Scroll to navigation

SPECTRE(1) User Commands SPECTRE(1)

NAME

Spectre - Spectre & Meltdown vulnerability/mitigation checker

DESCRIPTION

Spectre and Meltdown mitigation detection tool v26.33.0420460

Modes:
* Live mode:
spectre-meltdown-checker [options] [--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]
You can optionally specify --kernel, --config, or --map to help the script locate files it couldn't auto-detect
* No-runtime mode:
spectre-meltdown-checker [options] --no-runtime <--kernel <kimage>> [--config <kconfig>] [--map <mapfile>]
Use this when you have a kernel image different from the kernel you're running but want to check it against this CPU.
* No-hardware mode:
spectre-meltdown-checker [options] --no-hw <--kernel <kimage>> [--config <kconfig>] [--map <mapfile>]
for example when inspecting a kernel targeted for another system or CPU.
* Hardware-only mode: spectre-meltdown-checker [options] --hw-only
Only inspect the CPU hardware, and report information and affectedness per vulnerability.
Vulnerability selection:
specify which variant you'd like to check, by default all variants are checked. can be used multiple times (e.g. --variant 3a --variant l1tf). For a list use 'help'.
specify which CVE you'd like to check, by default all supported CVEs are checked can be used multiple times (e.g. --cve CVE-2017-5753 --cve CVE-2020-0543)
Check scope:
don't use the /sys interface even if present [Linux]
only use the /sys interface, don't run our own checks [Linux]
Strictness:
require all mitigations to be enabled to the fullest extent, including those that are not strictly necessary but provide defense in depth (e.g. SMT disabled, IBPB always-on); without this flag, the script follows the security community consensus
run additional checks for issues that don't have a CVE but are still security-relevant, such as compile-time mitigations not enabled by default (e.g. Straight-Line Speculation)
Hardware and platform:
interact with CPUID and MSR of CPU core number #, or all (default: CPU core 0)
override the detection of the presence of a hypervisor, default: auto
allow probing for write-only MSRs, this might produce kernel logs or be blocked by your system
specify a prefix for cross-inspecting a kernel of a different arch, for example "aarch64-linux-gnu-", so that invoked tools will be prefixed with this (i.e. aarch64-linux-gnu-objdump)
special mode for CoreOS (use an ephemeral toolbox to inspect kernel) [Linux]
Output:
produce machine readable output; FORMAT is one of: text (default), short, json, json-terse, nrpe, prometheus
don't use color codes
increase verbosity level, possibly several times
produce an additional human-readable explanation of actions to take to mitigate a vulnerability
Firmware database:
update our local copy of the CPU microcodes versions database (using the awesome MCExtractor project and the Intel firmwares GitHub repository)
same as --update-fwdb but update builtin DB inside the script itself
Debug:
used to mimick a CPU on an other system, mainly used to help debugging this script
Return codes:
0 (not vulnerable), 2 (vulnerable), 3 (unknown), 255 (error)
IMPORTANT: A false sense of security is worse than no security at all. Please use the --disclaimer option to understand exactly what this script does.

SEE ALSO

The full documentation for Spectre is maintained as a Texinfo manual. If the info and Spectre programs are properly installed at your site, the command

info Spectre

should give you access to the complete manual.

May 2026 Spectre and Meltdown mitigation detection tool v26.33.0420460