VMScape Attack Breaks CPU Isolation on AMD and Intel Systems

Summary
– VMScape is a new Spectre-like attack that allows a malicious virtual machine to leak cryptographic keys from an unmodified QEMU hypervisor on modern AMD or Intel CPUs.
– The attack bypasses existing Spectre mitigations by exploiting shared branch prediction unit structures, breaking isolation between VMs and the hypervisor without requiring host compromise.
– It affects all AMD processors from Zen 1 to Zen 5 and Intel’s “Coffee Lake” CPUs, but not newer “Raptor Cove” and “Gracemont” architectures.
– Researchers demonstrated the attack can leak arbitrary memory from QEMU at 32 bytes/second with high accuracy, potentially extracting a 4KB secret in under 13 minutes.
– Patches have been released adding an Indirect Branch Prediction Barrier on VMEXIT to mitigate the vulnerability with minimal performance impact.
A newly identified security vulnerability known as VMScape enables a malicious virtual machine to extract sensitive information, including cryptographic keys, from a QEMU hypervisor operating on both AMD and Intel processors. This attack bypasses existing Spectre mitigations and compromises the isolation between virtual environments and the host system, posing a significant risk to cloud infrastructure security.
What makes VMScape particularly concerning is that it functions without requiring any modification to the host system or virtualization software. Even with standard hardware-level protections in place, an attacker could potentially rent a virtual machine from a cloud provider and use it to access confidential data from the hypervisor or other guest machines.
Researchers from ETH Zurich in Switzerland developed this attack method, which impacts a wide range of processors. All AMD Zen architectures from Zen 1 through Zen 5 are vulnerable, along with Intel’s Coffee Lake generation. Newer Intel microarchitectures, including Raptor Cove and Gracemont, remain unaffected.
Modern processors incorporate protections designed to prevent speculative execution attacks by isolating branch prediction units between guest and host environments. However, the research team discovered that this isolation is not fully effective. Because structures like the Branch Target Buffer (BTB) and Branch History Buffer (BHB) are shared, a guest user can influence indirect branch prediction within a host process.
The attack specifically targets QEMU, a user-mode hypervisor component that maps guest memory into its address space. This setup allows the use of a FLUSH+RELOAD cache side-channel technique. By employing a Spectre-BTI (Branch Target Injection) approach, attackers can misdirect an indirect branch in QEMU, causing it to speculatively execute code that leaks secret information into a shared reload buffer.
To extend the speculative execution window, the attacker evicts specific cache entries from within the guest virtual machine, focusing on the Last-Level Cache (LLC) in AMD Zen 4 systems. The Address Space Layout Randomization (ASLR) security feature, which randomizes memory addresses, is defeated through branch collision probing and brute-forcing the reload buffer’s virtual address.
In practical tests, the research team demonstrated that VMScape can extract arbitrary memory data from QEMU at a rate of 32 bytes per second with 98.7% byte-level accuracy. The overall success rate for the exploit was measured at 43%. At this speed, a 4KB secret, such as a disk encryption key, could be fully extracted in approximately 128 seconds. When including the time required to bypass ASLR, the entire process takes around 772 seconds, or just under 13 minutes.
Virtualization serves as the foundational technology for modern cloud computing, and the ability of one guest machine to read host memory represents a serious threat to multi-tenant security. That said, executing an attack like VMScape demands advanced technical knowledge, specialized expertise, and a sustained execution window. These factors significantly reduce the immediate risk to the broader user base.
The ETH Zurich team responsibly disclosed their findings to AMD and Intel on June 7, and the vulnerability was assigned CVE-2025-40300. AMD has since published a security bulletin addressing the issue. Linux kernel developers have released patches that mitigate VMScape by implementing an Indirect Branch Prediction Barrier (IBPB) on VMEXIT, which flushes the branch prediction unit during transitions from guest to host mode. According to the researchers, this mitigation introduces only minimal performance overhead in typical workloads.
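One defender-side check that follows from the mitigation described above, added here as an example and not part of the original article: a small Python audit that reads the Linux kernel's sysfs hardware-vulnerability reports and classifies whether the IBPB flush is active. It assumes the patched kernel exposes a `vmscape` entry under `/sys/devices/system/cpu/vulnerabilities/` alongside the existing Spectre entries (the path, the entry name and the exact status strings are assumptions, not taken from the article) and falls back to a directory of constructed sample values so it runs offline.

```python
import os
import tempfile

# Assumption: the patched kernel reports VMScape status next to the other
# Spectre-family entries (spectre_v2, retbleed, ...) in this directory.
VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"
ENTRIES = ("vmscape", "spectre_v2")

def classify(status):
    """Map one sysfs status line to a coarse verdict, following the kernel's
    hw-vuln convention: 'Not affected' / 'Mitigation: <name>' / 'Vulnerable'."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        # The article's fix is an IBPB flush at VMEXIT; other mitigation text
        # is still reported as 'mitigated' so the operator can read the detail.
        return "mitigated_ibpb" if "IBPB" in s else "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"

def audit(vuln_dir=VULN_DIR):
    """Return {entry: (raw_status, verdict)}; a missing file means the running
    kernel predates the fix and cannot report on it, so it is flagged."""
    report = {}
    for name in ENTRIES:
        path = os.path.join(vuln_dir, name)
        if not os.path.exists(path):
            report[name] = ("<no sysfs entry>", "kernel_unaware")
            continue
        with open(path) as f:
            raw = f.read()
        report[name] = (raw.strip(), classify(raw))
    return report

def constructed_sample_dir():
    """Fake sysfs directory with constructed status lines, for offline runs."""
    d = tempfile.mkdtemp()
    samples = {"vmscape": "Mitigation: IBPB on VMEXIT\n",  # constructed value
               "spectre_v2": "Vulnerable\n"}               # constructed value
    for name, text in samples.items():
        with open(os.path.join(d, name), "w") as f:
            f.write(text)
    return d

if __name__ == "__main__":
    target = VULN_DIR if os.path.isdir(VULN_DIR) else constructed_sample_dir()
    for entry, (raw, verdict) in audit(target).items():
        print(f"{entry:12} {verdict:16} {raw}")
```

A `kernel_unaware` verdict on a host that runs VMs is the case to act on first: the kernel cannot have the IBPB-on-VMEXIT mitigation if it does not know about the vulnerability at all.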
(Source: Bleeping Computer)