Spectre (security vulnerability)

Spectre is a class of vulnerabilities (speculative execution CPU vulnerabilities) that involve side-channel attacks, first discovered in 2017. There are multiple variants that affect modern microprocessors capable of performing branch prediction and other forms of speculative execution. On most processors, the speculative execution resulting from a branch misprediction may leave observable side effects that may reveal private data to attackers. For example, if the pattern of memory accesses performed by such speculative execution depends on private data, the resulting state of the data cache constitutes a side-channel through which an attacker may be able to extract information about the private data using a timing attack.

In addition to vulnerabilities associated with installed applications, JIT engines used for JavaScript were found to be vulnerable. A website can read data stored in the browser for another website, or the browser's memory itself.

Two Common Vulnerabilities and Exposures records related to Spectre, CVE-2017-5753 (bounds check bypass, Spectre-V1, Spectre 1.0) and CVE-2017-5715 (branch target injection, Spectre-V2), have been issued.

In early 2018, Intel reported that it would redesign its CPUs to help protect against the Spectre and related Meltdown vulnerabilities (specifically, Spectre variant 2 and Meltdown, but not Spectre variant 1). On 8 October 2018, Intel was reported to have added hardware and firmware mitigations regarding Spectre and Meltdown vulnerabilities to its latest processors. For devices that were already vulnerable, software patches were released at the cost of performance. Mitigations were applied to the Linux kernel, the Windows operating system, and some vulnerable user-mode applications.