigation is host-level and not observable from inside the guest. Bare metal is unchanged (still VULN), offline analysis is unchanged, and a guest with positively-confirmed fixed microcode still reports OK.