The vulnerability, dubbed SPOILER, comes via the memory management that Intel uses in, you guessed it, speculative execution. Researchers tested 10 models of CPUs, going all the way back to first-gen Core processors. Worse still, the vulnerability doesn't require elevated permissions; it can be triggered through JavaScript in a web browser or just about anything else in userspace.
This particular bug doesn't itself allow someone to access otherwise protected information, but it makes some related attacks (such as Rowhammer) much easier. In addition, it looks like mitigations may be incredibly hard. Intel's press release says they hope that software can fix it (I can't help but note there's no mention of them doing anything), but that remains to be seen.
Further research is needed to see if AMD or ARM is also affected. One model of each was tested and found not to be vulnerable, but the AMD processor tested wasn't a Ryzen, so it's still unknown whether they're affected.
Intel Management Engine (although other CPU manufacturers have an equivalent). It's a little side OS that handles startup and some other things. But it's a black box, and could be used to compromise whatever computer it's running on.