github speed47/spectre-meltdown-checker v26.36.0602723

5 hours ago

Release highlights

This release brings some features to ARM64 hosts. They get dedicated silicon-errata checks, a proper CPU details block, and architecture-aware filtering so x86 hosts no longer show ARM64 noise and vice-versa.

On the x86 side, MMIO Stale Data detection is now much more honest about end-of-life Intel CPUs that Intel never officially assessed: these are now reported as UNK (or VULN under --paranoid) instead of a misleading "not affected".

The tool now better detects guest environments and warns you that the microcode version reported by your hypervisor may be fake or stale, so the "up-to-date microcode" check can't be trusted from inside the guest.

More detailed changelog

Add ARM64 silicon errata (issue #357)

Three speculation/security-relevant ARM64 errata families are now detected. As these are tracked by vendor erratum IDs rather than CVEs, a new CVE-0001-NNNN placeholder range has been reserved for vendor errata, along with a new --errata <number> selector (alongside --variant/--cve):

  • Speculative AT TLB corruption (1165522 / 1319367 / 1319537 / 1530923)
  • Speculative unprivileged load (2966298 / 3117295)
  • MSR SSBS not self-synchronizing (3194386 and siblings)

CPU affectedness is determined per-core from the (implementer, part, variant, revision) tuple in /proc/cpuinfo, matching the kernel code. Kernel mitigation detection relies on the per-erratum CONFIG_ARM64_ERRATUM_NNNN symbols, kernel image descriptor strings, and dmesg (no sysfs exists for these).

Architecture-aware CVE filtering

  • CVE_REGISTRY gains an optional fifth field tagging checks as x86-only or arm-only; untagged entries apply everywhere.
  • Default "all CVEs" runs now skip checks irrelevant to the inspected architecture across text, JSON, NRPE and Prometheus outputs (no more ARM64 errata on x86 hosts, or x86 CVEs on ARM hosts).
  • Explicit --cve / --variant / --errata selection bypasses the check, so manual queries still run anywhere.
  • In --no-hw mode, the host CPU is ignored, supporting cross-arch offline analysis driven by --kernel/--config/--map.
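The selection rules in this list, as an added shell illustration rather than the checker's own implementation. The registry layout ("CVE|short name|arch tag") and the CVE-0001-<erratum> form used to map an --errata number onto its placeholder id are assumptions made for the example; the entries are a hypothetical subset.

```shell
#!/bin/sh
# Added example, not part of spectre-meltdown-checker.
# Hypothetical registry. Third field: "x86", "arm", or empty (the check applies everywhere).
CVE_REGISTRY='CVE-2017-5753|spectre-v1|
CVE-2017-5754|meltdown|
CVE-2022-21123|mmio-stale-data|x86
CVE-0001-1165522|arm64-erratum-1165522|arm
CVE-0001-3194386|arm64-erratum-3194386|arm'

# Map a --errata number onto the vendor-errata placeholder range (assumed form CVE-0001-<number>).
errata_to_cve() { echo "CVE-0001-$1"; }

# Print the CVE ids that should run.
#   $1  inspected architecture: "x86", "arm", or "" when unknown; with --no-hw the caller
#       derives this from --kernel/--config/--map instead of the host CPU
#   $2  explicit selection from --cve/--variant/--errata (space-separated CVE ids), or ""
# An explicit selection bypasses the architecture filter, so a manual query runs anywhere.
select_checks() {
  arch=$1; explicit=$2
  printf '%s\n' "$CVE_REGISTRY" | while IFS='|' read -r cve name tag; do
    if [ -n "$explicit" ]; then
      case " $explicit " in *" $cve "*) echo "$cve" ;; esac
    elif [ -z "$tag" ] || [ "$tag" = "$arch" ]; then
      echo "$cve"
    fi
  done
}

# Usage: default run on an x86 host, then a manual --errata query on the same host.
echo "x86 default run:"; select_checks x86 ""
echo "x86 host, --errata 1165522:"; select_checks x86 "$(errata_to_cve 1165522)"
```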

Fixes to existing CVEs

  • MMIO Stale Data (CVE-2022-21123 / 21125 / 21166) (#437): EOL Intel CPUs that Intel never officially assessed (Sandy/Ivy Bridge, Haswell/Broadwell client, pre-Goldmont Atom, etc.) are now reported as UNK (or VULN under --paranoid) instead of a misleading "not affected". This corrects the picture on kernels where sysfs wrongly says "Not affected" (pre-v6.0 and v6.16+) and aligns with the kernel's X86_BUG_MMIO_UNKNOWN set. The BSD path was corrected too: no BSD implements an MMIO mitigation, so affected CPUs now report VULN (with an explain rationale) rather than "not yet implemented".

VM guest detection (issue #336)

  • New is_running_as_guest() detects VM guests (KVM, VMware, ESXi, Hyper-V, VirtualBox…) via the hypervisor CPUID flag in /proc/cpuinfo.
  • New "Running as VM guest: YES/NO" line in the CPU details block (x86 and ARM).
  • A warning is now emitted after the microcode-is-latest check, advising you to verify microcode on the hypervisor host, since a guest can be shown a fake CPUID/microcode version.
  • JSON output exposes this: system.guest_vm (bool), system.guest_vm_reason (string), and cpu_microcode.unreliable_in_vm (bool).
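The guest-detection flow in this list, as an added example that is not the checker's code: detect the hypervisor CPUID bit in the flags line, print the details-block line, and mark the microcode result as unreliable in the JSON. The functions read cpuinfo text from stdin so the two constructed x86 samples below can be fed in; the JSON key names are the ones named in the release, everything else about the layout is assumed.

```shell
#!/bin/sh
# Added example, not part of spectre-meltdown-checker.
# Constructed x86 /proc/cpuinfo excerpts (not captured from real machines).
GUEST_CPUINFO='processor       : 0
vendor_id       : GenuineIntel
model name      : Constructed Xeon (guest sample)
microcode       : 0x1
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx lm constant_tsc rep_good nopl cpuid pni ssse3 cx16 sse4_1 sse4_2 x2apic popcnt aes xsave avx rdrand hypervisor lahf_lm'
HOST_CPUINFO='processor       : 0
vendor_id       : GenuineIntel
model name      : Constructed Xeon (bare-metal sample)
microcode       : 0x2
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx lm constant_tsc rep_good nopl cpuid pni ssse3 cx16 sse4_1 sse4_2 x2apic popcnt aes xsave avx rdrand lahf_lm'

# Exit 0 if a 'flags' line of the cpuinfo text on stdin carries the 'hypervisor' CPUID bit,
# which KVM, VMware/ESXi, Hyper-V, VirtualBox and others set for their guests.
is_running_as_guest() {
  awk -F':' '
    $1 ~ /^flags[ \t]*$/ {
      n = split($2, f, /[ \t]+/)
      for (i = 1; i <= n; i++) if (f[i] == "hypervisor") found = 1
    }
    END { if (found) exit 0; exit 1 }'
}

# Line for the CPU details block (cpuinfo text on stdin).
guest_status_line() {
  if is_running_as_guest; then
    echo "Running as VM guest: YES (hypervisor flag in /proc/cpuinfo)"
  else
    echo "Running as VM guest: NO"
  fi
}

# JSON fragment with the three fields the release exposes (cpuinfo text on stdin).
guest_json() {
  if is_running_as_guest; then
    echo '{"system":{"guest_vm":true,"guest_vm_reason":"hypervisor flag in /proc/cpuinfo"},"cpu_microcode":{"unreliable_in_vm":true}}'
  else
    echo '{"system":{"guest_vm":false,"guest_vm_reason":""},"cpu_microcode":{"unreliable_in_vm":false}}'
  fi
}

# Microcode check (cpuinfo text on stdin): report the 'microcode' field, and when running as a
# guest flag it as unreliable, since the value is whatever the hypervisor chose to expose.
microcode_check() {
  text=$(cat)
  ver=$(printf '%s\n' "$text" | awk -F':' '$1 ~ /^microcode[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2; exit }')
  if printf '%s\n' "$text" | is_running_as_guest; then
    echo "microcode version: $ver (UNRELIABLE: reported by the hypervisor, verify on the host)"
  else
    echo "microcode version: $ver"
  fi
}

# Usage on both constructed samples.
for sample in "$GUEST_CPUINFO" "$HOST_CPUINFO"; do
  printf '%s\n' "$sample" | guest_status_line
  printf '%s\n' "$sample" | microcode_check
  printf '%s\n' "$sample" | guest_json
done
```

The detection is deliberately one-sided: the flag proves a guest, but its absence does not prove bare metal (a hypervisor can hide the bit), which is why the tool only downgrades confidence rather than asserting trust.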

Output display

  • ARM CPUs now get a proper CPU details block in check_cpu(): vendor, model name, implementer(s), part(s), architecture(s) and VM-guest status. Previously the x86-only early return left ARM hosts with no check_cpu() output at all.

Tooling

  • New scripts/update_mcedb.sh (on test and source branches), so that the GitHub workflow can regenerate src/db/200_mcedb.sh daily.

Documentation

  • Unsupported CVE list: added the Jump Conditional Code (JCC) Erratum (issue #329), a microarchitectural correctness bug (Skylake to Cascade Lake), not a speculative side channel, with no CVE, no sysfs/CPUID/MSR indicator, hence out of scope.
