github speed47/spectre-meltdown-checker v26.33.0420460

9 hours ago

Release highlights

With this release and the 7 new supported CVEs, we're up to date with all published CVEs since 2018 that are in the scope of this tool (33 so far).

The batch output formats also got a substantial overhaul: JSON, NRPE and Prometheus output formats now better respect each format's community guidelines, as well as carrying way more information if you want or need to have a clear overview of your server fleet.

Operating modes have been clarified. You'll be able to choose between 4 modes, depending on whether you want to inspect the running kernel, a kernel image, the CPU hardware, or a combination. See the "operating modes" section of the README for more information.

A new --extra option has been added, which runs some additional checks that are not CVE vulnerabilities per se, but may still be of interest. SLS has been implemented and falls into this category.

Affected Intel CPU list up to date as of 2026-04.

Last but not least, a dozen fixes/enhancements/refinements of preexisting CVE checks have been done, along with some more general robustness / corner case fixes.

More detailed changelog

New CVE checks

  • CVE-2025-54505 aka FPDSS (Floating-Point Divider Stale Data Leak)
  • CVE-2023-28746 aka RFDS (Register File Data Sampling)
  • CVE-2023-20588 aka AMD DIV0 (Division by Zero Speculative Data Leak)
  • CVE-2022-21123 / 21125 / 21166 aka MMIO Stale Data

New extra checks

  • SLS aka Straight-Line Speculation, supplementary

Fixes / enhancements to existing CVEs

  • Spectre V2 (CVE-2017-5715): Red Hat RSB Filling detection (#235)
  • Spectre 3a (CVE-2018-3640): improved ARM mitigation detection
  • L1TF/Foreshadow (CVE-2018-3615): better lockdown detection, drop cap_flush_cmd requirement (#296)
  • TAA (CVE-2019-11135): new 0x10F MSR for TSX-disabled CPUs (#414)
  • SRBDS (CVE-2020-0543): fix microcode mitigation misdetection (#492)
  • Inception/SRSO (CVE-2023-20569): detect IBPB "PB-Inception" (#500)
  • TSA (CVE-2024-36350/36357): no TSA CPUID lines on non-AMD
  • MDS: fix CPUs affected by MSBDS but not MDS (#351)
  • MDS (FreeBSD): software mitigation = OK unless --paranoid (#503)

Batch output

  • --batch json reworked completely, structured format (meta, system, cpu, vulnerabilities[]) + JSON Schema. Old format still available as --batch json-terse
  • --batch prometheus reworked completely, new smc_* metric names
  • --batch nrpe added more textual information

CLI / run modes

  • New --no-runtime and --no-hw replace implicit offline mode
  • --live deprecated (now the default)
  • New --extra flag (gates SLS and future supplementary checks)
  • --no-intel-db removed (Intel DB always used when available)

Intel Database

  • Affected CPU list refreshed to 2026-04
  • Hybrid CPU detection (H=1/H=0)
  • New mitigation codes: MS, HS, HM
  • Intel codename mapping for JSON/Prometheus output

Output display & robustness

  • Clearer CPU details and kernel info sections
  • x86 / ARM checks now guarded to the correct architecture
  • CPUID fallback to /proc/cpuinfo when CPUID unavailable (VMs)
  • MSR read/write: clearer errors, proper lockdown reporting
  • wrmsr now specifies the core number (#294)
  • Microcode version never defaults to 0x0 when unknown
  • exit_cleanup preserves the passed exit code
  • --allow-msr-write early-abort crash fixed
  • Better Busybox / unlzma compatibility (#432)
  • BSD ucode fallback uses proper AMD MSR

Unsupported-CVE docs (new entries)

Plundervolt (CVE-2019-11157), CacheOut (CVE-2020-0549), Platypus (CVE-2020-8694/8695), CVE-2020-24511/24512, AMD Prefetch (CVE-2021-26318), Native BHI (CVE-2024-2201) + TLBleed, Blindside.
