Mitigating CPU vulnerabilities
CPUs have security vulnerabilities
CPUs also come with bugs and, in some cases, those bugs become security vulnerabilities. Two famous examples are the Meltdown and Spectre vulnerabilities.
Discovering your CPU’s vulnerabilities
To check out what known vulnerabilities your CPU has, perform these steps:
Open a remote terminal as your administrator user into your Proxmox VE, and execute the following:
$ cat /proc/cpuinfo | grep bugs
The output has one line per core of your CPU. On the four-core processor of this guide’s reference hardware, it looks like this:
bugs : cpu_meltdown spectre_v1 spectre_v2 mds msbds_only mmio_unknown
bugs : cpu_meltdown spectre_v1 spectre_v2 mds msbds_only mmio_unknown
bugs : cpu_meltdown spectre_v1 spectre_v2 mds msbds_only mmio_unknown
bugs : cpu_meltdown spectre_v1 spectre_v2 mds msbds_only mmio_unknown
As you can imagine, the list of vulnerabilities will change depending on the CPU inspected.
Your Proxmox VE system already has the correct microcode package applied
To mitigate these bugs, you need to install the proper microcode apt package for your CPU: either intel-microcode or amd64-microcode. In this guide’s case, the Proxmox VE installation process already installed the correct package (intel-microcode) in the system. You can confirm this by first checking which apt sources are configured in the /etc/apt/sources.list.d/debian.sources file:
Types: deb
URIs: http://deb.debian.org/debian/
Suites: trixie trixie-updates
Components: main contrib non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

Types: deb
URIs: http://security.debian.org/debian-security/
Suites: trixie-security
Components: main contrib non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
Notice that both sources include the non-free-firmware component, which is where the microcode packages live. Next, try to install the intel-microcode package in the PVE system with apt:
$ sudo apt install -y intel-microcode
intel-microcode is already the newest version (3.20250512.1).
Summary:
Upgrading: 0, Installing: 0, Removing: 0, Not Upgrading: 3
The apt command reports that the package is already installed in the system and at its newest version. Therefore, you can expect your Proxmox VE setup to have the correct microcode package already applied. If not, first ensure that your /etc/apt/sources.list.d/debian.sources file looks like the one shown before, then do the following:
Make apt update its references, then install the correct microcode package for your system:
$ sudo apt update
$ sudo apt install -y intel-microcode
After the package’s installation is done, reboot your system:
$ sudo reboot
Warning
The microcode package can affect your CPU’s performance
Furthermore, the microcode applied may just mitigate rather than completely fix the vulnerabilities on your CPU.
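The bugs line in /proc/cpuinfo only says which issues the CPU is affected by, not whether each one is mitigated. The following added example (not part of the original guide) goes one step further and classifies the status the kernel reports per vulnerability. It assumes the standard Linux sysfs directory /sys/devices/system/cpu/vulnerabilities; the function names and the sample status files are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the kernel's per-vulnerability mitigation status.
# Assumption: status files live in /sys/devices/system/cpu/vulnerabilities,
# one file per issue, each holding a single status line.

VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_status LINE -> ok | mitigated | partial | vulnerable
classify_status() {
    case "$1" in
        "Not affected"*) echo ok ;;
        "Mitigation:"*|"KVM: Mitigation:"*)
            # A mitigation can be active while SMT siblings stay exposed.
            case "$1" in
                *"SMT vulnerable"*) echo partial ;;
                *) echo mitigated ;;
            esac ;;
        *) echo vulnerable ;;   # "Vulnerable...", "Unknown...", anything else
    esac
}

# report_vulns [DIR] -> "name<TAB>class<TAB>raw status", one line per file
report_vulns() (
    dir=${1:-$VULN_DIR}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(head -n 1 "$f")
        printf '%s\t%s\t%s\n' "${f##*/}" "$(classify_status "$status")" "$status"
    done
)

# needs_attention [DIR] -> names of entries classed partial or vulnerable
needs_attention() {
    report_vulns "$1" | awk -F'\t' '$2 == "partial" || $2 == "vulnerable" { print $1 }'
}

# make_sample DIR -> write constructed status lines for an offline demo
make_sample() {
    echo 'Mitigation: PTI' > "$1/meltdown"
    echo 'Mitigation: Clear CPU buffers; SMT vulnerable' > "$1/mds"
    echo 'Unknown: No mitigations' > "$1/mmio_stale_data"
    echo 'Not affected' > "$1/srbds"
}

# Demo on constructed data; on a real host call report_vulns with no argument.
demo=$(mktemp -d)
make_sample "$demo"
report_vulns "$demo"
rm -rf "$demo"
```

Running report_vulns before and after the microcode update and reboot shows which entries changed status.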
Relevant system paths
Directories
/etc/apt/sources.list.d
/proc
Files
/etc/apt/sources.list.d/debian.sources
/proc/cpuinfo