Spectre and Meltdown

In early January 2018, researchers publicly disclosed two related hardware vulnerabilities, Meltdown and its harder-to-fix cousin Spectre. Both exploit transient execution: a CPU runs instructions ahead of time, speculatively or out of program order, before it knows whether they are actually needed or permitted, a performance optimization that has shipped in high-performance processors for more than two decades. The disclosure sites, meltdownattack.com and spectreattack.com, host the papers and list the CVE identifiers: Meltdown is CVE-2017-5754, while Spectre covers CVE-2017-5753 (variant 1, bounds check bypass) and CVE-2017-5715 (variant 2, branch target injection).

The flaw is that transient execution leaves measurable traces. Even when the CPU later discards the results of work it should not have done, doing that work changes microarchitectural state, most usefully the contents of the cache. By timing memory accesses afterwards, an attacker can tell which cache lines the discarded path touched and, if the address of those lines was chosen from a secret, reconstruct the secret one byte at a time. This makes the attacks side-channel attacks: no permission check or cryptographic operation is ever defeated directly, and the secret never reaches a register the attacker can read architecturally; the boundary is inferred from its physical side effects.
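The cache-timing measurement that both attacks rely on is usually called Flush+Reload. The following program, an added example and not code from either paper, demonstrates that primitive on its own: a "sender" stands in for the transient access that touches one of 256 probe lines selected by a secret byte, and a "receiver" stands in for the attacker who flushes all 256 lines beforehand and times them afterwards. It assumes an x86-64 CPU with clflush and rdtscp (any recent Intel or AMD part); on other architectures `recover_byte_via_cache()` returns -1. The names `probe`, `sender_touch`, `receiver_fastest_slot` and `recover_byte_via_cache` are this example's own.

```c
/*
 * Added example: Flush+Reload cache covert channel on x86-64.
 * Illustrative code, not from the Meltdown or Spectre papers.
 * Assumes clflush and rdtscp are available; returns -1 otherwise.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__)
#include <x86intrin.h>
#define HAVE_X86_CACHE_PRIMITIVES 1
#endif

#define PROBE_SLOTS 256
#define SLOT_STRIDE 4096   /* one page per slot: defeats adjacent-line and stride prefetchers */
#define TRIALS      100    /* rounds for the majority vote */

/* Backing store for the probe lines. It is written once before use so that every
 * slot gets its own physical page; untouched zero pages would all alias to one line. */
static uint8_t probe[PROBE_SLOTS * SLOT_STRIDE];

#ifdef HAVE_X86_CACHE_PRIMITIVES
/* Time one load with rdtscp. The lfence keeps the load from issuing before the first
 * timestamp; the second rdtscp waits for the load to complete before reading the counter. */
static uint64_t time_load(const volatile uint8_t *p)
{
    unsigned int aux;
    uint64_t start = __rdtscp(&aux);
    _mm_lfence();
    uint8_t v = *p;
    __asm__ volatile("" : : "r"(v));   /* keep the load from being optimised away */
    uint64_t end = __rdtscp(&aux);
    return end - start;
}

/* Attacker side (Reload): after the victim ran, find the probe slot that is now cached. */
static int receiver_fastest_slot(void)
{
    uint64_t best_time = UINT64_MAX;
    int best_slot = -1;
    for (int i = 0; i < PROBE_SLOTS; i++) {
        int slot = (i * 167 + 13) & 0xff;   /* scrambled visiting order; 167 is odd, so a permutation */
        uint64_t t = time_load(&probe[slot * SLOT_STRIDE]);
        if (t < best_time) { best_time = t; best_slot = slot; }
    }
    return best_slot;
}

/* Victim side: the single (in a real attack, transient) access whose side effect we observe. */
static void sender_touch(uint8_t value)
{
    volatile uint8_t *p = &probe[(size_t)value * SLOT_STRIDE];
    uint8_t v = *p;
    __asm__ volatile("" : : "r"(v));
}
#endif

/* Transmit one byte through the cache and recover it by majority vote over TRIALS rounds.
 * Returns the recovered byte, or -1 when the x86 primitives are unavailable. */
int recover_byte_via_cache(uint8_t secret)
{
#ifndef HAVE_X86_CACHE_PRIMITIVES
    (void)secret;
    return -1;
#else
    int votes[PROBE_SLOTS] = {0};
    memset(probe, 1, sizeof probe);   /* pre-fault and privately back every page */

    for (int t = 0; t < TRIALS; t++) {
        for (int s = 0; s < PROBE_SLOTS; s++)
            _mm_clflush(&probe[s * SLOT_STRIDE]);   /* Flush: evict all 256 probe lines */
        _mm_mfence();
        sender_touch(secret);                       /* victim refills exactly one of them */
        int guess = receiver_fastest_slot();        /* Reload: time all 256 */
        if (guess >= 0) votes[guess]++;
    }
    int best = 0;
    for (int s = 1; s < PROBE_SLOTS; s++)
        if (votes[s] > votes[best]) best = s;
    return best;
#endif
}

int main(void)
{
    int got = recover_byte_via_cache('S');
    if (got < 0)
        puts("cache timing primitives unavailable on this architecture");
    else
        printf("sent 'S' (0x53), receiver recovered 0x%02x\n", got);
    return 0;
}
```

The stride of one page per slot and the scrambled probe order are the same precautions the published proof-of-concept code takes against hardware prefetchers, which would otherwise pull neighbouring lines into the cache and blur the signal. In Meltdown and Spectre the `sender_touch` step is not a cooperating function but a load the CPU performs transiently with a value it was never allowed to give the program.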

The two papers describe different boundaries. The Meltdown paper (Lipp et al., arXiv:1801.01207) shows how an unprivileged user program can read arbitrary kernel memory by exploiting side effects of out-of-order execution: the CPU performs a load that the permission check will later reject, and the data is used to index the cache before the fault is raised. This breaks the isolation between an application and the operating system. The Spectre paper, “Spectre Attacks: Exploiting Speculative Execution” (Kocher et al., arXiv:1801.01203), shows how an attacker can trick a correct, best-practices program into leaking its own secrets, breaking isolation between applications: variant 1 mistrains the branch predictor so that a bounds-checked array access is speculatively executed with an out-of-bounds index, and variant 2 poisons the indirect branch predictor so that the victim speculatively jumps to an attacker-chosen gadget. Meltdown was reported independently by Jann Horn of Google Project Zero, by Cyberus Technology, and by a Graz University of Technology team; Spectre was reported independently by Jann Horn and by Paul Kocher’s team.
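The Spectre variant 1 gadget is worth seeing in code because the vulnerable function is ordinary, correct C. The block below is an added example (not code from the Spectre paper or any project) showing the bounds-check-bypass pattern beside two hardened forms: a branchless index mask in the style of the Linux kernel's `array_index_nospec()`, and, on x86-64 only, a serialising `lfence` after the check. The array names follow the paper's `array1`/`array2` convention; the function names `victim_lookup_vulnerable`, `index_mask_nospec`, `victim_lookup_hardened` and `victim_lookup_lfence` are this example's own.

```c
/*
 * Added example: Spectre v1 (CVE-2017-5753) bounds-check-bypass gadget and two mitigations.
 * Illustrative code, not from the paper or any project.
 */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY1_SIZE 16

static const uint8_t array1[ARRAY1_SIZE] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
static uint8_t array2[256 * 512];   /* probe array an attacker would time, one line per byte value */

/* Vulnerable pattern. An attacker who controls idx and has trained the branch predictor with
 * in-bounds indices gets array1[idx] loaded and used to index array2 while the CPU is still
 * resolving the compare. The out-of-bounds byte never reaches the architectural result (y stays 0),
 * but which array2 line was pulled into the cache encodes its value. */
uint8_t victim_lookup_vulnerable(size_t idx)
{
    uint8_t y = 0;
    if (idx < ARRAY1_SIZE)
        y = array2[array1[idx] * 512];
    return y;
}

/* Branchless mask: all ones when idx < size, zero otherwise, computed without a branch so it is
 * correct even on a mispredicted path. Valid for idx and size below 2^(bits-1). */
static inline size_t index_mask_nospec(size_t idx, size_t size)
{
    __asm__ volatile("" : "+r"(idx));   /* stop the compiler folding the mask using the branch it just saw */
    return (size_t)(~(intptr_t)(idx | (size - 1 - idx)) >> (sizeof(size_t) * CHAR_BIT - 1));
}

/* Hardened form 1: on the mispredicted path the mask is 0, so the transient load reads array1[0]
 * rather than attacker-chosen memory, and the cache footprint no longer depends on a secret. */
uint8_t victim_lookup_hardened(size_t idx)
{
    uint8_t y = 0;
    if (idx < ARRAY1_SIZE) {
        size_t safe_idx = idx & index_mask_nospec(idx, ARRAY1_SIZE);
        y = array2[array1[safe_idx] * 512];
    }
    return y;
}

#if defined(__x86_64__)
/* Hardened form 2 (x86 only): lfence does not retire until the branch before it has resolved,
 * so nothing after it executes transiently. Simpler, but costs a full serialisation per check. */
uint8_t victim_lookup_lfence(size_t idx)
{
    uint8_t y = 0;
    if (idx < ARRAY1_SIZE) {
        __builtin_ia32_lfence();
        y = array2[array1[idx] * 512];
    }
    return y;
}
#endif

int main(void)
{
    size_t probes[] = { 0, 3, 15, 16, 1000 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("idx=%4zu mask=0x%016zx vulnerable=%u hardened=%u\n",
               probes[i], index_mask_nospec(probes[i], ARRAY1_SIZE),
               victim_lookup_vulnerable(probes[i]), victim_lookup_hardened(probes[i]));
    return 0;
}
```

Architecturally all three functions are identical, which is exactly the point: no test of return values can tell them apart, and the defect is only visible in what the CPU does transiently. The mask approach is portable and cheap; the fence approach is what compilers emit for `/Qspectre`-style options and what the kernel's speculation barriers use on x86.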

Because transient execution is built into nearly every high-performance processor shipped over roughly two decades, the vulnerabilities affected an enormous installed base across personal computers, phones, and cloud servers. Mitigations were costly: operating system changes such as kernel page-table isolation (KPTI, which unmaps most of the kernel while user code runs), microcode updates adding branch-prediction controls, and compiler changes such as retpolines and inserted speculation barriers all imposed performance penalties, and some system-call-heavy workloads measurably slowed. On Linux, the per-CPU status of these mitigations is reported in /sys/devices/system/cpu/vulnerabilities/. Spectre in particular proved hard to fully mitigate: variant 1 cannot be fixed in microcode and must be addressed at each vulnerable code site, and the disclosure opened a research field of follow-on transient-execution attacks.