Someone at VUSec?
The BHI / Spectre-BHB research by VUSec showed one can microarchitecturally tamper with the Branch History Buffer (rather than the Branch Target Buffer) to still leak arbitrary kernel memory from an unprivileged user using a Spectre v2-style attack.