Critical
CVE-2017-5753 & CVE-2017-5715 · "Spectre & Meltdown"

Spectre & Meltdown: The CPU Vulnerabilities That Shook Hardware Security

In January 2018, researchers disclosed two hardware flaws that fundamentally broke CPU security. Unlike software patches, these vulnerabilities lived at the processor level, affecting nearly every Intel, AMD, and ARM chip made after 1995. Billions of devices leaked passwords, encryption keys, and sensitive data—not through hacking, but through physics.

Quick facts
CVE IDsCVE-2017-5753 (Spectre), CVE-2017-5715 (Meltdown)
Affected hardwareIntel CPUs (1995-2018+), AMD Ryzen/EPYC, ARM processors — billions of devices
SeverityCVSS 10.0 (Critical) — accessible without credentials or code execution
DisclosedJanuary 3, 2018
Real mitigationCPU firmware updates (microcode patches), OS kernel patches, performance hit 5-30%

What Happened: Spectre vs Meltdown

CPUs optimize for speed by predicting what code will run next and executing it speculatively. If the prediction was wrong, they discard the results. But before they discard, the data sits in the CPU's cache—which is blindingly fast memory living inside the processor.

Both Spectre and Meltdown exploit a gap between how fast the CPU executes and how carefully it checks permissions.

Meltdown (CVE-2017-5715): Bypasses memory isolation. A userspace program tricks the CPU into loading kernel memory (which should be forbidden) into the cache while running speculatively. Before the CPU realizes the access was illegal and throws an exception, the attacker reads the cached data through timing attacks.

Spectre (CVE-2017-5753): Tricks branch prediction. The CPU guesses which direction an if-statement will take and executes speculatively. An attacker poisons this prediction, causing the CPU to execute code paths that shouldn't happen, loading sensitive data into cache. The attacker then measures memory access timings to extract the cached secrets.

The result: attackers read passwords, encryption keys, and process memory—without ever running malicious code on the system. They're just timing how long memory access takes.

Why Both Vulnerabilities Were Shocking

For 23 years, CPUs had been designed around a fundamental assumption: hardware is trustworthy. Software developers relied on privilege separation—userspace code couldn't read kernel memory, one VM couldn't peek at another VM's memory. CPUs enforced this with permission bits in silicon.

Spectre and Meltdown proved that assumption was dead. A regular user application could leak the password to the entire system. A VM running in the cloud could steal data from the VM next to it. The fix required rethinking decades of CPU design.

Worse, the vulnerabilities affected nearly every CPU ever made:

Patching meant updating firmware on billions of devices—a logistical nightmare that's still ongoing.

How Attackers Exploited the Vulnerabilities

The attack requires three steps:

Step 1: Create a timing reference. The attacker measures how long it takes to access memory at different cache levels. L1 cache: ~4 cycles. Main RAM: ~300 cycles. The difference is huge and measurable from user code.

Step 2: Force speculative execution. For Meltdown, the attacker tries to read kernel memory in a loop. The CPU speculatively executes the read before checking permissions. For Spectre, the attacker "trains" the branch predictor to guess wrong, then executes code that accesses target memory.

Step 3: Measure the timing leak. The attacker tries to access various memory addresses and measures response times. If an address was loaded into cache during speculative execution, accessing it is fast (4 cycles). If it wasn't, it's slow (300 cycles). By testing addresses containing every possible byte value (0-255), the attacker discovers what secret data was loaded.

The entire attack runs in userspace—no elevated privileges, no code injection, no system compromise. Just timing measurements.

Researchers demonstrated reading the entire Linux kernel, extracting ASLR (address space randomization), dumping browser memory, and stealing HTTPS encryption keys from OpenSSL.

Real-World Impact

Spectre and Meltdown forced a painful response:

The patches cost billions in lost performance. A 2018 study found Linux systems lost 5-19% of their speed. Database servers and high-frequency trading platforms suffered the most.

Why Software Couldn't Have Prevented This

Spectre and Meltdown taught the industry a hard lesson: not all security flaws are bugs. Some are design choices that became dangerous when exploited in ways the designer never imagined.

Speculative execution exists because CPU performance plateaued in the early 2000s. Rather than make processors faster through higher clock speeds (heat was the limit), chip designers parallelized execution—running multiple instructions simultaneously, predicting branches, and prefetching data. Speculative execution alone improved performance by 20-40%.

Removing it entirely would cripple modern processors. The fix was surgical: prevent speculative execution from crossing privilege boundaries, or contain it so timing attacks can't extract its results.

Software engineers couldn't prevent this. Your code's security depends on hardware working correctly. When hardware has a fundamental design flaw, all the careful privilege separation in your OS becomes theater.

What You Need to Know Today

Why this mattered

Spectre and Meltdown proved that hardware security vulnerabilities require architectural changes, not just software patches. They showed that 23 years of CPU design optimization prioritized speed over safety. The fixes are ongoing—new Spectre variants are discovered regularly, and complete mitigation without performance loss remains an open research problem.

Spectre & Meltdown in one sentence

CPUs optimized for speed by running code speculatively before verifying permissions, leaving traces in memory that attackers could extract through timing measurements—breaking the entire foundation of processor security.

Explore More CVEs