Analyzing and Exploiting Branch Mispredictions in Microcode

📅 2025-01-22
🤖 AI Summary
This work presents uSpectre, a class of transient-execution attacks rooted in branch misprediction inside microcode: when a branch within a microcode routine is mispredicted, the processor transiently executes a path the architectural semantics would never take, and data touched on that path can be leaked through microarchitectural side channels. The authors find that many transient-execution attacks previously classified as Spectre or Meltdown variants are, on some Intel microarchitectures, instances of this single mechanism. Building on that observation, they discover several new uSpectre attacks and propose uSLH, a defense against uSpectre vulnerabilities. The practical upshot for defenders is that branch prediction inside microcode is an attack surface of its own, separate from the ISA-level branches that classic Spectre mitigations target, so a mitigation that only hardens visible program branches does not cover it.

📝 Abstract
We present uSpectre, a new class of transient execution attacks that exploit microcode branch mispredictions to transiently leak sensitive data. We find that many long-known and recently-discovered transient execution attacks, which were previously categorized as Spectre or Meltdown variants, are actually instances of uSpectre on some Intel microarchitectures. Based on our observations, we discover multiple new uSpectre attacks and present a defense against uSpectre vulnerabilities, called uSLH.
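The abstract names uSLH but does not explain the mechanism it builds on. The following C program is an added illustration, not code from the paper or its authors: it shows the conventional Speculative Load Hardening (SLH) idea, in which a branch-free mask derived from the bounds comparison (rather than from the branch outcome) is applied to the index before the load, so a mispredicted bounds check still cannot steer the load at the secret. It is an assumption here that uSLH applies the same masking principle to branches inside microcode; that level cannot be reached from portable C, and the `transient_read` function only simulates which address each variant would touch inside a transient window. The memory image, `PUBLIC_LEN`, `SECRET_LEN` and all function names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed memory image for the example (not data from the paper):
 * 16 public bytes followed by a secret that the bounds check is supposed
 * to keep unreachable. */
#define PUBLIC_LEN 16
#define SECRET_LEN 8
static const uint8_t mem[PUBLIC_LEN + SECRET_LEN] = {
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
    0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
    'S',  'E',  'C',  'R',  'E',  'T',  '!',  '!'
};

/* Branch-free mask: all ones when idx is in bounds, zero otherwise.
 * The mask is a data dependency on the comparison, not a control
 * dependency on the branch, so it is already correct while the branch
 * itself is still mispredicted. This is the core idea of SLH. */
static size_t slh_mask(size_t idx, size_t len) {
    return (size_t)0 - (size_t)(idx < len);
}

/* Architectural behaviour of an unhardened bounds-checked read. */
uint8_t read_public(size_t idx) {
    if (idx < PUBLIC_LEN)
        return mem[idx];
    return 0;
}

/* Architectural behaviour of the SLH-hardened read: the index is masked
 * before it reaches the load, so the load can never address the secret. */
uint8_t read_public_slh(size_t idx) {
    size_t safe_idx = idx & slh_mask(idx, PUBLIC_LEN);
    if (idx < PUBLIC_LEN)
        return mem[safe_idx];
    return 0;
}

/* Simulated transient window: models the predictor having guessed
 * "in bounds", so the load issues before the comparison retires.
 * Real transient execution is not observable from portable C; this only
 * reports which byte (and therefore which cache line) each variant would
 * touch in that window. */
uint8_t transient_read(size_t idx, int hardened) {
    size_t eff = hardened ? (idx & slh_mask(idx, PUBLIC_LEN)) : idx;
    if (eff >= sizeof mem)        /* keep the simulation itself in bounds */
        return 0;
    return mem[eff];
}

int main(void) {
    size_t leak_idx = PUBLIC_LEN + 2;   /* points at the 'C' of the secret */
    printf("architectural unhardened/hardened: %u / %u\n",
           (unsigned)read_public(leak_idx), (unsigned)read_public_slh(leak_idx));
    printf("transient unhardened touches: '%c'\n", transient_read(leak_idx, 0));
    printf("transient hardened touches:   0x%02x\n",
           (unsigned)transient_read(leak_idx, 1));
    return 0;
}
```

Architecturally both readers return 0 for the out-of-range index; the difference shows up only in the simulated transient path, where the unhardened load would bring the secret byte into the cache and the masked load is redirected to index 0. A production SLH pass additionally has to ensure the compiler does not turn the mask computation back into a branch, which is why real implementations pin it to a flag-dependent conditional move.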
Problem

Research questions and friction points this paper is trying to address.

Microcode
Branch Prediction
Computer Security
Innovation

Methods, ideas, or system contributions that make the work stand out.

uSpectre
uSLH
Microcode Branch Prediction