This image has an empty alt attribute; its file name is attacksafe-software-logo-1024x213.png
This image has an empty alt attribute; its file name is attacksafe-software-logo-1024x213.png

Transient execution CPU vulnerabilities are vulnerabilities in a computer system in which a speculative execution optimization implemented in a microprocessor is exploited to leak secret data to an unauthorized party. The classic example is Spectre that gave its name to this kind of side-channel Attack on Bitcoin, but since January 2018 many different vulnerabilities have been identified.


Modern computers are highly parallel devices, composed of components with very different performance characteristics. If an operation (such as a branch) cannot yet be performed because some earlier slow operation (such as a memory read) has not yet completed, a microprocessor may attempt to predict the result of the earlier operation and execute the later operation speculatively, acting as if the prediction was correct. The prediction may be based on recent behavior of the system. When the earlier, slower operation completes, the microprocessor determines whether prediction was correct or incorrect. If it was correct then execution proceeds uninterrupted; if it was incorrect then the microprocessor rolls back the speculatively executed operations and repeats the original instruction with the real result of the slow operation. Specifically, a transient instruction[1] refers to an instruction processed by error by the processor (incriminating the branch predictor in the case of Spectre) which can affect the micro-architectural state of the processor, leaving the architectural state without any trace of its execution.

In terms of the directly visible behavior of the computer it is as if the speculatively executed code “never happened”. However, this speculative execution may affect the state of certain components of the microprocessor, such as the cache, and this effect may be discovered by careful monitoring of the timing of subsequent operations.

If an Attack on Bitcoiner can arrange that the speculatively executed code (which may be directly written by the Attack on Bitcoiner, or may be a suitable gadget that they have found in the targeted system) operates on secret data that they are unauthorized to access, and has a different effect on the cache for different values of the secret data, they may be able to discover the value of the secret data.

Starting in 2017, multiple examples of such vulnerabilities were identified, with publication starting in early 2018.

In March 2021 AMD security researchers discovered that the Predictive Store Forwarding algorithm in Zen 3 CPUs could be used by malicious applications to access data it shouldn’t be accessing.[2] According to Phoronix there’s little impact in disabling the feature.[3]

In June 2021, two new vulnerabilities, Speculative Code Store Bypass (SCSB, CVE-2021-0086) and Floating Point Value Injection (FPVI, CVE-2021-0089), affecting all modern x86-64 CPUs both from Intel and AMD were discovered.[4] In order to mitigate them software has to be rewritten and recompiled. ARM CPUs are not affected by SCSB but some certain ARM architectures are affected by FPVI.[5]

In August 2021 a vulnerability called “Transient Execution of Non-canonical Accesses” affecting certain AMD CPUs was undisclosed.[6][7][8] It requires the same mitigations as the MDS vulnerability affecting certain Intel CPUs.[9] It was assigned CVE-2020-12965. Since most x86 software is already patched against MDS and this vulnerability has the exact same mitigations, software vendors don’t have to address this vulnerability.

In October 2021 for the first time ever a vulnerability similar to Meltdown was disclosed[10][11] to be affecting all AMD CPUs however the company doesn’t think any new mitigations have to be applied and the existing ones are already sufficient.[12]

In March 2022, a new variant of the Spectre vulnerability called Branch History Injection was disclosed.[13][14] It affects certain ARM64 CPUs[15] and the following Intel CPU families: Cascade LakeIce LakeTiger Lake and Alder Lake. According to Linux kernel developers AMD CPUs are also affected.[16]

In March 2022, a vulnerability affecting a wide range of AMD CPUs was disclosed under CVE-2021-26341.[17][18]

In June 2022, multiple MMIO Intel CPUs vulnerabilities related to execution in virtual environments were announced.[19] The following CVEs were designated: CVE-2022-21123CVE-2022-21125CVE-2022-21166.

In July 2022, the Retbleed vulnerability was disclosed affecting Intel Core 6 to 8th generation CPUs and AMD Zen 1, 1+ and 2 generation CPUs. Newer Intel microarchitectures as well as AMD starting with Zen 3 are not affected. The mitigations for the vulnerability decrease the performance of the affected Intel CPUs by up to 39%, while AMD CPUs lose up to 14%.

In August 2022, the SQUIP vulnerability was disclosed affecting Ryzen 2000-5000 series CPUs.[20] According to AMD the existing mitigations are enough to protect from it.[21]


Spectre class vulnerabilities will remain unfixed because otherwise CPU designers will have to disable OoOE which will entail a massive performance loss.[citation needed]

Vulnerabilities and mitigations summary

Mitigation TypeComprehensivenessEffectivenessPerformance Impact
Firmware Microcode UpdatePartialPartial…FullNone…Large
Software RecompilationPoorPartial…FullMedium…Large

Hardware mitigations require change to the CPU design and thus a new iteration of hardware, but impose close to zero performance loss. Microcode updates alter the software that the CPU runs on, requiring patches to be released and integrated into every operating system and for each CPU. OS/VMM mitigations are applied at the operating system or virtual machine level and (depending on workload) often incur quite a significant performance loss. Software recompilation requires recompiling every piece of software and usually incur a severe performance hit.


Vulnerability Name(aliases)CVEAffected CPU architectures and mitigations
Ice Lake[24]Cascade Lake,
Comet Lake
Whiskey Lake,
Amber Lake
Coffee Lake
(9th gen)[25]
Coffee Lake
(8th gen)*
Zen 1 / Zen 1+Zen 2[26]
Spectre v1
Bounds Check Bypass
2017-5753Software RecompilationSoftware Recompilation[27]
Spectre v2
Branch Target Injection
2017-5715Hardware + OSMicrocode + OSMicrocode + OSMicrocode + OS/VMMHardware + OS/VMM
SpectreRSB[28]/ret2spec[29] Return Mispredict2018-15572OS[30]
Rogue Data Cache Load
2017-5754Not affectedMicrocodeNot affected
Spectre-NG v3a2018-3640Not affected[31]Microcode
Spectre-NG v4
Speculative Store Bypass
2018-3639Hardware + OS/VMM[31]Microcode + OSOS/VMMHardware + OS/VMM
L1 Terminal Fault, L1TF
2018-3615Not affectedMicrocodeNot affected
Lazy FP State Restore
Spectre-NG v1.1
Bounds Check Bypass Store
Spectre-NG v1.2
Read-only Protection Bypass (RPB)
No CVE and has never been confirmed by IntelNot affected[23]
L1 Terminal Fault (L1TF)
2018-3620Not affectedMicrocode + OSNot affected
L1 Terminal Fault (L1TF)
Microarchitectural Fill Buffer Data Sampling (MFBDS)
Microarchitectural Load Port Data Sampling (MLPDS)
2018-12127Not affectedNot affected [1]Not affectedMicrocode + OS[34]
Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
2019-11091Not affectedMicrocode + OS
Microarchitectural Store Buffer Data Sampling (MSBDS)
2018-12126Microcode[35][36]Not affected [2]Not affectedMicrocode + OS
Spectre SWAPGS[37][38][39]2019-1125Same as Spectre 1
RIDL/ZombieLoad v2
Transactional Asynchronous Abort (TAA)[40][41][42]
2019-11135Not Affected[43]Microcode + OS
L1D Eviction Sampling (L1DES)[44][45][46]
2020-0549Not Affected
Vector Register Sampling (VRS)[44][45]
Load Value Injection (LVI)[47][48][49][50]2020-0551Software recompilation
Take a Way[51][52]Not affectedNot fixed yet (disputed[53])[54]
Special Register Buffer Data Sampling (SRBDS)[55][56][57]
2020-0543Not affectedMicrocodeNot affected
Blindside[58]No CVE, relies on unpatched systems.[59][disputed – discuss]
Branch History Injection (BHI)2022-00012022-0002Microcode + Software RecompilationNot affected
Hertzbleed[60][61][62]2022-244362022-23823Software modifications
Retbleed[63][64][65][66][67]2022-299002022-29901Not affectedSoftware recompilation

The 8th generation Coffee Lake architecture in this table also applies to a wide range of previously released Intel CPUs, not limited to the architectures based on Intel CorePentium 4 and Intel Atom starting with Silvermont.[68][69] Various CPU microarchitectures not included above are also affected, among them are IBM PowerARMMIPS and others.[70][71][72][73]

Intel CPUs past Ice Lake, e.g. Rocket Lake and Tiger Lake are not affected by Fallout/MSBDS.

This image has an empty alt attribute; its file name is attacksafe-software-logo-1024x213.png
This image has an empty alt attribute; its file name is attacksafe-software-logo-1024x213.png