Affiliate links on Android Authority may earn us a commission.Learn more.
‘Spectre’ and ‘Meltdown’: New CPU vulnerabilities affect most smartphones and computers
July 01, 2025
The tech industry has been all a buzz over the last 48 hours with talk about a fundamental flaw in Intel’s CPUs that makes it easy for malware to steal sensitive data (like passwords, cryptographic keys and banking information) directly from memory, memory that would normally be off limits. We now have the first concrete details about the issue, and as it turns out, there are actually two vulnerabilities, dubbed by security researchers ‘Meltdown’ and ‘Spectre’ and they affect other platforms besides Intel’s. Here’s what you need to know about them.
Spectre and Meltdown explained
Last June, Google’s Project Zero security team discovered some security flaws caused by the way that modern CPUs use out-of-order and speculative execution for better performance. (In addition to Google, other security researchers have independently discovered the same problems.)
Here’s a little background on how out-of-order and speculative execution works in CPUs. In a nutshell, to ensure that the CPU is always doing something, its instructions are pushed into a pipeline one behind the other. They progress down the pipeline going through the various stages needed to decode and finally execute them. Some instructions take longer to execute than others. This means that the pipeline is often re-ordered to get the best performance. This is particularly true when the CPU is told to jump (branch) to another location. Most branches are attached to conditions, so if a program loops around ten times, then for ten iterations it will jump back to the same spot, but on the eleventh it won’t. To make sure the pipeline is full, the CPU will put the most likely instructions back into the pipeline by attempting to predict beforehand if the CPU will branch or not. If it gets it wrong, then the pipeline will be full of half-executed instructions, which will be then discarded.
What Google’s Project Zero found outis that these half-baked instructions have altered the CPU’s internal caches while they were flowing down the pipeline. If you then add some very clever timing algorithms, it becomes possible to calculate what was in the cache, even though the CPU never actually officially executed the instructions.
The reason why this allows access to restricted memory is that the check for access violations is done when the instruction is finally executed (retired), not while it is progressing down the pipeline. This means that malware can now access any part of the memory. It can’t do it fast, as all these timing shenanigans are delicate, but it is fast enough to steal data.
In total there are three known variants of this basic problem:
As soon as Google found these new attack methods, it notified Intel, AMD and Arm. That was six months ago. They all agreed on a coordinated disclosure date of July 31, 2025, however, when patches started appearing in the Linux kernel along with growing speculation in the press and security research community, the details were disclosed a week early.
What is Google doing about it?
Google has worked to protect all its products and services against Spectre and Meltdown. You can find full detailshere, but here is a summary:
Arm’s response
As you can see, Intel’s CPUs seem to be more susceptible to Spectre and Meltdown. I contacted Arm about these security issues and here is the response I was given:
Arm has also released a full security advisory calledVulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism. Basically it says that the Cortex-A57, the Cortex-A72 and the Cortex-A73 are vulnerable to Spectre, and only the Cortex-A75 is vulnerable to Meltdown. The important thing here is that the Cortex-A53 and Cortex-A55 cores are NOT affected. This is because those two processors cores don’t do out-of-order execution. A large portion of the current mid-range Android handsets use the Cortex-A53 in an octa-core arrangement, including devices with the Qualcomm Snapdragon 630, Snapdragon 626, Snapdragon 625, and all Snapdragon 4xx processors.
Arm has also released Linux patches for all its processors.
Intel’s response
Intel’s response to the disclosure has been less professional than Arm’s. Rather than publishing a security advisory and providing software patches, all Intel did was publisha press release. In the press release, Intel just moaned about how it wasn’t its fault and that everyone is in the same boat. The press release didn’t go down well with Linus Torvalds, the inventor of Linux. Hewrote, “I think somebody inside of Intel needs to really take a long hard look at their CPU’s, and actually admit that they have issues instead of writing PR blurbs that say that everything works as designed.”
How the bugs can be mitigated
One of the ways that Meltdown can be mitigated is by isolating the kernel table from user space memory. Until now, the kernel page tables were kept in memory, even when running a user space program. This memory is actually protected by the normal memory access features of modern CPUs, however the cache timing vulnerabilities mean that malicious programs can bypass the normal protections and steal data from the kernel memory space.
Kernel Page Table Isolation (KPTI) fixes this by separating the user-space and the kernel-space page tables. However, this decreases performance. There are a variety of different performance measurements being touted at the moment. These range from 5% to 30%.
It looks like KPTI will become the norm for Linux, Android, and Chrome OS in the short term. One thing that Arm started very clearly is that “All future Arm Cortex processors will be resilient to this style of attack or allow mitigation through kernel patches.”
In other words, there isn’t much that can be done in hardware now, but future processors will be designed so that this kind of attack isn’t possible. As Linus put it, CPU designers need to ensure that “speculation doesn’t happen across protection domains.”
Thank you for being part of our community. Read ourComment Policybefore posting.
