Spectre-meltdown-checker on the 6.12 LTS kernel

Hello.
I understand that the spectre-meltdown-checker application has not been updated for a long time and was transferred to the AUR. However, I have an old processor and my motherboard has not received an update from the manufacturer, so I can only rely on software protection against these types of threats.

I noticed that on the latest LTS kernel the application shows an open vulnerability again, while on kernel 6.1 everything is fine. So the question is: is kernel 6.1 more secure for old hardware? Or does spectre-meltdown-checker (for example, since its latest update is from 2023-08-09) simply not understand kernel 6.12, and in fact all vulnerabilities are still closed in kernel 6.12?

6.1.135-1 sudo spectre-meltdown-checker

SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:OK CVE-2023-20593:OK

6.12.25-1 sudo spectre-meltdown-checker

SUMMARY: CVE-2017-5753:OK CVE-2017-5715:KO CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:OK CVE-2023-20593:OK

CVE-2017-5715:KO

CVE-2017-5715 aka ‘Spectre Variant 2, branch target injection’

  • Mitigated according to the /sys interface: YES (Mitigation: Retpolines; IBPB: conditional; IBRS_FW; STIBP: disabled; RSB filling; PBRSB-eIBRS: Not affected; BHI: Not affected)
  • Mitigation 1
    • Kernel is compiled with IBRS support: YES
      • IBRS enabled and active: UNKNOWN
    • Kernel is compiled with IBPB support: YES
      • IBPB enabled and active: YES
  • Mitigation 2
    • Kernel has branch predictor hardening (arm): NO
    • Kernel compiled with retpoline option: NO

STATUS: VULNERABLE (IBRS+IBPB or retpoline+IBPB is needed to mitigate the vulnerability)

Probably the latter. LTS kernels always continue receiving bugfixes and security updates — that’s why they are long-term-support kernels — while spectre-meltdown-checker has not been updated anymore in years, and does — indeed — not understand the newest kernels.

4 Likes
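
The kernel's own verdict is the "/sys interface" line the checker quotes, read from `/sys/devices/system/cpu/vulnerabilities`. As an added example (not from any poster in this thread and not part of spectre-meltdown-checker), the script below compares a checker SUMMARY line with those sysfs files and flags where the two disagree. The function names and the CVE-to-file mapping are assumptions made for the example; the sample status strings are copied from the logs in this thread into a constructed directory so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example: compare a spectre-meltdown-checker SUMMARY line with the
# status the running kernel reports in sysfs. All names are hypothetical.

# Map a CVE id to a sysfs vulnerability file (assumed mapping; file names
# are those shown in the inxi "Vulnerabilities" section of the thread).
cve_to_sysfs() {
  case "$1" in
    CVE-2017-5753) echo spectre_v1 ;;
    CVE-2017-5715) echo spectre_v2 ;;
    CVE-2017-5754) echo meltdown ;;
    CVE-2018-3639) echo spec_store_bypass ;;
    CVE-2018-3615|CVE-2018-3620|CVE-2018-3646) echo l1tf ;;
    CVE-2018-12126|CVE-2018-12130|CVE-2018-12127|CVE-2019-11091) echo mds ;;
    CVE-2019-11135) echo tsx_async_abort ;;
    CVE-2018-12207) echo itlb_multihit ;;
    CVE-2020-0543) echo srbds ;;
    *) return 1 ;;   # e.g. CVE-2018-3640: no sysfs file assumed
  esac
}

# Reduce a kernel status string to OK / KO / UNKNOWN using only its leading
# verdict, so sub-fields such as "SMT vulnerable" do not flip the result.
kernel_verdict() {
  case "$1" in
    "Not affected"*) echo OK ;;
    Mitigation:*|"KVM: Mitigation:"*) echo OK ;;
    Vulnerable*|"KVM: Vulnerable"*) echo KO ;;
    *) echo UNKNOWN ;;
  esac
}

# compare_summary "<SUMMARY line>" [sysfs dir]
# Prints one line per CVE: same, DIFFERS, kernel-unknown or no-sysfs.
compare_summary() {
  local summary="$1" dir="${2:-/sys/devices/system/cpu/vulnerabilities}"
  local token cve checker file raw kernel
  for token in ${summary#SUMMARY: }; do
    cve="${token%:*}"
    checker="${token##*:}"
    if ! file="$(cve_to_sysfs "$cve")"; then
      printf '%s - checker=%s kernel=n/a no-sysfs\n' "$cve" "$checker"
      continue
    fi
    raw=""
    if [ -r "$dir/$file" ]; then raw="$(cat "$dir/$file")"; fi
    kernel="$(kernel_verdict "$raw")"
    if [ "$kernel" = "UNKNOWN" ]; then
      printf '%s %s checker=%s kernel=UNKNOWN kernel-unknown | %s\n' "$cve" "$file" "$checker" "$raw"
    elif [ "$kernel" = "$checker" ]; then
      printf '%s %s checker=%s kernel=%s same\n' "$cve" "$file" "$checker" "$kernel"
    else
      # A difference means the two sources disagree; it does not say which is right.
      printf '%s %s checker=%s kernel=%s DIFFERS | %s\n' "$cve" "$file" "$checker" "$kernel" "$raw"
    fi
  done
}

# Build a constructed sysfs directory from the status strings in the thread.
make_sample_sysfs() {
  mkdir -p "$1" || return 1
  printf '%s\n' 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization' > "$1/spectre_v1"
  printf '%s\n' 'Mitigation: Retpolines; IBPB: conditional; IBRS_FW; STIBP: disabled; RSB filling; PBRSB-eIBRS: Not affected; BHI: Not affected' > "$1/spectre_v2"
  printf '%s\n' 'Mitigation: PTI' > "$1/meltdown"
  printf '%s\n' 'Mitigation: Speculative Store Bypass disabled via prctl' > "$1/spec_store_bypass"
  printf '%s\n' 'Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled' > "$1/l1tf"
  printf '%s\n' 'Mitigation: Clear CPU buffers; SMT disabled' > "$1/mds"
  printf '%s\n' 'Not affected' > "$1/tsx_async_abort"
  printf '%s\n' 'KVM: Mitigation: Split huge pages' > "$1/itlb_multihit"
  printf '%s\n' 'Mitigation: Microcode' > "$1/srbds"
}

# Demo on constructed data: the 6.12.25-1 SUMMARY line posted in the thread.
PAGE_SUMMARY='SUMMARY: CVE-2017-5753:OK CVE-2017-5715:KO CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:OK CVE-2023-20593:OK'
sample_dir="$(mktemp -d)"
make_sample_sysfs "$sample_dir"
compare_summary "$PAGE_SUMMARY" "$sample_dir"
rm -rf "$sample_dir"
```

On a live system, omit the second argument so the function reads `/sys/devices/system/cpu/vulnerabilities` directly.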

Define ‘newer’?

This morning’s meltdown-checker run.

It might be helpful to know more about your system than a vague reference to it being old. Please provide system information as described (below).

Regards.


System Information

While information from *-fetch type apps might be fine for someone wishing to buy your computer, for Support purposes it’s better to ask your system directly.

Output of the inxi command with appropriate parameters will achieve this (naturally, formatted according to forum guidelines) and will generally be more useful for those wishing to help:

inxi --filter --verbosity=8

or the short form:

inxi -zv8

For spectre-meltdown-checker, any kernel and kernel update released after August 2023. For spectre-meltdown-checker-git, any kernel and kernel update released after September 2024.

I provide the full log of my spectre-meltdown-checker:

Checking for vulnerabilities on current system
Kernel is Linux 6.12.25-1-MANJARO #1 SMP PREEMPT_DYNAMIC Sat, 26 Apr 2025 05:36:37 +0000 x86_64
CPU is Intel(R) Core™ i5-4590T CPU @ 2.00GHz

Hardware check

  • Hardware support (CPU microcode) for mitigation techniques
    • Indirect Branch Restricted Speculation (IBRS)
      • SPEC_CTRL MSR is available: YES
      • CPU indicates IBRS capability: YES (SPEC_CTRL feature bit)
    • Indirect Branch Prediction Barrier (IBPB)
      • CPU indicates IBPB capability: YES (SPEC_CTRL feature bit)
    • Single Thread Indirect Branch Predictors (STIBP)
      • SPEC_CTRL MSR is available: YES
      • CPU indicates STIBP capability: YES (Intel STIBP feature bit)
    • Speculative Store Bypass Disable (SSBD)
      • CPU indicates SSBD capability: YES (Intel SSBD)
    • L1 data cache invalidation
      • CPU indicates L1D flush capability: YES (L1D flush feature bit)
    • Microarchitectural Data Sampling
      • VERW instruction is available: YES (MD_CLEAR feature bit)
    • Indirect Branch Predictor Controls
      • Indirect Predictor Disable feature is available: NO
      • Bottomless RSB Disable feature is available: NO
      • BHB-Focused Indirect Predictor Disable feature is available: NO
    • Enhanced IBRS (IBRS_ALL)
      • CPU indicates ARCH_CAPABILITIES MSR availability: NO
      • ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
    • CPU explicitly indicates not being affected by Meltdown/L1TF (RDCL_NO): NO
    • CPU explicitly indicates not being affected by Variant 4 (SSB_NO): NO
    • CPU/Hypervisor indicates L1D flushing is not necessary on this system: NO
    • Hypervisor indicates host CPU might be affected by RSB underflow (RSBA): NO
    • CPU explicitly indicates not being affected by Microarchitectural Data Sampling (MDS_NO): NO
    • CPU explicitly indicates not being affected by TSX Asynchronous Abort (TAA_NO): NO
    • CPU explicitly indicates not being affected by iTLB Multihit (PSCHANGE_MSC_NO): NO
    • CPU explicitly indicates having MSR for TSX control (TSX_CTRL_MSR): NO
    • CPU supports Transactional Synchronization Extensions (TSX): NO
    • CPU supports Software Guard Extensions (SGX): NO
    • CPU supports Special Register Buffer Data Sampling (SRBDS): YES
    • CPU microcode is known to cause stability problems: NO (family 0x6 model 0x3c stepping 0x3 ucode 0x28 cpuid 0x306c3)
    • CPU microcode is the latest known available version: YES (latest version is 0x28 dated 2019/11/12 according to builtin firmwares DB v271+i20230614)
  • CPU vulnerability to the speculative execution attack variants
    • Affected by CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES
    • Affected by CVE-2017-5715 (Spectre Variant 2, branch target injection): YES
    • Affected by CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): YES
    • Affected by CVE-2018-3640 (Variant 3a, rogue system register read): YES
    • Affected by CVE-2018-3639 (Variant 4, speculative store bypass): YES
    • Affected by CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO
    • Affected by CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): YES
    • Affected by CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): YES
    • Affected by CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): YES
    • Affected by CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): YES
    • Affected by CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): YES
    • Affected by CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): YES
    • Affected by CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): NO
    • Affected by CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): YES
    • Affected by CVE-2020-0543 (Special Register Buffer Data Sampling (SRBDS)): YES
    • Affected by CVE-2023-20593 (Zenbleed, cross-process information leak): NO

CVE-2017-5753 aka ‘Spectre Variant 1, bounds check bypass’

  • Mitigated according to the /sys interface: YES (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
  • Kernel has array_index_mask_nospec: NO
  • Kernel has the Red Hat/Ubuntu patch: NO
  • Kernel has mask_nospec64 (arm64): NO
  • Kernel has array_index_nospec (arm64): NO
  • Checking count of LFENCE instructions following a jump in kernel… NO (only 25 jump-then-lfence instructions found, should be >= 30 (heuristic))

STATUS: NOT VULNERABLE (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)

CVE-2017-5715 aka ‘Spectre Variant 2, branch target injection’

  • Mitigated according to the /sys interface: YES (Mitigation: Retpolines; IBPB: conditional; IBRS_FW; STIBP: disabled; RSB filling; PBRSB-eIBRS: Not affected; BHI: Not affected)
  • Mitigation 1
    • Kernel is compiled with IBRS support: YES
      • IBRS enabled and active: UNKNOWN
    • Kernel is compiled with IBPB support: YES
      • IBPB enabled and active: YES
  • Mitigation 2
    • Kernel has branch predictor hardening (arm): NO
    • Kernel compiled with retpoline option: NO

STATUS: VULNERABLE (IBRS+IBPB or retpoline+IBPB is needed to mitigate the vulnerability)

CVE-2017-5754 aka ‘Variant 3, Meltdown, rogue data cache load’

  • Mitigated according to the /sys interface: YES (Mitigation: PTI)
  • Kernel supports Page Table Isolation (PTI): YES
    • PTI enabled and active: YES
    • Reduced performance impact of PTI: YES (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
  • Running as a Xen PV DomU: NO

STATUS: NOT VULNERABLE (Mitigation: PTI)

CVE-2018-3640 aka ‘Variant 3a, rogue system register read’

  • CPU microcode mitigates the vulnerability: YES

STATUS: NOT VULNERABLE (your CPU microcode mitigates the vulnerability)

CVE-2018-3639 aka ‘Variant 4, speculative store bypass’

  • Mitigated according to the /sys interface: YES (Mitigation: Speculative Store Bypass disabled via prctl)
  • Kernel supports disabling speculative store bypass (SSB): YES (found in /proc/self/status)
  • SSB mitigation is enabled and active: YES (per-thread through prctl)
  • SSB mitigation currently active for selected processes: NO (no process found using SSB mitigation through prctl)

STATUS: NOT VULNERABLE (Mitigation: Speculative Store Bypass disabled via prctl)

CVE-2018-3615 aka ‘Foreshadow (SGX), L1 terminal fault’

  • CPU microcode mitigates the vulnerability: N/A

STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected)

CVE-2018-3620 aka ‘Foreshadow-NG (OS), L1 terminal fault’

  • Mitigated according to the /sys interface: YES (Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled)
  • Kernel supports PTE inversion: YES (found in kernel image)
  • PTE inversion enabled and active: YES

STATUS: NOT VULNERABLE (Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled)

CVE-2018-3646 aka ‘Foreshadow-NG (VMM), L1 terminal fault’

  • Information from the /sys interface: Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled
  • This system is a host running a hypervisor: NO
  • Mitigation 1 (KVM)
    • EPT is disabled: NO
  • Mitigation 2
    • L1D flush is supported by kernel: YES (found flush_l1d in /proc/cpuinfo)
    • L1D flush enabled: YES (conditional flushes)
    • Hardware-backed L1D flush supported: YES (performance impact of the mitigation will be greatly reduced)
    • Hyper-Threading (SMT) is enabled: NO

STATUS: NOT VULNERABLE (this system is not running a hypervisor)

CVE-2018-12126 aka ‘Fallout, microarchitectural store buffer data sampling (MSBDS)’

  • Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT disabled)
  • Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
  • Kernel mitigation is enabled and active: YES
  • SMT is either mitigated or disabled: YES

STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)

CVE-2018-12130 aka ‘ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)’

  • Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT disabled)
  • Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
  • Kernel mitigation is enabled and active: YES
  • SMT is either mitigated or disabled: YES

STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)

CVE-2018-12127 aka ‘RIDL, microarchitectural load port data sampling (MLPDS)’

  • Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT disabled)
  • Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
  • Kernel mitigation is enabled and active: YES
  • SMT is either mitigated or disabled: YES

STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)

CVE-2019-11091 aka ‘RIDL, microarchitectural data sampling uncacheable memory (MDSUM)’

  • Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT disabled)
  • Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
  • Kernel mitigation is enabled and active: YES
  • SMT is either mitigated or disabled: YES

STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)

CVE-2019-11135 aka ‘ZombieLoad V2, TSX Asynchronous Abort (TAA)’

  • Mitigated according to the /sys interface: YES (Not affected)
  • TAA mitigation is supported by kernel: YES (found tsx_async_abort in kernel image)
  • TAA mitigation enabled and active: NO

STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected)

CVE-2018-12207 aka ‘No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)’

  • Mitigated according to the /sys interface: YES (KVM: Mitigation: Split huge pages)
  • This system is a host running a hypervisor: NO
  • iTLB Multihit mitigation is supported by kernel: YES (found itlb_multihit in kernel image)
  • iTLB Multihit mitigation enabled and active: YES (KVM: Mitigation: Split huge pages)

STATUS: NOT VULNERABLE (this system is not running a hypervisor)

CVE-2020-0543 aka ‘Special Register Buffer Data Sampling (SRBDS)’

  • Mitigated according to the /sys interface: YES (Mitigation: Microcode)
  • SRBDS mitigation control is supported by the kernel: YES (found SRBDS implementation evidence in kernel image. Your kernel is up to date for SRBDS mitigation)
  • SRBDS mitigation control is enabled and active: YES (Mitigation: Microcode)

STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for SRBDS mitigation control. Mitigation is enabled)

CVE-2023-20593 aka ‘Zenbleed, cross-process information leak’

  • Zenbleed mitigation is supported by kernel: YES (found zenbleed message in kernel image)
  • Zenbleed kernel mitigation enabled and active: N/A (CPU is incompatible)
  • Zenbleed mitigation is supported by CPU microcode: NO

STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected)

SUMMARY: CVE-2017-5753:OK CVE-2017-5715:KO CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:OK CVE-2023-20593:OK

Some data about my system:

CPU: Info: model: Intel Core i5-4590T
Kernel: 6.12.25-1-MANJARO arch: x86_64 bits: 64 compiler: gcc v: 14.2.1
Desktop: Xfce v: 4.20.1 tk: Gtk v: 3.24.48 wm: xfwm4 v: 4.20.0
with: xfce4-panel tools: light-locker vt: 7 dm: LightDM v: 1.32.0
Distro: Manjaro

merlock, thank you for your log. If you look at the CVE-2017-5715 part, I see that you have

IBRS enabled and active: YES (while I have IBRS enabled and active: UNKNOWN)
Kernel compiled with retpoline option: YES (while I have Kernel compiled with retpoline option: NO)

Could this be the case?

@Aragorn: Gotcha, thanks.

@andrey000999: Do you have (booting) kernel flags set? Are you running a self-compiled kernel?

My only thought would be to re-install that particular kernel, and re-test.

1 Like

I use the kernel that comes with Manjaro. I don’t use any special flags when booting.

Please, output from the inxi command is potentially far more useful. Please post it as requested.

Regards.

Yes, sure.

inxi -zv8:

System:
  Kernel: 6.12.25-1-MANJARO arch: x86_64 bits: 64 compiler: gcc v: 14.2.1
    clocksource: tsc avail: hpet,acpi_pm
    parameters: BOOT_IMAGE=/boot/vmlinuz-6.12-x86_64
    root=UUID=... rw quiet
    cryptdevice=UUID=...:luks-...:allow-discards
    root=/dev/mapper/luks-... apparmor=1
    security=apparmor udev.log_priority=3 rd.luks.options=discard
  Desktop: Xfce v: 4.20.1 tk: Gtk v: 3.24.48 wm: xfwm4 v: 4.20.0
    with: xfce4-panel tools: light-locker vt: 7 dm: LightDM v: 1.32.0
    Distro: Manjaro base: Arch Linux
Machine:
  Type: Desktop Mobo: MSI model: Z97 GAMING 3 (MS-7918) v: 1.0
    serial: <superuser required> uuid: <superuser required>
    UEFI-[Legacy]: American Megatrends v: 2.6 date: 12/24/2014
Battery:
  Message: No system battery data found. Is one present?
Memory:
  System RAM: total: 16 GiB available: 15.32 GiB used: 4.24 GiB (27.7%)
  Message: For most reliable report, use superuser + dmidecode.
  Array-1: capacity: 32 GiB slots: 4 modules: 2 EC: None
    max-module-size: 8 GiB note: est.
  Device-1: ChannelA-DIMM0 type: no module installed
  Device-2: ChannelA-DIMM1 type: DDR3 detail: synchronous size: 8 GiB speed:
    spec: 1600 MT/s actual: 1333 MT/s volts: curr: 2 min: 2 max: 2 width (bits):
    data: 64 total: 64 manufacturer: Kingston part-no: KHX1600C10D3/8GX
    serial: <filter>
  Device-3: ChannelB-DIMM0 type: no module installed
  Device-4: ChannelB-DIMM1 type: DDR3 detail: synchronous size: 8 GiB speed:
    spec: 1600 MT/s actual: 1333 MT/s volts: curr: 2 min: 2 max: 2 width (bits):
    data: 64 total: 64 manufacturer: Kingston part-no: KHX1600C10D3/8GX
    serial: <filter>
PCI Slots:
  Permissions: Unable to run dmidecode. Root privileges required.
CPU:
  Info: model: Intel Core i5-4590T bits: 64 type: MCP arch: Haswell
    gen: core 4 level: v3 note: check built: 2013-15 process: Intel 22nm
    family: 6 model-id: 0x3C (60) stepping: 3 microcode: 0x28
  Topology: cpus: 1x dies: 1 clusters: 4 cores: 4 smt: <unsupported> cache:
    L1: 256 KiB desc: d-4x32 KiB; i-4x32 KiB L2: 1024 KiB desc: 4x256 KiB
    L3: 6 MiB desc: 1x6 MiB
  Speed (MHz): avg: 800 min/max: 800/3000 scaling: driver: intel_cpufreq
    governor: schedutil cores: 1: 800 2: 800 3: 800 4: 800 bogomips: 16006
  Flags: abm acpi aes aperfmperf apic arat arch_perfmon avx avx2 bmi1 bmi2
    bts clflush cmov constant_tsc cpuid cpuid_fault cx16 cx8 de ds_cpl dtes64
    dtherm dts ept ept_ad erms est f16c flexpriority flush_l1d fma fpu
    fsgsbase fxsr ht ibpb ibrs ida invpcid lahf_lm lm mca mce md_clear mmx
    monitor movbe msr mtrr nonstop_tsc nopl nx pae pat pbe pcid pclmulqdq
    pdcm pdpe1gb pebs pge pln pni popcnt pse pse36 pti pts rdrand rdtscp
    rep_good sdbg sep smep smx ss ssbd sse sse2 sse4_1 sse4_2 ssse3 stibp
    syscall tm tm2 tpr_shadow tsc tsc_adjust tsc_deadline_timer vme vmx vnmi
    vpid x2apic xsave xsaveopt xtopology xtpr
  Vulnerabilities:
  Type: gather_data_sampling status: Not affected
  Type: itlb_multihit status: KVM: Split huge pages
  Type: l1tf mitigation: PTE Inversion; VMX: conditional cache flushes, SMT
    disabled
  Type: mds mitigation: Clear CPU buffers; SMT disabled
  Type: meltdown mitigation: PTI
  Type: mmio_stale_data status: Unknown: No mitigations
  Type: reg_file_data_sampling status: Not affected
  Type: retbleed status: Not affected
  Type: spec_rstack_overflow status: Not affected
  Type: spec_store_bypass mitigation: Speculative Store Bypass disabled via
    prctl
  Type: spectre_v1 mitigation: usercopy/swapgs barriers and __user pointer
    sanitization
  Type: spectre_v2 mitigation: Retpolines; IBPB: conditional; IBRS_FW;
    STIBP: disabled; RSB filling; PBRSB-eIBRS: Not affected; BHI: Not
    affected
  Type: srbds mitigation: Microcode
  Type: tsx_async_abort status: Not affected
Graphics:
  Device-1: Intel Xeon E3-1200 v3/4th Gen Core Processor Integrated Graphics
    vendor: Micro-Star MSI driver: i915 v: kernel arch: Gen-7.5
    process: Intel 22nm built: 2013 ports: active: HDMI-A-1 empty: DP-1,
    HDMI-A-2, HDMI-A-3, VGA-1 bus-ID: 00:02.0 chip-ID: 8086:0412
    class-ID: 0300
  Display: x11 server: X.Org v: 21.1.16 compositor: xfwm4 v: 4.20.0 driver:
    X: loaded: modesetting alternate: fbdev,vesa dri: crocus gpu: i915
    display-ID: :0.0 screens: 1
  Screen-1: 0 s-res: 1920x1080 s-dpi: 96 s-size: 509x286mm (20.04x11.26")
    s-diag: 584mm (22.99") monitors: <missing: xrandr>
  Monitor-1: HDMI-A-1 model: Philips PHL 221B7Q serial: <filter> built: 2016
    res: 1920x1080 dpi: 102 gamma: 1.2 chroma: red: x: 0.655 y: 0.337 green:
    x: 0.325 y: 0.612 blue: x: 0.153 y: 0.063 white: x: 0.314 y: 0.329
    size: 476x268mm (18.74x10.55") diag: 546mm (21.5") ratio: 16:9
    modes: 1920x1080, 1920x1080i, 1680x1050, 1280x1024, 1440x900, 1280x960,
    1280x720, 1024x768, 832x624, 800x600, 720x576, 720x480, 640x480, 720x400
  API: Vulkan Message: No Vulkan data available.
  API: OpenGL Message: Unable to show GL data. glxinfo is missing.
  Info: Tools: api: vulkaninfo de: xfce4-display-settings
    x11: xdpyinfo,xprop
Audio:
  Device-1: Intel Xeon E3-1200 v3/4th Gen Core Processor HD Audio
    vendor: Micro-Star MSI driver: snd_hda_intel v: kernel bus-ID: 00:03.0
    chip-ID: 8086:0c0c class-ID: 0403
  Device-2: Intel 9 Series Family HD Audio vendor: Micro-Star MSI
    driver: snd_hda_intel v: kernel bus-ID: 00:1b.0 chip-ID: 8086:8ca0
    class-ID: 0403
  API: ALSA v: k6.12.25-1-MANJARO status: kernel-api with: aoss
    type: oss-emulator tools: alsactl,alsamixer,amixer
  Server-1: JACK v: 1.9.22 status: off tools: N/A
  Server-2: PipeWire v: 1.4.2 status: off tools: pw-cli
  Server-3: PulseAudio v: 17.0-43-g3e2bb status: active with:
    1: pulseaudio-alsa type: plugin 2: pulseaudio-jack type: module
    tools: pacat,pactl,pavucontrol
Network:
  Device-1: Qualcomm Atheros Killer E220x Gigabit Ethernet
    vendor: Micro-Star MSI driver: alx v: kernel pcie: gen: 1 speed: 2.5 GT/s
    lanes: 1 port: e000 bus-ID: 03:00.0 chip-ID: 1969:e091 class-ID: 0200
  IF: enp3s0 state: up speed: 1000 Mbps duplex: full mac: <filter>
  IP v4: <filter> type: dynamic noprefixroute scope: global
    broadcast: <filter>
  IP v6: <filter> type: noprefixroute scope: link
  Info: services: NetworkManager,systemd-timesyncd
  WAN IP: <filter>
Bluetooth:
  Message: No bluetooth data found.
Logical:
 ...
RAID:
  Message: No RAID data found.
Drives:
...
Partition:
...
Swap:
  Alert: No swap data was found.
Unmounted:
  Message: No unmounted partitions found.
USB:
...
Sensors:
  System Temperatures: cpu: 39.0 C mobo: N/A
  Fan Speeds (rpm): N/A
Repos:
  Packages: 1311 pm: pacman pkgs: 1302 libs: 411 tools: pamac pm: flatpak
    pkgs: 9
  Active pacman repo servers in: /etc/pacman.d/mirrorlist
    1: https://mirror.raiolanetworks.com/manjaro/stable/$repo/$arch
    2: https://ftpmirror1.infania.net/mirror/manjaro/stable/$repo/$arch
    3: https://manjaro.ynh.ovh/stable/$repo/$arch
    4: https://mirror.hostiko.network/manjaro/stable/$repo/$arch
    5: https://ask4.mm.fcix.net/manjaro/stable/$repo/$arch
    6: https://mirror.easyname.at/manjaro/stable/$repo/$arch
    7: https://mirror.futureweb.be/manjaro/stable/$repo/$arch
    8: https://mirror.23m.com/manjaro/stable/$repo/$arch
    9: https://mirror.alwyzon.net/manjaro/stable/$repo/$arch
    10: https://manjaro.ipacct.com/manjaro/stable/$repo/$arch
    11: https://manjaro.mirrors.lavatech.top/stable/$repo/$arch
    12: https://mirror.init7.net/manjaro/stable/$repo/$arch
    13: https://ftp.lysator.liu.se/pub/manjaro/stable/$repo/$arch
    14: https://ftp.gwdg.de/pub/linux/manjaro/stable/$repo/$arch
    15: https://manjaro.kurdy.org/stable/$repo/$arch
    16: https://mirrors.dotsrc.org/manjaro/stable/$repo/$arch
    17: https://mirrors.up.pt/pub/manjaro/stable/$repo/$arch
    18: https://mirror.alpix.eu/manjaro/stable/$repo/$arch

Info:
  Processes: 217 Power: uptime: 3h 2m states: freeze,mem,disk suspend: deep
    avail: s2idle wakeups: 0 hibernate: platform avail: shutdown, reboot,
    suspend, test_resume image: 6.12 GiB services: upowerd,xfce4-power-manager
    Init: systemd v: 257 default: graphical tool: systemctl
  Compilers: gcc: 14.2.1 Shell: Bash v: 5.2.37 running-in: xfce4-terminal
    inxi: 3.3.38

Mod edit:- Edited command output as preformatted text for better readability.
No charge.

I have done some more tests on different kernels and would like to share the result. I can assume that Kernel compiled with retpoline option: YES plays a role in determining whether my system is vulnerable to CVE-2017-5715 in the spectre-meltdown-checker application. If I get the value YES, then the program defines this threat as “NOT VULNERABLE” (This is just my observation).

6.14.4-1-MANJARO
inxi fast

Summary

CPU: quad core Intel Core i5-4590T (-MCP-) speed/min/max: 800/800/3000 MHz
Kernel: 6.14.4-1-MANJARO x86_64 Up: 0m Mem: 1.04/15.32 GiB (6.8%)
Storage: 1.78 TiB (60.3% used) Procs: 226 Shell: Bash inxi: 3.3.38

spectre-meltdown-checker

CVE-2017-5715 aka ‘Spectre Variant 2, branch target injection’

  • Mitigated according to the /sys interface: YES (Mitigation: Retpolines; IBPB: conditional; IBRS_FW; STIBP: disabled; RSB filling; PBRSB-eIBRS: Not affected; BHI: Not affected)
  • Mitigation 1
    • Kernel is compiled with IBRS support: YES
      • IBRS enabled and active: UNKNOWN
    • Kernel is compiled with IBPB support: YES
      • IBPB enabled and active: YES
  • Mitigation 2
    • Kernel has branch predictor hardening (arm): NO
    • Kernel compiled with retpoline option: NO

STATUS: VULNERABLE (IBRS+IBPB or retpoline+IBPB is needed to mitigate the vulnerability)

full log

Spectre and Meltdown mitigation detection tool v0.46

Checking for vulnerabilities on current system
Kernel is Linux 6.14.4-1-MANJARO #1 SMP PREEMPT_DYNAMIC Sat, 26 Apr 2025 05:52:09 +0000 x86_64
CPU is Intel(R) Core™ i5-4590T CPU @ 2.00GHz

Hardware check

  • Hardware support (CPU microcode) for mitigation techniques
    • Indirect Branch Restricted Speculation (IBRS)
      • SPEC_CTRL MSR is available: YES
      • CPU indicates IBRS capability: YES (SPEC_CTRL feature bit)
    • Indirect Branch Prediction Barrier (IBPB)
      • CPU indicates IBPB capability: YES (SPEC_CTRL feature bit)
    • Single Thread Indirect Branch Predictors (STIBP)
      • SPEC_CTRL MSR is available: YES
      • CPU indicates STIBP capability: YES (Intel STIBP feature bit)
    • Speculative Store Bypass Disable (SSBD)
      • CPU indicates SSBD capability: YES (Intel SSBD)
    • L1 data cache invalidation
      • CPU indicates L1D flush capability: YES (L1D flush feature bit)
    • Microarchitectural Data Sampling
      • VERW instruction is available: YES (MD_CLEAR feature bit)
    • Indirect Branch Predictor Controls
      • Indirect Predictor Disable feature is available: NO
      • Bottomless RSB Disable feature is available: NO
      • BHB-Focused Indirect Predictor Disable feature is available: NO
    • Enhanced IBRS (IBRS_ALL)
      • CPU indicates ARCH_CAPABILITIES MSR availability: NO
      • ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
    • CPU explicitly indicates not being affected by Meltdown/L1TF (RDCL_NO): NO
    • CPU explicitly indicates not being affected by Variant 4 (SSB_NO): NO
    • CPU/Hypervisor indicates L1D flushing is not necessary on this system: NO
    • Hypervisor indicates host CPU might be affected by RSB underflow (RSBA): NO
    • CPU explicitly indicates not being affected by Microarchitectural Data Sampling (MDS_NO): NO
    • CPU explicitly indicates not being affected by TSX Asynchronous Abort (TAA_NO): NO
    • CPU explicitly indicates not being affected by iTLB Multihit (PSCHANGE_MSC_NO): NO
    • CPU explicitly indicates having MSR for TSX control (TSX_CTRL_MSR): NO
    • CPU supports Transactional Synchronization Extensions (TSX): NO
    • CPU supports Software Guard Extensions (SGX): NO
    • CPU supports Special Register Buffer Data Sampling (SRBDS): YES
    • CPU microcode is known to cause stability problems: NO (family 0x6 model 0x3c stepping 0x3 ucode 0x28 cpuid 0x306c3)
    • CPU microcode is the latest known available version: YES (latest version is 0x28 dated 2019/11/12 according to builtin firmwares DB v271+i20230614)
  • CPU vulnerability to the speculative execution attack variants
    • Affected by CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES
    • Affected by CVE-2017-5715 (Spectre Variant 2, branch target injection): YES
    • Affected by CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): YES
    • Affected by CVE-2018-3640 (Variant 3a, rogue system register read): YES
    • Affected by CVE-2018-3639 (Variant 4, speculative store bypass): YES
    • Affected by CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO
    • Affected by CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): YES
    • Affected by CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): YES
    • Affected by CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): YES
    • Affected by CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): YES
    • Affected by CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): YES
    • Affected by CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): YES
    • Affected by CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): NO
    • Affected by CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): YES
    • Affected by CVE-2020-0543 (Special Register Buffer Data Sampling (SRBDS)): YES
    • Affected by CVE-2023-20593 (Zenbleed, cross-process information leak): NO

CVE-2017-5753 aka ‘Spectre Variant 1, bounds check bypass’

  • Mitigated according to the /sys interface: YES (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
  • Kernel has array_index_mask_nospec: NO
  • Kernel has the Red Hat/Ubuntu patch: NO
  • Kernel has mask_nospec64 (arm64): NO
  • Kernel has array_index_nospec (arm64): NO
  • Checking count of LFENCE instructions following a jump in kernel… NO (only 24 jump-then-lfence instructions found, should be >= 30 (heuristic))

STATUS: NOT VULNERABLE (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)

CVE-2017-5715 aka ‘Spectre Variant 2, branch target injection’

  • Mitigated according to the /sys interface: YES (Mitigation: Retpolines; IBPB: conditional; IBRS_FW; STIBP: disabled; RSB filling; PBRSB-eIBRS: Not affected; BHI: Not affected)
  • Mitigation 1
    • Kernel is compiled with IBRS support: YES
      • IBRS enabled and active: UNKNOWN
    • Kernel is compiled with IBPB support: YES
      • IBPB enabled and active: YES
  • Mitigation 2
    • Kernel has branch predictor hardening (arm): NO
    • Kernel compiled with retpoline option: NO

STATUS: VULNERABLE (IBRS+IBPB or retpoline+IBPB is needed to mitigate the vulnerability)

CVE-2017-5754 aka ‘Variant 3, Meltdown, rogue data cache load’

  • Mitigated according to the /sys interface: YES (Mitigation: PTI)
  • Kernel supports Page Table Isolation (PTI): YES
    • PTI enabled and active: YES
    • Reduced performance impact of PTI: YES (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
  • Running as a Xen PV DomU: NO

STATUS: NOT VULNERABLE (Mitigation: PTI)

CVE-2018-3640 aka ‘Variant 3a, rogue system register read’

  • CPU microcode mitigates the vulnerability: YES

STATUS: NOT VULNERABLE (your CPU microcode mitigates the vulnerability)

CVE-2018-3639 aka ‘Variant 4, speculative store bypass’

  • Mitigated according to the /sys interface: YES (Mitigation: Speculative Store Bypass disabled via prctl)
  • Kernel supports disabling speculative store bypass (SSB): YES (found in /proc/self/status)
  • SSB mitigation is enabled and active: YES (per-thread through prctl)
  • SSB mitigation currently active for selected processes: NO (no process found using SSB mitigation through prctl)

STATUS: NOT VULNERABLE (Mitigation: Speculative Store Bypass disabled via prctl)

CVE-2018-3615 aka ‘Foreshadow (SGX), L1 terminal fault’

  • CPU microcode mitigates the vulnerability: N/A

STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected)

CVE-2018-3620 aka ‘Foreshadow-NG (OS), L1 terminal fault’

  • Mitigated according to the /sys interface: YES (Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled)
  • Kernel supports PTE inversion: YES (found in kernel image)
  • PTE inversion enabled and active: YES

STATUS: NOT VULNERABLE (Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled)

CVE-2018-3646 aka ‘Foreshadow-NG (VMM), L1 terminal fault’

  • Information from the /sys interface: Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled
  • This system is a host running a hypervisor: NO
  • Mitigation 1 (KVM)
    • EPT is disabled: NO
  • Mitigation 2
    • L1D flush is supported by kernel: YES (found flush_l1d in /proc/cpuinfo)
    • L1D flush enabled: YES (conditional flushes)
    • Hardware-backed L1D flush supported: YES (performance impact of the mitigation will be greatly reduced)
    • Hyper-Threading (SMT) is enabled: NO

STATUS: NOT VULNERABLE (this system is not running a hypervisor)

CVE-2018-12126 aka ‘Fallout, microarchitectural store buffer data sampling (MSBDS)’

  • Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT disabled)
  • Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
  • Kernel mitigation is enabled and active: YES
  • SMT is either mitigated or disabled: YES

STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)

CVE-2018-12130 aka ‘ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)’

  • Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT disabled)
  • Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
  • Kernel mitigation is enabled and active: YES
  • SMT is either mitigated or disabled: YES

STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)

CVE-2018-12127 aka ‘RIDL, microarchitectural load port data sampling (MLPDS)’

  • Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT disabled)
  • Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
  • Kernel mitigation is enabled and active: YES
  • SMT is either mitigated or disabled: YES

STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)

CVE-2019-11091 aka ‘RIDL, microarchitectural data sampling uncacheable memory (MDSUM)’

  • Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT disabled)
  • Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
  • Kernel mitigation is enabled and active: YES
  • SMT is either mitigated or disabled: YES

STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)

CVE-2019-11135 aka ‘ZombieLoad V2, TSX Asynchronous Abort (TAA)’

  • Mitigated according to the /sys interface: YES (Not affected)
  • TAA mitigation is supported by kernel: YES (found tsx_async_abort in kernel image)
  • TAA mitigation enabled and active: NO

STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected)

CVE-2018-12207 aka ‘No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)’

  • Mitigated according to the /sys interface: YES (KVM: Mitigation: Split huge pages)
  • This system is a host running a hypervisor: NO
  • iTLB Multihit mitigation is supported by kernel: YES (found itlb_multihit in kernel image)
  • iTLB Multihit mitigation enabled and active: YES (KVM: Mitigation: Split huge pages)

STATUS: NOT VULNERABLE (this system is not running a hypervisor)

CVE-2020-0543 aka ‘Special Register Buffer Data Sampling (SRBDS)’

  • Mitigated according to the /sys interface: YES (Mitigation: Microcode)
  • SRBDS mitigation control is supported by the kernel: YES (found SRBDS implementation evidence in kernel image. Your kernel is up to date for SRBDS mitigation)
  • SRBDS mitigation control is enabled and active: YES (Mitigation: Microcode)

STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for SRBDS mitigation control. Mitigation is enabled)

CVE-2023-20593 aka ‘Zenbleed, cross-process information leak’

  • Zenbleed mitigation is supported by kernel: YES (found zenbleed message in kernel image)
  • Zenbleed kernel mitigation enabled and active: N/A (CPU is incompatible)
  • Zenbleed mitigation is supported by CPU microcode: NO

STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected)

SUMMARY: CVE-2017-5753:OK CVE-2017-5715:KO CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:OK CVE-2023-20593:OK

6.15.0-rc3-2-MANJARO

inxi fast

CPU: quad core Intel Core i5-4590T (-MCP-) speed/min/max: 800/800/3000 MHz
Kernel: 6.15.0-rc3-2-MANJARO x86_64 Up: 0m Mem: 1018 MiB/15.32 GiB (6.5%)
Storage: 1.78 TiB (60.4% used) Procs: 226 Shell: Bash inxi: 3.3.38

CVE-2017-5715 aka ‘Spectre Variant 2, branch target injection’

  • Mitigated according to the /sys interface: YES (Mitigation: Retpolines; IBPB: conditional; IBRS_FW; STIBP: disabled; RSB filling; PBRSB-eIBRS: Not affected; BHI: Not affected)
  • Mitigation 1
    • Kernel is compiled with IBRS support: YES
      • IBRS enabled and active: UNKNOWN
    • Kernel is compiled with IBPB support: YES
      • IBPB enabled and active: YES
  • Mitigation 2
    • Kernel has branch predictor hardening (arm): NO
    • Kernel compiled with retpoline option: NO

STATUS: VULNERABLE (IBRS+IBPB or retpoline+IBPB is needed to mitigate the vulnerability)

full log

Spectre and Meltdown mitigation detection tool v0.46

Checking for vulnerabilities on current system
Kernel is Linux 6.15.0-rc3-2-MANJARO #1 SMP PREEMPT_DYNAMIC Fri, 25 Apr 2025 05:50:40 +0000 x86_64
CPU is Intel(R) Core™ i5-4590T CPU @ 2.00GHz

Hardware check

  • Hardware support (CPU microcode) for mitigation techniques
    • Indirect Branch Restricted Speculation (IBRS)
      • SPEC_CTRL MSR is available: YES
      • CPU indicates IBRS capability: YES (SPEC_CTRL feature bit)
    • Indirect Branch Prediction Barrier (IBPB)
      • CPU indicates IBPB capability: YES (SPEC_CTRL feature bit)
    • Single Thread Indirect Branch Predictors (STIBP)
      • SPEC_CTRL MSR is available: YES
      • CPU indicates STIBP capability: YES (Intel STIBP feature bit)
    • Speculative Store Bypass Disable (SSBD)
      • CPU indicates SSBD capability: YES (Intel SSBD)
    • L1 data cache invalidation
      • CPU indicates L1D flush capability: YES (L1D flush feature bit)
    • Microarchitectural Data Sampling
      • VERW instruction is available: YES (MD_CLEAR feature bit)
    • Indirect Branch Predictor Controls
      • Indirect Predictor Disable feature is available: NO
      • Bottomless RSB Disable feature is available: NO
      • BHB-Focused Indirect Predictor Disable feature is available: NO
    • Enhanced IBRS (IBRS_ALL)
      • CPU indicates ARCH_CAPABILITIES MSR availability: NO
      • ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
    • CPU explicitly indicates not being affected by Meltdown/L1TF (RDCL_NO): NO
    • CPU explicitly indicates not being affected by Variant 4 (SSB_NO): NO
    • CPU/Hypervisor indicates L1D flushing is not necessary on this system: NO
    • Hypervisor indicates host CPU might be affected by RSB underflow (RSBA): NO
    • CPU explicitly indicates not being affected by Microarchitectural Data Sampling (MDS_NO): NO
    • CPU explicitly indicates not being affected by TSX Asynchronous Abort (TAA_NO): NO
    • CPU explicitly indicates not being affected by iTLB Multihit (PSCHANGE_MSC_NO): NO
    • CPU explicitly indicates having MSR for TSX control (TSX_CTRL_MSR): NO
    • CPU supports Transactional Synchronization Extensions (TSX): NO
    • CPU supports Software Guard Extensions (SGX): NO
    • CPU supports Special Register Buffer Data Sampling (SRBDS): YES
    • CPU microcode is known to cause stability problems: NO (family 0x6 model 0x3c stepping 0x3 ucode 0x28 cpuid 0x306c3)
    • CPU microcode is the latest known available version: YES (latest version is 0x28 dated 2019/11/12 according to builtin firmwares DB v271+i20230614)
  • CPU vulnerability to the speculative execution attack variants
    • Affected by CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES
    • Affected by CVE-2017-5715 (Spectre Variant 2, branch target injection): YES
    • Affected by CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): YES
    • Affected by CVE-2018-3640 (Variant 3a, rogue system register read): YES
    • Affected by CVE-2018-3639 (Variant 4, speculative store bypass): YES
    • Affected by CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO
    • Affected by CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): YES
    • Affected by CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): YES
    • Affected by CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): YES
    • Affected by CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): YES
    • Affected by CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): YES
    • Affected by CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): YES
    • Affected by CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): NO
    • Affected by CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): YES
    • Affected by CVE-2020-0543 (Special Register Buffer Data Sampling (SRBDS)): YES
    • Affected by CVE-2023-20593 (Zenbleed, cross-process information leak): NO

CVE-2017-5753 aka ‘Spectre Variant 1, bounds check bypass’

  • Mitigated according to the /sys interface: YES (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
  • Kernel has array_index_mask_nospec: NO
  • Kernel has the Red Hat/Ubuntu patch: NO
  • Kernel has mask_nospec64 (arm64): NO
  • Kernel has array_index_nospec (arm64): NO
  • Checking count of LFENCE instructions following a jump in kernel… NO (only 24 jump-then-lfence instructions found, should be >= 30 (heuristic))

STATUS: NOT VULNERABLE (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)

CVE-2017-5715 aka ‘Spectre Variant 2, branch target injection’

  • Mitigated according to the /sys interface: YES (Mitigation: Retpolines; IBPB: conditional; IBRS_FW; STIBP: disabled; RSB filling; PBRSB-eIBRS: Not affected; BHI: Not affected)
  • Mitigation 1
    • Kernel is compiled with IBRS support: YES
      • IBRS enabled and active: UNKNOWN
    • Kernel is compiled with IBPB support: YES
      • IBPB enabled and active: YES
  • Mitigation 2
    • Kernel has branch predictor hardening (arm): NO
    • Kernel compiled with retpoline option: NO

STATUS: VULNERABLE (IBRS+IBPB or retpoline+IBPB is needed to mitigate the vulnerability)

CVE-2017-5754 aka ‘Variant 3, Meltdown, rogue data cache load’

  • Mitigated according to the /sys interface: YES (Mitigation: PTI)
  • Kernel supports Page Table Isolation (PTI): YES
    • PTI enabled and active: YES
    • Reduced performance impact of PTI: YES (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
  • Running as a Xen PV DomU: NO

STATUS: NOT VULNERABLE (Mitigation: PTI)

CVE-2018-3640 aka ‘Variant 3a, rogue system register read’

  • CPU microcode mitigates the vulnerability: YES

STATUS: NOT VULNERABLE (your CPU microcode mitigates the vulnerability)

CVE-2018-3639 aka ‘Variant 4, speculative store bypass’

  • Mitigated according to the /sys interface: YES (Mitigation: Speculative Store Bypass disabled via prctl)
  • Kernel supports disabling speculative store bypass (SSB): YES (found in /proc/self/status)
  • SSB mitigation is enabled and active: YES (per-thread through prctl)
  • SSB mitigation currently active for selected processes: NO (no process found using SSB mitigation through prctl)

STATUS: NOT VULNERABLE (Mitigation: Speculative Store Bypass disabled via prctl)

CVE-2018-3615 aka ‘Foreshadow (SGX), L1 terminal fault’

  • CPU microcode mitigates the vulnerability: N/A

STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected)

CVE-2018-3620 aka ‘Foreshadow-NG (OS), L1 terminal fault’

  • Mitigated according to the /sys interface: YES (Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled)
  • Kernel supports PTE inversion: YES (found in kernel image)
  • PTE inversion enabled and active: YES

STATUS: NOT VULNERABLE (Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled)

CVE-2018-3646 aka ‘Foreshadow-NG (VMM), L1 terminal fault’

  • Information from the /sys interface: Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled
  • This system is a host running a hypervisor: NO
  • Mitigation 1 (KVM)
    • EPT is disabled: NO
  • Mitigation 2
    • L1D flush is supported by kernel: YES (found flush_l1d in /proc/cpuinfo)
    • L1D flush enabled: YES (conditional flushes)
    • Hardware-backed L1D flush supported: YES (performance impact of the mitigation will be greatly reduced)
    • Hyper-Threading (SMT) is enabled: NO

STATUS: NOT VULNERABLE (this system is not running a hypervisor)

CVE-2018-12126 aka ‘Fallout, microarchitectural store buffer data sampling (MSBDS)’

  • Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT disabled)
  • Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
  • Kernel mitigation is enabled and active: YES
  • SMT is either mitigated or disabled: YES

STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)

CVE-2018-12130 aka ‘ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)’

  • Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT disabled)
  • Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
  • Kernel mitigation is enabled and active: YES
  • SMT is either mitigated or disabled: YES

STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)

CVE-2018-12127 aka ‘RIDL, microarchitectural load port data sampling (MLPDS)’

  • Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT disabled)
  • Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
  • Kernel mitigation is enabled and active: YES
  • SMT is either mitigated or disabled: YES

STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)

CVE-2019-11091 aka ‘RIDL, microarchitectural data sampling uncacheable memory (MDSUM)’

  • Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT disabled)
  • Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
  • Kernel mitigation is enabled and active: YES
  • SMT is either mitigated or disabled: YES

STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)

CVE-2019-11135 aka ‘ZombieLoad V2, TSX Asynchronous Abort (TAA)’

  • Mitigated according to the /sys interface: YES (Not affected)
  • TAA mitigation is supported by kernel: YES (found tsx_async_abort in kernel image)
  • TAA mitigation enabled and active: NO

STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected)

CVE-2018-12207 aka ‘No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)’

  • Mitigated according to the /sys interface: YES (KVM: Mitigation: Split huge pages)
  • This system is a host running a hypervisor: NO
  • iTLB Multihit mitigation is supported by kernel: YES (found itlb_multihit in kernel image)
  • iTLB Multihit mitigation enabled and active: YES (KVM: Mitigation: Split huge pages)

STATUS: NOT VULNERABLE (this system is not running a hypervisor)

CVE-2020-0543 aka ‘Special Register Buffer Data Sampling (SRBDS)’

  • Mitigated according to the /sys interface: YES (Mitigation: Microcode)
  • SRBDS mitigation control is supported by the kernel: YES (found SRBDS implementation evidence in kernel image. Your kernel is up to date for SRBDS mitigation)
  • SRBDS mitigation control is enabled and active: YES (Mitigation: Microcode)

STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for SRBDS mitigation control. Mitigation is enabled)

CVE-2023-20593 aka ‘Zenbleed, cross-process information leak’

  • Zenbleed mitigation is supported by kernel: YES (found zenbleed message in kernel image)
  • Zenbleed kernel mitigation enabled and active: N/A (CPU is incompatible)
  • Zenbleed mitigation is supported by CPU microcode: NO

STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected)

SUMMARY: CVE-2017-5753:OK CVE-2017-5715:KO CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:OK CVE-2023-20593:OK

And here, on this core, I get the result as safe.
Kernel compiled with retpoline option: YES

6.6.88-1-MANJARO

inxi fast

CPU: quad core Intel Core i5-4590T (-MCP-) speed/min/max: 800/800/3000 MHz
Kernel: 6.6.88-1-MANJARO x86_64 Up: 0m Mem: 1.12/15.33 GiB (7.3%)
Storage: 1.78 TiB (60.4% used) Procs: 226 Shell: Bash inxi: 3.3.38

CVE-2017-5715 aka ‘Spectre Variant 2, branch target injection’

  • Mitigated according to the /sys interface: YES (Mitigation: Retpolines; IBPB: conditional; IBRS_FW; STIBP: disabled; RSB filling; PBRSB-eIBRS: Not affected; BHI: Not affected)
  • Mitigation 1
    • Kernel is compiled with IBRS support: YES
      • IBRS enabled and active: UNKNOWN
    • Kernel is compiled with IBPB support: YES
      • IBPB enabled and active: YES
  • Mitigation 2
    • Kernel has branch predictor hardening (arm): NO
    • Kernel compiled with retpoline option: YES
      • Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)

STATUS: NOT VULNERABLE (Full retpoline + IBPB are mitigating the vulnerability)

full log

Spectre and Meltdown mitigation detection tool v0.46

Checking for vulnerabilities on current system
Kernel is Linux 6.6.88-1-MANJARO #1 SMP PREEMPT_DYNAMIC Sat Apr 26 06:59:32 UTC 2025 x86_64
CPU is Intel(R) Core™ i5-4590T CPU @ 2.00GHz

Hardware check

  • Hardware support (CPU microcode) for mitigation techniques
    • Indirect Branch Restricted Speculation (IBRS)
      • SPEC_CTRL MSR is available: YES
      • CPU indicates IBRS capability: YES (SPEC_CTRL feature bit)
    • Indirect Branch Prediction Barrier (IBPB)
      • CPU indicates IBPB capability: YES (SPEC_CTRL feature bit)
    • Single Thread Indirect Branch Predictors (STIBP)
      • SPEC_CTRL MSR is available: YES
      • CPU indicates STIBP capability: YES (Intel STIBP feature bit)
    • Speculative Store Bypass Disable (SSBD)
      • CPU indicates SSBD capability: YES (Intel SSBD)
    • L1 data cache invalidation
      • CPU indicates L1D flush capability: YES (L1D flush feature bit)
    • Microarchitectural Data Sampling
      • VERW instruction is available: YES (MD_CLEAR feature bit)
    • Indirect Branch Predictor Controls
      • Indirect Predictor Disable feature is available: NO
      • Bottomless RSB Disable feature is available: NO
      • BHB-Focused Indirect Predictor Disable feature is available: NO
    • Enhanced IBRS (IBRS_ALL)
      • CPU indicates ARCH_CAPABILITIES MSR availability: NO
      • ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
    • CPU explicitly indicates not being affected by Meltdown/L1TF (RDCL_NO): NO
    • CPU explicitly indicates not being affected by Variant 4 (SSB_NO): NO
    • CPU/Hypervisor indicates L1D flushing is not necessary on this system: NO
    • Hypervisor indicates host CPU might be affected by RSB underflow (RSBA): NO
    • CPU explicitly indicates not being affected by Microarchitectural Data Sampling (MDS_NO): NO
    • CPU explicitly indicates not being affected by TSX Asynchronous Abort (TAA_NO): NO
    • CPU explicitly indicates not being affected by iTLB Multihit (PSCHANGE_MSC_NO): NO
    • CPU explicitly indicates having MSR for TSX control (TSX_CTRL_MSR): NO
    • CPU supports Transactional Synchronization Extensions (TSX): NO
    • CPU supports Software Guard Extensions (SGX): NO
    • CPU supports Special Register Buffer Data Sampling (SRBDS): YES
    • CPU microcode is known to cause stability problems: NO (family 0x6 model 0x3c stepping 0x3 ucode 0x28 cpuid 0x306c3)
    • CPU microcode is the latest known available version: YES (latest version is 0x28 dated 2019/11/12 according to builtin firmwares DB v271+i20230614)
  • CPU vulnerability to the speculative execution attack variants
    • Affected by CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES
    • Affected by CVE-2017-5715 (Spectre Variant 2, branch target injection): YES
    • Affected by CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): YES
    • Affected by CVE-2018-3640 (Variant 3a, rogue system register read): YES
    • Affected by CVE-2018-3639 (Variant 4, speculative store bypass): YES
    • Affected by CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO
    • Affected by CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): YES
    • Affected by CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): YES
    • Affected by CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): YES
    • Affected by CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): YES
    • Affected by CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): YES
    • Affected by CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): YES
    • Affected by CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): NO
    • Affected by CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): YES
    • Affected by CVE-2020-0543 (Special Register Buffer Data Sampling (SRBDS)): YES
    • Affected by CVE-2023-20593 (Zenbleed, cross-process information leak): NO

CVE-2017-5753 aka ‘Spectre Variant 1, bounds check bypass’

  • Mitigated according to the /sys interface: YES (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
  • Kernel has array_index_mask_nospec: NO
  • Kernel has the Red Hat/Ubuntu patch: NO
  • Kernel has mask_nospec64 (arm64): NO
  • Kernel has array_index_nospec (arm64): NO
  • Checking count of LFENCE instructions following a jump in kernel… NO (only 28 jump-then-lfence instructions found, should be >= 30 (heuristic))

STATUS: NOT VULNERABLE (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)

CVE-2017-5715 aka ‘Spectre Variant 2, branch target injection’

  • Mitigated according to the /sys interface: YES (Mitigation: Retpolines; IBPB: conditional; IBRS_FW; STIBP: disabled; RSB filling; PBRSB-eIBRS: Not affected; BHI: Not affected)
  • Mitigation 1
    • Kernel is compiled with IBRS support: YES
      • IBRS enabled and active: UNKNOWN
    • Kernel is compiled with IBPB support: YES
      • IBPB enabled and active: YES
  • Mitigation 2
    • Kernel has branch predictor hardening (arm): NO
    • Kernel compiled with retpoline option: YES
      • Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)

STATUS: NOT VULNERABLE (Full retpoline + IBPB are mitigating the vulnerability)

CVE-2017-5754 aka ‘Variant 3, Meltdown, rogue data cache load’

  • Mitigated according to the /sys interface: YES (Mitigation: PTI)
  • Kernel supports Page Table Isolation (PTI): YES
    • PTI enabled and active: YES
    • Reduced performance impact of PTI: YES (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
  • Running as a Xen PV DomU: NO

STATUS: NOT VULNERABLE (Mitigation: PTI)

CVE-2018-3640 aka ‘Variant 3a, rogue system register read’

  • CPU microcode mitigates the vulnerability: YES

STATUS: NOT VULNERABLE (your CPU microcode mitigates the vulnerability)

CVE-2018-3639 aka ‘Variant 4, speculative store bypass’

  • Mitigated according to the /sys interface: YES (Mitigation: Speculative Store Bypass disabled via prctl)
  • Kernel supports disabling speculative store bypass (SSB): YES (found in /proc/self/status)
  • SSB mitigation is enabled and active: YES (per-thread through prctl)
  • SSB mitigation currently active for selected processes: NO (no process found using SSB mitigation through prctl)

STATUS: NOT VULNERABLE (Mitigation: Speculative Store Bypass disabled via prctl)

CVE-2018-3615 aka ‘Foreshadow (SGX), L1 terminal fault’

  • CPU microcode mitigates the vulnerability: N/A

STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected)

CVE-2018-3620 aka ‘Foreshadow-NG (OS), L1 terminal fault’

  • Mitigated according to the /sys interface: YES (Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled)
  • Kernel supports PTE inversion: YES (found in kernel image)
  • PTE inversion enabled and active: YES

STATUS: NOT VULNERABLE (Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled)

CVE-2018-3646 aka ‘Foreshadow-NG (VMM), L1 terminal fault’

  • Information from the /sys interface: Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled
  • This system is a host running a hypervisor: NO
  • Mitigation 1 (KVM)
    • EPT is disabled: NO
  • Mitigation 2
    • L1D flush is supported by kernel: YES (found flush_l1d in /proc/cpuinfo)
    • L1D flush enabled: YES (conditional flushes)
    • Hardware-backed L1D flush supported: YES (performance impact of the mitigation will be greatly reduced)
    • Hyper-Threading (SMT) is enabled: NO

STATUS: NOT VULNERABLE (this system is not running a hypervisor)

CVE-2018-12126 aka ‘Fallout, microarchitectural store buffer data sampling (MSBDS)’

  • Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT disabled)
  • Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
  • Kernel mitigation is enabled and active: YES
  • SMT is either mitigated or disabled: YES

STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)

CVE-2018-12130 aka ‘ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)’

  • Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT disabled)
  • Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
  • Kernel mitigation is enabled and active: YES
  • SMT is either mitigated or disabled: YES

STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)

CVE-2018-12127 aka ‘RIDL, microarchitectural load port data sampling (MLPDS)’

  • Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT disabled)
  • Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
  • Kernel mitigation is enabled and active: YES
  • SMT is either mitigated or disabled: YES

STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)

CVE-2019-11091 aka ‘RIDL, microarchitectural data sampling uncacheable memory (MDSUM)’

  • Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT disabled)
  • Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
  • Kernel mitigation is enabled and active: YES
  • SMT is either mitigated or disabled: YES

STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)

CVE-2019-11135 aka ‘ZombieLoad V2, TSX Asynchronous Abort (TAA)’

  • Mitigated according to the /sys interface: YES (Not affected)
  • TAA mitigation is supported by kernel: YES (found tsx_async_abort in kernel image)
  • TAA mitigation enabled and active: NO

STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected)

CVE-2018-12207 aka ‘No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)’

  • Mitigated according to the /sys interface: YES (KVM: Mitigation: VMX disabled)
  • This system is a host running a hypervisor: NO
  • iTLB Multihit mitigation is supported by kernel: YES (found itlb_multihit in kernel image)
  • iTLB Multihit mitigation enabled and active: YES (KVM: Mitigation: VMX disabled)

STATUS: NOT VULNERABLE (this system is not running a hypervisor)

CVE-2020-0543 aka ‘Special Register Buffer Data Sampling (SRBDS)’

  • Mitigated according to the /sys interface: YES (Mitigation: Microcode)
  • SRBDS mitigation control is supported by the kernel: YES (found SRBDS implementation evidence in kernel image. Your kernel is up to date for SRBDS mitigation)
  • SRBDS mitigation control is enabled and active: YES (Mitigation: Microcode)

STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for SRBDS mitigation control. Mitigation is enabled)

CVE-2023-20593 aka ‘Zenbleed, cross-process information leak’

  • Zenbleed mitigation is supported by kernel: YES (found zenbleed message in kernel image)
  • Zenbleed kernel mitigation enabled and active: N/A (CPU is incompatible)
  • Zenbleed mitigation is supported by CPU microcode: NO

STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected)

SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:OK CVE-2023-20593:OK

The “retpoline” option in the Linux kernel is related to security and protection against vulnerabilities such as Spectre. A retpoline (return trampoline) is a method used to safeguard against attacks that exploit speculative execution of code.

When the kernel is compiled with the “retpoline” option, it means that it includes mechanisms to help prevent potential vulnerabilities associated with speculative execution, allowing for safer handling of function calls and branches. This is particularly important for systems that may be susceptible to attacks through vulnerabilities like Spectre, which could allow an attacker to read protected data from memory.

In general, if you see “Kernel compiled with retpoline option: YES,” it indicates that your Linux kernel has been built with retpoline support enabled, which is a positive sign from a security standpoint.

(I am not an expert. This definition was given to me by ChatGPT now.)


Could it be that the latest kernels that come with Manjaro are built without this option?

I would not think so, but you can check with:

zgrep RETPOLINE /proc/config.gz

returns:

CONFIG_MITIGATION_RETPOLINE=y

This is the result on:

uname -r
6.12.25-1-MANJARO

You are right

6.12.25-1-MANJARO

zgrep RETPOLINE /proc/config.gz
CONFIG_MITIGATION_RETPOLINE=y

If you don’t have a server machine that is in continuous operation, I wouldn’t worry about reading appreciable amounts of data from memory.

I agree with you. I have a regular computer, which is mainly used for Firefox. Moreover, as far as I understand, such vulnerabilities have been closed in modern browsers for a long time. For me, this question was more theoretical, I just wanted to understand why it is so.

I also just now noticed that on old kernels, for example on 6.1, the zgrep RETPOLINE /proc/config.gz command returns CONFIG_RETPOLINE=y (On new ones, CONFIG_MITIGATION_RETPOLINE=y). Perhaps, it is true that Spectre-meltdown-checker has not received updates for a long time and simply does not understand new kernels.

Speaking of merlock’s log, he’s using kernel 6.14.5-arch1-1 (not Manjaro), which might be why Spectre-meltdown-checker detects it as safe.

Actually it looks like the code was updated 9 months ago, but a new version hasn’t been released and the PKGBUILD is using the last release.

It’s possible to edit the PKGBUILD so it pulls the code from the repo, instead of a release.

# Maintainer: Iyán Méndez Veiga <me (at) iyanmv (dot) com>
# Contributor: Simon Legner <Simon.Legner@gmail.com>
pkgname=spectre-meltdown-checker
pkgver=0.46
pkgrel=2
pkgdesc="Spectre, Meltdown, Foreshadow, Fallout, RIDL, ZombieLoad vulnerability/mitigation checker"
arch=('any')
url="https://github.com/speed47/spectre-meltdown-checker"
license=('GPL3')
# git is needed at build time because the source below is a git checkout
makedepends=('git')
# Pull the current code from the repository instead of the last release
source=("${pkgname}::git+https://github.com/speed47/spectre-meltdown-checker.git")
sha256sums=('SKIP')

package() {
    cd "$pkgname"
    # Install the script under the name the release package used
    install -Dm755 spectre-meltdown-checker.sh "$pkgdir/usr/bin/spectre-meltdown-checker"
}

On that note:
I always run with the mitigations=off kernel command line option :man_shrugging:

dmt, Thank you. This is the solution.

I checked now and everything is fine

Kernel: 6.12.25-1-MANJARO

SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:OK CVE-2023-20593:OK CVE-2022-40982:OK CVE-2023-20569:OK CVE-2023-23583:OK

Many thanks to everyone who helped me with this issue.


Folks, it’s just a script that can be run from anywhere. Remove the spectre-meltdown-checker AUR package (based on a “release” from almost two years ago) and follow the Easy way to run the script instructions in the README.

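The option rename noted in the thread (CONFIG_RETPOLINE on 6.1, CONFIG_MITIGATION_RETPOLINE on 6.12) is the kind of change a config-based check has to tolerate. The following is an added example, not code from the thread or from spectre-meltdown-checker: a shell check that accepts either name and compares it with the kernel's own spectre_v2 report. The function names and the short "Vulnerable" sample are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of spectre-meltdown-checker.

# Read kernel config text on stdin and print the retpoline option set to "y",
# or "none". CONFIG_RETPOLINE is the name seen on 6.1 in this thread,
# CONFIG_MITIGATION_RETPOLINE the name seen on 6.12.
retpoline_option() {
    awk -F= '
        ($1 == "CONFIG_RETPOLINE" || $1 == "CONFIG_MITIGATION_RETPOLINE") &&
            $2 == "y" { found = $1 }
        END { print (found != "" ? found : "none") }
    '
}

# Config text on stdin, $1 = contents of
# /sys/devices/system/cpu/vulnerabilities/spectre_v2 (the kernel's runtime
# report). Build support and runtime state are reported separately, because a
# compiled-in mitigation can still be switched off at boot.
spectre_v2_verdict() {
    opt=$(retpoline_option)
    case "$1" in
        Vulnerable*)    echo "VULNERABLE (config: $opt)" ;;
        *Retpolines*)
            if [ "$opt" = none ]; then
                echo "INCONSISTENT (retpolines active; config: none)"
            else
                echo "OK (retpolines active; config: $opt)"
            fi ;;
        Mitigation:*)   echo "OK (other mitigation; config: $opt)" ;;
        "Not affected") echo "OK (CPU not affected)" ;;
        *)              echo "UNKNOWN" ;;
    esac
}

# Constructed sample inputs. SYSFS_612 is the /sys string quoted in the
# thread; the bare "Vulnerable" line is a constructed stand-in for a system
# whose mitigations are disabled at boot.
SYSFS_612='Mitigation: Retpolines; IBPB: conditional; IBRS_FW; STIBP: disabled; RSB filling; PBRSB-eIBRS: Not affected; BHI: Not affected'
printf 'CONFIG_RETPOLINE=y\n' | spectre_v2_verdict "$SYSFS_612"
printf 'CONFIG_MITIGATION_RETPOLINE=y\n' | spectre_v2_verdict "$SYSFS_612"
printf 'CONFIG_MITIGATION_RETPOLINE=y\n' | spectre_v2_verdict 'Vulnerable'
```

On a live system, feed it the output of zcat /proc/config.gz and pass the contents of /sys/devices/system/cpu/vulnerabilities/spectre_v2 as the argument.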