Transient execution attacks exploit weaknesses in the optimization techniques
of modern CPUs, and new variants surface rapidly. A side channel is a key
component of every transient execution attack: it is the part that leaks the
data. In this work, we discover that a change to the EFLAGS register during
transient execution can have a side effect on the Jcc (jump on condition code)
instruction that follows it on Intel CPUs. Based on this discovery, we propose
a new side-channel attack that uses the timing of both transient execution and
Jcc instructions to deliver data. The attack encodes secret data into a change
of the register, which makes the execution of the surrounding context slightly
slower; the attacker measures this timing difference to decode the data. The
attack does not rely on the cache system and does not require the EFLAGS
register to be reset manually to its initial state before the attack, which
may make it more difficult to detect or mitigate. We implemented this side
channel on machines with Intel Core i7-6700, i7-7700, and i9-10980XE CPUs. On
the first two processors, we combined it with the Meltdown attack as its side
channel and achieved a 100% success rate in leaking data. We evaluate and
discuss potential defenses against the attack. Our contributions include
discovering security vulnerabilities in the implementation of the Jcc
instructions and the EFLAGS register, and proposing a new side-channel attack
that does not rely on the cache system