spectre-meltdown-checker - Man Page

Spectre and Meltdown mitigation detection tool


Description

Spectre and Meltdown mitigation detection tool v26.33.0420460

Modes:

* Live mode:

spectre-meltdown-checker [options] [--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]

Inspect the currently running kernel within the context of the CPU it's running on.

You can optionally specify --kernel, --config, or --map to help the script locate files it couldn't auto-detect.

* No-runtime mode:

spectre-meltdown-checker [options] --no-runtime <--kernel <kimage>> [--config <kconfig>] [--map <mapfile>]

Inspect the CPU hardware, but skip all running-kernel artifacts (/sys, /proc, dmesg).

Use this when you have a kernel image different from the kernel you're running but want to check it against this CPU.

* No-hardware mode:

spectre-meltdown-checker [options] --no-hw <--kernel <kimage>> [--config <kconfig>] [--map <mapfile>]

Ignore both CPU hardware and running-kernel artifacts. Use this for pure static analysis of a kernel image,

for example when inspecting a kernel targeted for another system or CPU.

* Hardware-only mode: spectre-meltdown-checker [options] --hw-only

Only inspect the CPU hardware, and report information and affectedness per vulnerability.

Vulnerability selection:

--variant VARIANT

specify which variant you'd like to check; by default all variants are checked. Can be used multiple times (e.g. --variant 3a --variant l1tf). For a list, use 'help'.

--cve CVE

specify which CVE you'd like to check; by default all supported CVEs are checked. Can be used multiple times (e.g. --cve CVE-2017-5753 --cve CVE-2020-0543).

Check scope:

--no-sysfs

don't use the /sys interface even if present [Linux]

--sysfs-only

only use the /sys interface, don't run our own checks [Linux]

Strictness:

--paranoid

require all mitigations to be enabled to the fullest extent, including those that are not strictly necessary but provide defense in depth (e.g. SMT disabled, IBPB always-on); without this flag, the script follows the security community consensus

--extra

run additional checks for issues that don't have a CVE but are still security-relevant, such as compile-time mitigations not enabled by default (e.g. Straight-Line Speculation)

Hardware and platform:

--cpu [#,all]

interact with CPUID and MSR of CPU core number #, or all (default: CPU core 0)

--vmm [auto,yes,no]

override the detection of the presence of a hypervisor, default: auto

--allow-msr-write

allow probing for write-only MSRs, this might produce kernel logs or be blocked by your system

--arch-prefix PREFIX

specify a prefix for cross-inspecting a kernel of a different arch, for example "aarch64-linux-gnu-", so that invoked tools are prefixed with it (e.g. aarch64-linux-gnu-objdump)

--coreos

special mode for CoreOS (use an ephemeral toolbox to inspect kernel) [Linux]

Output:

--batch FORMAT

produce machine readable output; FORMAT is one of: text (default), short, json, json-terse, nrpe, prometheus

--no-color

don't use color codes

--verbose,  -v

increase verbosity level, possibly several times

--explain

produce an additional human-readable explanation of actions to take to mitigate a vulnerability

Firmware database:

--update-fwdb

update our local copy of the CPU microcodes versions database (using the awesome MCExtractor project and the Intel firmwares GitHub repository)

--update-builtin-fwdb

same as --update-fwdb but update builtin DB inside the script itself

Debug:

--dump-mock-data

used to mimic a CPU on another system, mainly used to help debugging this script

Return codes:

0 (not vulnerable), 2 (vulnerable), 3 (unknown), 255 (error)
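The following wrapper is an added example and is not part of spectre-meltdown-checker or its documentation. It ties the modes described above (live, no-runtime, no-hardware) to the return codes listed here, so that an audit job treats only return code 0 as a pass and never mistakes 3 (unknown) for "safe". The checker path, the kernel image paths and the cross toolchain prefix are assumptions; the script only invokes the checker when it is actually present.

```shell
#!/bin/sh
# Added example, not part of the spectre-meltdown-checker project.
# Assumption: the checker script is at ./spectre-meltdown-checker.sh
# (override with CHECKER=...). Run as root for live mode so MSR/CPUID
# probes and dmesg reads are not silently degraded to "unknown".
CHECKER="${CHECKER:-./spectre-meltdown-checker.sh}"

# Map the documented return codes to a verdict string.
# 0 = not vulnerable, 2 = vulnerable, 3 = unknown, 255 = error.
classify_rc() {
    case "$1" in
        0)   echo "not-vulnerable" ;;
        2)   echo "vulnerable" ;;
        3)   echo "unknown" ;;
        255) echo "error" ;;
        *)   echo "unexpected" ;;
    esac
}

# An audit passes only on return code 0. "unknown" (3) and "error" (255)
# are failures on purpose: an inconclusive check is not a clean check.
audit_passes() {
    [ "$1" -eq 0 ]
}

# Live mode: inspect the running kernel on the CPU it runs on.
# Extra arguments (--cve CVE-2017-5753, --paranoid, --extra, ...) pass through.
run_live_audit() {
    "$CHECKER" --batch json --no-color "$@"
    rc=$?
    printf 'live audit: %s (rc=%s)\n' "$(classify_rc "$rc")" "$rc" >&2
    return "$rc"
}

# No-runtime mode: this CPU, but a kernel image that is not the one booted
# (e.g. a freshly installed kernel before reboot). Paths are assumptions.
check_staged_kernel() {
    kimage="$1"; kconfig="$2"
    "$CHECKER" --no-runtime --kernel "$kimage" --config "$kconfig" \
        --batch short --no-color
    rc=$?
    printf 'staged kernel %s: %s (rc=%s)\n' "$kimage" "$(classify_rc "$rc")" "$rc" >&2
    return "$rc"
}

# No-hardware mode: pure static analysis of a foreign-arch image, using a
# cross binutils prefix so objdump/readelf for that arch are invoked.
inspect_foreign_image() {
    kimage="$1"; kconfig="$2"; prefix="${3:-aarch64-linux-gnu-}"
    "$CHECKER" --no-hw --kernel "$kimage" --config "$kconfig" \
        --arch-prefix "$prefix" --batch short --no-color
    rc=$?
    printf 'image %s: %s (rc=%s)\n' "$kimage" "$(classify_rc "$rc")" "$rc" >&2
    return "$rc"
}

# Stand-alone use: run the live audit and exit non-zero unless it passed.
# Skipped when the checker is not installed so the file sources cleanly.
if [ -x "$CHECKER" ]; then
    run_live_audit "$@"
    rc=$?
    audit_passes "$rc" || exit 1
fi
```

Pair this with --explain in interactive runs: the batch formats are meant for automation, and the explanation text is what tells an operator which microcode, kernel option or boot parameter is missing when the verdict is "vulnerable".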

IMPORTANT: A false sense of security is worse than no security at all. Please use the --disclaimer option to understand exactly what this script does.

Info

April 2026 Spectre and Meltdown mitigation detection tool v26.33.0420460