spectre-meltdown-checker
TLDR
Check currently running kernel
SYNOPSIS
spectre-meltdown-checker [OPTIONS]
DESCRIPTION
spectre-meltdown-checker detects CPU vulnerabilities and verifies mitigations for Spectre, Meltdown, and related speculative execution attacks. It operates in live mode (analyzing the running kernel) or offline mode (inspecting kernel files).
The tool checks for various vulnerability variants including Spectre v1/v2, Meltdown (v3), SSB (v4), L1TF, MDS variants (MSBDS, MFBDS, MLPDS), TAA, and others. It reports vulnerability status and whether proper mitigations are in place.
PARAMETERS
--kernel file
Specify kernel image file to check--config file
Specify kernel configuration file--map file
Specify System.map file--live
Force live mode when files are specified--variant variant
Check specific vulnerability variant (repeatable)--cve cve
Check specific CVE (repeatable)--explain
Provide human-readable mitigation explanations--batch format
Machine-readable output: text, short, json, nrpe, prometheus--no-color
Disable color output-v, --verbose
Increase verbosity (repeatable)--paranoid
Apply stricter mitigation criteria--hw-only
Check CPU information only--no-sysfs
Skip /sys interface--sysfs-only
Use only /sys interface--update-fwdb
Update local CPU microcode database
RETURN CODES
0: Not vulnerable
2: Vulnerable
3: Unknown status
255: Error occurred
CAVEATS
Requires root privileges for full analysis. Results depend on kernel version, CPU microcode, and configuration. False positives/negatives possible on unusual configurations. Mitigations may impact performance. Keep the tool updated for new vulnerability checks.
HISTORY
spectre-meltdown-checker was created by Stephane Lesimple in response to the Spectre and Meltdown vulnerabilities disclosed in January 2018. These CPU vulnerabilities affected most modern processors and required coordinated disclosure with Intel, AMD, and ARM. The tool has been continuously updated to detect new speculative execution vulnerabilities.
