
Rowhammer Attack Demonstrated Against DDR5

A group of security researchers from ETH Zurich and Google have demonstrated a practical Rowhammer attack against DDR5 memory.

Dubbed Phoenix and tracked as CVE-2025-6202, the DDR5 Rowhammer attack was found to be effective against 15 devices from SK Hynix, the largest DRAM manufacturer.

In a Rowhammer attack, a DRAM memory row is accessed repeatedly to cause electrical interference that leads to bit flips in adjacent rows. This can result in elevation of privileges, data corruption, data leakage, and the breaking of memory isolation in virtualized environments.

After more than a decade of known Rowhammer attacks targeting CPUs and CPU-attached memory, a group of University of Toronto researchers this year demonstrated that such attacks are possible and practical against GPUs as well.

The newly devised Phoenix attack shows that, despite its more sophisticated in-DRAM Target Row Refresh (TRR) mechanisms meant to prevent Rowhammer attacks, DDR5 is vulnerable too.


To prove that, four ETH Zurich academics and two Google researchers reverse-engineered the TRR schemes in DDR5, finding that a successful attack needs to "precisely track thousands of refresh operations".

In their paper (PDF), the researchers explain that the protections DDR5 ships with require significantly longer Rowhammer patterns to be bypassed, and that these patterns need to stay in sync with thousands of refresh commands.

Phoenix, however, was designed to resynchronize the pattern when missed refresh operations are detected, thus triggering bit flips that allowed the researchers to build a privilege escalation exploit and gain root on a commodity DDR5 system with default settings.

"We evaluate Phoenix on 15 DDR5 DIMMs from SK Hynix and show that it can trigger bit flips on all of them. We also demonstrate that the bit flips are exploitable by building the first Rowhammer privilege escalation exploit working in default settings on a PC in as little as 109 seconds," the researchers note.


The researchers say they limited their work to SK Hynix devices because of the extensive effort required to reverse engineer the implemented mitigations, and point out that DDR5 devices from other manufacturers should not be considered safe against Rowhammer attacks.

Tripling the refresh rate, the researchers say, prevents Phoenix from triggering bit flips, but incurs an overhead of 8.4%. More principled mitigations, such as per-row activation counters, should stop Rowhammer attacks completely, they say.
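To make the two mitigations mentioned above concrete, here is an added toy model of DRAM row disturbance written for this article; it is not code from the Phoenix paper, from ETH Zurich, Google or SK Hynix. The row count, the disturbance threshold at which a neighboring cell flips, the refresh window and the counter limit are all constructed values with no relation to any real DIMM. The model compares an unmitigated bank, a bank with a tripled refresh rate, and a bank with per-row activation counters that refresh a row's neighbors early once it has been opened too often.

```python
"""Toy model of DRAM row disturbance and two Rowhammer mitigations.

Added illustration only: not code from the Phoenix paper or any vendor.
Every numeric parameter below is constructed, not a real DRAM value.
"""
from dataclasses import dataclass, field

# Constructed: activations an adjacent row tolerates before one of its cells
# flips, if the row has not been refreshed in the meantime.
FLIP_THRESHOLD = 10_000


@dataclass
class Bank:
    rows: int = 64
    refresh_window: int = 12_000   # activations between full refreshes (constructed)
    counter_limit: int = 0         # per-row activation counter limit; 0 = disabled
    disturbance: dict = field(default_factory=dict)
    counters: dict = field(default_factory=dict)
    flipped: set = field(default_factory=set)
    ticks: int = 0

    def neighbors(self, row):
        return [n for n in (row - 1, row + 1) if 0 <= n < self.rows]

    def refresh(self, row):
        # A refresh restores the cell charge, so accumulated disturbance is cleared.
        self.disturbance[row] = 0

    def activate(self, row):
        # Every activation of a row disturbs the physically adjacent rows.
        for n in self.neighbors(row):
            self.disturbance[n] = self.disturbance.get(n, 0) + 1
            if self.disturbance[n] >= FLIP_THRESHOLD:
                self.flipped.add(n)  # a flipped bit stays flipped until rewritten
        if self.counter_limit:
            # Per-row activation counter: once this row has been opened
            # counter_limit times, refresh its neighbors early and reset.
            self.counters[row] = self.counters.get(row, 0) + 1
            if self.counters[row] >= self.counter_limit:
                self.counters[row] = 0
                for n in self.neighbors(row):
                    self.refresh(n)
        self.ticks += 1
        if self.ticks % self.refresh_window == 0:
            # Periodic refresh of the whole bank.
            for r in range(self.rows):
                self.refresh(r)


def hammer(bank, row, activations):
    """Activate one row repeatedly and return the rows that flipped."""
    for _ in range(activations):
        bank.activate(row)
    return sorted(bank.flipped)


def compare_mitigations(aggressor=5, activations=30_000):
    """Run the same access pattern against three bank configurations."""
    return {
        "baseline": hammer(Bank(), aggressor, activations),
        "triple_refresh": hammer(Bank(refresh_window=12_000 // 3), aggressor, activations),
        "per_row_counters": hammer(Bank(counter_limit=2_000), aggressor, activations),
    }


if __name__ == "__main__":
    for name, flips in compare_mitigations().items():
        print(f"{name:18s} flipped rows: {flips or 'none'}")
```

In the baseline configuration the rows on either side of the hammered row (4 and 6) accumulate enough disturbance to flip before the periodic refresh arrives; the shortened refresh window and the per-row counters both clear the disturbance early, so no row flips. The counter-based variant does this without refreshing the whole bank more often, which is why the researchers describe it as the more principled approach.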

Phoenix was disclosed to SK Hynix, CPU vendors, and major cloud providers in early June. Last week, AMD released BIOS updates to address CVE-2025-6202 in client machines, the researchers note.
