The microcode running on the CPU can be updated by either flashing the BIOS or injecting the code very early on boot.
The second approach is easy on Linux: the microcode gets copied into the initramfs that is run before booting the Linux kernel. As the initramfs runs early enough on boot, it is not too late to update the CPU microcode.
The Debian wiki explains how to do that; it boils down to:
apt install intel-microcode
After a reboot the update can be confirmed in kernel logs:
CPU1 microcode updated early to revision 0x20, date = 2017-01-27
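The log check above can be scripted so that a missing or outdated early update is caught after each reboot. This is an added example, not part of the original page: the function names, the sample log (built around the line shown above) and the required minimum revision are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify early microcode loading from kernel log lines in the
# format shown above ("CPUn microcode updated early to revision 0x.., date = ..").

# Constructed sample log: CPU1 is the line from the page, the rest is made up.
SAMPLE_LOG='[    0.000000] CPU0 microcode updated early to revision 0x20, date = 2017-01-27
[    0.068112] CPU1 microcode updated early to revision 0x20, date = 2017-01-27
[    0.512340] Freeing initrd memory: 18432K'

# Read a kernel log on stdin and print one revision per early-update line.
early_revisions() {
    sed -n 's/.*microcode updated early to revision \(0x[0-9a-fA-F][0-9a-fA-F]*\),.*/\1/p'
}

# check_microcode MIN_REV
# Reads a kernel log on stdin. Returns:
#   0  every logged early update is at revision >= MIN_REV
#   1  at least one logged revision is older than MIN_REV
#   2  no early update was logged (initramfs did not carry the microcode,
#      or the log has already rotated)
check_microcode() {
    min=$1
    revs=$(early_revisions)
    if [ -z "$revs" ]; then
        echo "no early microcode update found in log"
        return 2
    fi
    status=0
    for rev in $revs; do
        # Hex constants are valid in POSIX arithmetic expansion.
        if [ $(($rev)) -lt $(($min)) ]; then
            echo "revision $rev is older than required $min"
            status=1
        fi
    done
    return $status
}

# Demo on the constructed sample; 0x20 is a placeholder minimum, take the
# real value from the vendor's release notes for your CPU.
printf '%s\n' "$SAMPLE_LOG" | check_microcode 0x20 && echo "microcode OK"

# On a real machine: dmesg | check_microcode 0x20
```

Reading the kernel log with dmesg may require root when kernel.dmesg_restrict is enabled.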