DDR5 Memory Vulnerable to Rowhammer Attack

Summary
– Researchers from ETH Zurich and Google demonstrated a practical Rowhammer attack called Phoenix (CVE-2025-6202) against DDR5 memory.
– The attack successfully caused bit flips on all 15 tested SK Hynix DDR5 devices, enabling privilege escalation and root access in as little as 109 seconds.
– Phoenix bypasses DDR5’s Target Row Refresh (TRR) protections by precisely tracking and synchronizing with thousands of refresh operations.
– While tripling the refresh rate prevents the attack with an 8.4% performance overhead, researchers recommend stronger mitigations like per-row activation counters.
– The vulnerability was disclosed to SK Hynix and vendors, with AMD releasing BIOS updates to address CVE-2025-6202 in client machines.
A team of cybersecurity experts from ETH Zurich and Google has successfully executed a practical Rowhammer-style attack on DDR5 memory modules, marking a significant development in hardware security vulnerabilities. This newly identified exploit, named Phoenix and cataloged under CVE-2025-6202, effectively bypasses built-in protections in 15 separate devices manufactured by SK Hynix, the world’s leading DRAM producer.
Rowhammer attacks exploit a physical weakness of DRAM: repeatedly activating (hammering) a specific row causes electrical interference that flips bits in physically adjacent rows. Such unintended bit flips can lead to privilege escalation, data corruption, information leakage, or the breakdown of memory isolation in virtualized environments. Although Rowhammer has been a known threat to CPUs and CPU-managed memory for over a decade, researchers from the University of Toronto have now demonstrated that graphics processing units (GPUs) are also vulnerable. Moreover, Phoenix shows that even DDR5, despite its sophisticated Target Row Refresh (TRR) defenses, is not immune.
To carry out the attack, researchers reverse-engineered the TRR protocols in DDR5 and found that circumventing these safeguards required precise tracking of thousands of refresh operations. The protective mechanisms in DDR5 demand much longer and more intricate Rowhammer patterns, which must remain synchronized with a high volume of refresh commands. Phoenix introduces a method to automatically resynchronize the attack pattern whenever missed refreshes are detected, enabling consistent bit flips.
Using this approach, the team developed a privilege escalation exploit that granted root access on a standard DDR5 system using default configurations in just 109 seconds. The researchers confirmed that Phoenix induced bit flips across all 15 SK Hynix DIMMs tested. Although the study focused exclusively on SK Hynix hardware due to the intensive reverse-engineering required, the team emphasized that DDR5 products from other manufacturers should not be considered safe from similar attacks.
One potential way to address the issue involves increasing the memory refresh rate by a factor of three, which successfully prevented bit flips during tests but resulted in an 8.4% performance overhead. More comprehensive methods, like per-row activation counters, might offer full protection against Rowhammer exploits. This vulnerability was reported to SK Hynix, CPU manufacturers, and major cloud providers in early June. Subsequently, AMD released BIOS updates to tackle CVE-2025-6202 on client systems.
(Source: Security Week)