The "Meltdown" and "Spectre" attacks have recently been widely disclosed. They target a large family of CPUs and use speculative execution features to read memory by observing cache timing side effects.

Phabricator is not affected because it is written in PHP, a great language with excellent security features which protect it against this kind of attack. Among other advanced capabilities, PHP instructions execute too slowly to allow a runtime program to distinguish between L1 cache access and main memory access.

This is also a local privilege escalation attack. At least today, Herald rules are insufficiently expressive to allow an attacker to encode a speculative execution cache timing side channel attack.