
Are they out of their mind? This is not a "medium".


Presumably classified as severity 'medium' in an attempt to look marginally less negligent when announcing that they can't be bothered to issue microcode updates for most CPU models until Nov or Dec.


Under what circumstances is this not a medium? The only case this applies is if you have public runners running completely untrusted code, and if you're doing that I hope you're doing it on EPYC, which is fixed. And if you're doing that, you're probably mining crypto for randoms.


What about running JavaScript on a browser?


I am very doubtful that there exists any JavaScript that compiles to the specific instructions needed for this exploit.


It can be exploited through JavaScript according to CloudFlare: https://blog.cloudflare.com/zenbleed-vulnerability/


Cloudflare updated that post.

It previously read:

> The attack can even be carried out remotely through JavaScript on a website, meaning that the attacker need not have physical access to the computer or server.

Now it reads:

> Currently the attack can only be executed by an attacker with an ability to execute native code on the affected machine. While there might be a possibility to execute this attack via the browser on the remote machine it hasn’t been yet demonstrated.



