
Meltdown and Spectre are read-only attacks or disclosure attacks. In other words, these exploits do not directly force code execution in the OS kernel, in other virtual machines or other programs. However, one could possibly use information gathered from these attacks to feed it into a code execution attack. The primary risk is in stealing information versus controlling a system.