root cause of meltdown vuln.

[moliam]

More articles I am reading , the more confused I am. Many articles say that speculative execution and out-of-order execution leads to these vulns. I don't think so, because I find that exploiting either of these two vulns to leak kernel addressspace is nearly possible, except for the situation that the target kernel address is cached in L1.
So it seems in fact it's because that the memory load operation from L1 cache didn't carry the privilege verification quite well . Am I understanding right?