The Spectre and Meltdown vulnerabilities affecting x86-based processors caused significant problems for Intel and AMD back in 2018, as both companies were hit with lawsuits. ARM was exposed to these vulnerabilities as well, and all of the companies eventually released bug-neutralizing in-silicon microcode that led to some, though not significant, performance degradation. In 2022, more Spectre threats were discovered for Intel’s CPUs up to the Alder Lake series as well as ARM’s cores, with the performance degradation depending largely on the type of task. Unfortunately, this was not the last time Spectre reared its ugly head, at least for Intel: a new report issued by ETH Zurich details new vulnerabilities discovered for 2018-2024 Intel CPUs, with some models seeing a considerable performance impact after the updated mitigations.
ETH Zurich thoroughly tested the previously introduced mitigations, including enhanced Indirect Branch Restricted Speculation (eIBRS) and the Indirect Branch Prediction Barrier (IBPB), and revealed that, in special cases, these could still be bypassed.
Intel released new microcode with improved mitigations as early as January 2025, allowing ETH Zurich to test the performance impact on recent CPU models. It turns out that most models are barely affected, with Alder Lake chips seeing only 2.7% overhead, Raptor Lake / Raptor Lake-R under 2%, and Coffee Lake-R 1.6%. Rocket Lake is the exception here, as tests reveal an 8.3% performance degradation.
Although ETH Zurich conducted its tests only on Linux distributions, the vulnerabilities are confirmed to occur on any type of OS. AMD and ARM processors are not affected by these newly discovered vulnerabilities.
Intel has apparently already provided the new microcode to all system integrators and OS makers. “Intel is strengthening its Spectre v2 hardware mitigations and recommends customers review INTEL-SA-01247 and contact their system manufacturer for the appropriate update. To date, Intel is not aware of any real-world exploits of transient execution vulnerabilities,” the company commented in a May 13 blog post.
Source(s)
via PCWorld