spectre-meltdown-checker
Check system vulnerability to Spectre and Meltdown
TLDR
Check the currently running kernel for Spectre or Meltdown (no options needed; run as root for a complete result)
Check the currently running kernel and show an explanation of the actions to take to mitigate each vulnerability found (--explain)
Check only specific variants with --variant (defaults to all)
Display machine-readable output in a specific format with --batch (text, short, json, nrpe or prometheus)
Don't use the /sys interface even if present (--no-sysfs), forcing the script's own checks
Check a non-running kernel by pointing --kernel, --config and --map at its image, configuration and System.map files
SYNOPSIS
spectre-meltdown-checker [OPTIONS] [--live]
spectre-meltdown-checker [OPTIONS] --kernel vmlinux_file [--config kernel_config] [--map System.map]
PARAMETERS
--live
Inspect the currently running kernel ("live" mode). This is the default when none of --kernel, --config or --map is given.
--kernel vmlinux_file
Inspect a (possibly compressed) Linux or BSD kernel image instead of the running kernel ("offline" mode).
--config kernel_config
Kernel configuration file to use together with --kernel (Linux only).
--map kernel_map_file
Kernel System.map file to use together with --kernel (Linux only).
--no-color
Do not emit ANSI color codes; useful when redirecting output to a file or on terminals without color support.
-v, --verbose
Increase the verbosity of the output. May be given several times.
--explain
After each vulnerable result, print a human-readable explanation of the actions to take to mitigate it.
--no-explain
Suppress those explanations.
--paranoid
Apply stricter criteria: require IBPB before deeming Spectre variant 2 mitigated, and for variant 4 require that the mitigation applies to user processes by default rather than only when a process asks for it.
--no-sysfs
Do not use the /sys/devices/system/cpu/vulnerabilities interface even if present; rely on the script's own checks instead (Linux only).
--sysfs-only
Use only the /sys interface and skip the script's own checks (Linux only).
--batch [text|short|json|nrpe|prometheus]
Produce machine-readable output: text (the default when --batch is given alone), short (only the vulnerable/not vulnerable status of each variant), json (for Puppet, Ansible, Chef and similar tools), nrpe (Nagios/NRPE plugin format) or prometheus (node-exporter textfile format).
--variant VARIANT
Check only the given variant; may be repeated (e.g., --variant 2 --variant 3). Accepted names include 1, 2, 3, 3a, 4, l1tf, msbds, mfbds, mlpds, mdsum, taa, mcepsc and srbds; newer releases add more.
--cve CVE[,CVE...]
Check only the given CVE identifiers (e.g., --cve CVE-2017-5754).
--hw-only
Report CPU information only, without checking vulnerabilities.
--no-hw
Skip CPU information and hardware checks, for inspecting a kernel that will not run on this machine.
--vmm [auto|yes|no]
Override the detection of a hypervisor (default: auto).
--arch-prefix PREFIX
Toolchain prefix for cross-inspecting a kernel built for a different architecture.
--coreos
Special mode for CoreOS: inspect the kernel from an ephemeral toolbox container.
--update-fwdb
Refresh the script's local copy of the CPU microcode version database used to judge whether firmware mitigations are present.
--version
Print the script version and exit.
--help
Print the usage message and exit.
The list above follows recent releases of the script; run spectre-meltdown-checker --help to see exactly which options and variant names the installed version accepts.
DESCRIPTION
spectre-meltdown-checker is a shell script that assesses a Linux (and, with reduced coverage, BSD) system's exposure to speculative execution side-channel attacks: Meltdown (variant 3) and rogue system register read (variant 3a), Spectre variants 1, 2 (including its RSB and BHI flavours) and 4 (speculative store bypass), L1TF/Foreshadow, MDS (ZombieLoad, RIDL, Fallout), TAA (TSX Asynchronous Abort), SRBDS, MMIO stale data, Downfall, Inception and others added as they were disclosed.
It gathers evidence from several sources: the kernel's own verdicts in /sys/devices/system/cpu/vulnerabilities/, CPU feature flags from /proc/cpuinfo, the kernel configuration and image, the microcode version (compared against a built-in database of known fixed versions) and, when run as root, model-specific registers such as IA32_ARCH_CAPABILITIES read through the msr device. From these it reports which mitigations are active (KPTI/PCID, IBPB, IBRS, STIBP, retpolines, SSBD, L1D flush) and which hardware immunity bits (for example RDCL_NO and MDS_NO) the CPU advertises, and gives a color-coded vulnerable / mitigated / not affected verdict per variant together with advice on the microcode, kernel or configuration change needed. Root privileges are needed for the MSR and kernel image checks; without them the script still runs but reports the affected items as unknown.
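The quickest cross-check of the checker's verdicts is the kernel's own sysfs interface, which is the first source the script consults. The POSIX shell snippet below is an added example, not code from the spectre-meltdown-checker project: it classifies every file in a vulnerabilities directory using the string conventions the kernel uses ("Not affected", "Mitigation: ...", "Vulnerable...", "Unknown..."), handling the "KVM: " prefix and "Processor vulnerable" wording that itlb_multihit uses. The exit codes (2 for at least one vulnerable entry, 3 for at least one unknown, 0 otherwise) are chosen for this example; the directory argument defaults to the real sysfs path.

```shell
# Classify one sysfs vulnerability string the way the kernel formats it.
# Prints one of: notaffected, mitigated, vulnerable, unknown
classify_vuln_status() {
    s=$1
    # itlb_multihit prefixes its verdict with "KVM: " (e.g. "KVM: Vulnerable",
    # "KVM: Mitigation: Split huge pages"); strip it before matching.
    case $s in
        "KVM: "*) s=${s#KVM: } ;;
    esac
    case $s in
        "Not affected"*)                        echo notaffected ;;
        "Mitigation:"*)                         echo mitigated ;;
        "Vulnerable"*|"Processor vulnerable"*)  echo vulnerable ;;
        *)                                      echo unknown ;;
    esac
}

# Summarise every file in a vulnerabilities directory (default: the live sysfs).
# Prints "<name> <class> <raw kernel text>" per entry and returns
# 2 if anything is vulnerable, 3 if anything is unknown or the directory is
# missing, 0 if everything is mitigated or not affected (codes chosen here).
sysfs_vuln_summary() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    if [ ! -d "$dir" ]; then
        echo "$dir not found: kernel too old for the sysfs interface, or not Linux" >&2
        return 3
    fi
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        # A CPU hot-unplugged mid-read or a permission problem yields no text;
        # treat that as unknown rather than silently as mitigated.
        raw=$(cat "$f" 2>/dev/null) || raw="Unknown (unreadable)"
        cls=$(classify_vuln_status "$raw")
        printf '%-24s %-12s %s\n' "$name" "$cls" "$raw"
        case $cls in
            vulnerable) rc=2 ;;
            unknown)    if [ "$rc" -eq 0 ]; then rc=3; fi ;;
        esac
    done
    return $rc
}

# To run against the live system, source this file and call:
#   sysfs_vuln_summary; echo "exit status: $?"
```

On a live host, compare the table with `sudo spectre-meltdown-checker --batch short`: the two should agree on every variant the kernel reports, and any entry the script marks vulnerable while sysfs says "Mitigation:" usually means the script's stricter criteria (for example --paranoid's IBPB requirement) or a microcode check the kernel does not perform.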
CAVEATS
Run the script as root: the MSR reads and kernel image inspection need it, and without them several results degrade to "unknown" rather than failing loudly. Results depend on the exact kernel build, microcode revision and CPU model, so a verdict is only valid for the host it was produced on, at that moment. Inside a virtual machine the script can only see what the hypervisor exposes; it cannot tell whether the hypervisor itself is mitigated, so a "not vulnerable" result in a guest says nothing about cross-VM exposure (use --vmm to override hypervisor detection if it guesses wrong). The checks cover known, publicly disclosed speculative execution vulnerabilities and their documented mitigations, not theoretical attack paths or undisclosed issues. It is a diagnostic tool only: it explains what to change (microcode, kernel, boot parameters) but applies no fix itself.
REQUIREMENTS
The script is written in POSIX sh and needs only standard utilities (sed, grep, awk, head and the like), so it runs on virtually any Linux system; BSD is supported with reduced coverage. Its most authoritative source is /sys/devices/system/cpu/vulnerabilities/, available since Linux 4.15, but it does not require that interface: on older kernels it falls back to its own inspection of the kernel image, configuration and CPU. Root access, and the msr and cpuid kernel modules (which it loads itself when possible), are needed for the microcode and MSR-based checks.
HISTORY
The script was written by Stéphane Lesimple (speed47) and published within days of the public disclosure of Spectre and Meltdown in January 2018, when administrators needed a fast way to tell which of their systems had received microcode and kernel mitigations. It quickly became the de facto check on Linux, and was packaged by most distributions. Since then it has been extended as each new speculative execution issue was disclosed (L1TF, MDS, TAA, SRBDS, MMIO stale data, Downfall and others) and as kernels gained new mitigations and sysfs reporting, which is why its variant list and output keep changing between releases.