( toMpEr | 2018. 07. 11., Wed – 11:40 )

A whitepaper: https://people.csail.mit.edu/vlk/spectre11.pdf

> We introduce Spectre1.1, a new Spectre-v1 variant that leverages speculative stores to create speculative buffer overflows. Much like classic buffer overflows, speculative out-of-bounds stores can modify data and code pointers. Data-value attacks can bypass some Spectre-v1 mitigations, either directly or by redirecting control flow.
> We also present Spectre1.2: on CPUs that do not enforce read/write protections, speculative stores can overwrite read-only data and code pointers to breach sandboxes.

> The ability to perform arbitrary speculative writes presents significant new risks, including arbitrary speculative execution. Unfortunately, this enables both local and remote attacks, even when Spectre1.0 gadgets are not present. It also allows attackers to bypass recommended software mitigations for previous speculative-execution attacks.
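As an added illustration (not code from the paper or from the post), here is the bounds-checked store pattern the abstract describes as a speculative buffer overflow gadget, beside a hardened form that clamps the index with a branch-free mask; the buffer, its size and the function names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample buffer; size and layout are assumptions for illustration. */
#define BUF_LEN 16
static uint8_t buf[BUF_LEN];

/* Architecturally correct bounds-checked store. If the branch on
 * `idx < BUF_LEN` is mispredicted, the store still executes speculatively
 * with an out-of-bounds index: the Spectre1.1 gadget shape. */
int store_checked(size_t idx, uint8_t val) {
    if (idx < BUF_LEN) {
        buf[idx] = val;
        return 1;
    }
    return 0;
}

/* Mitigation: derive a mask from the comparison through a data dependency
 * (the idea behind Linux's array_index_nospec) so the index is forced to 0
 * whenever it is out of bounds, regardless of branch prediction.
 * Assumption: the compiler emits cmp/setb/neg here rather than a branch;
 * check the generated assembly before relying on it. */
static inline size_t index_nospec(size_t idx, size_t len) {
    size_t mask = (size_t)0 - (size_t)(idx < len);  /* all ones if in bounds */
    return idx & mask;
}

int store_hardened(size_t idx, uint8_t val) {
    if (idx < BUF_LEN) {
        buf[index_nospec(idx, BUF_LEN)] = val;  /* never past BUF_LEN, even speculatively */
        return 1;
    }
    return 0;
}

uint8_t read_buf(size_t idx) { return buf[idx]; }
```

Both functions behave identically at the architectural level; the difference only shows up in what the CPU can do during a mispredicted window, which is why the masking is verified by reading the assembly rather than by functional tests.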