Researchers have devised a new technique to trigger Rowhammer bit flips inside the memory cells of DDR5 RAM modules, which were believed to be protected against such attacks. This type of attack allows controlled memory modification leading to privilege escalation exploits or the leaking of sensitive data stored in restricted memory regions.
To achieve their new attack, dubbed Phoenix, researchers from ETH Zurich and Google reverse-engineered the advanced Target Row Refresh (TRR) mechanisms in DDR5 DIMMs from SK Hynix, one of the largest suppliers of DRAM chips. The exploit is now tracked as CVE-2025-6202.
“Our evaluation shows that Phoenix triggers bit flips on 15 out of 15 DDR5 devices in our test pool,” the researchers wrote in their paper. “Using these bit flips, we build the first Rowhammer privilege escalation exploit that obtains root on a commodity DDR5 system with default settings in as little as 109 seconds. These results provide further evidence that a principled Rowhammer mitigation, such as per-row activation counters, is mandatory for a secure operation of future devices.”
Defeating existing Rowhammer protections
Rowhammer is a method of intentionally causing disturbance errors, or bit flips, inside the tightly packed memory cells in modern DRAM chips. Since 2014, researchers have observed that rapid and repeated read operations on the same physical row of memory cells can cause electric charges to leak into adjacent rows, changing the values stored in cells from 0 to 1 or the other way around. In 2015, researchers from Google showed that if performed in a controlled manner, this can have security implications, such as privilege escalation in operating systems between userspace and kernel or bypasses of process sandboxes.
Rowhammer and its various variations discovered since have primarily impacted DDR3 and DDR4 memory modules, with DDR5, a newer technology, using more sophisticated mechanisms to detect and correct disturbance errors. These mitigation mechanisms are known as Target Row Refresh (TRR) and involve detecting so-called aggressor rows that are being hammered and then refreshing the adjacent victim rows to correct any bit flips that might have occurred. TRR is present in DDR4 as well, but in a less sophisticated and easier-to-defeat implementation.
TRRs are proprietary and not publicly documented, which is why previously attempted Rowhammer attacks against DDR5 had very limited success. But one Rowhammer attack dubbed Zenhammer disclosed in 2024 managed to trigger bit flips in one of 10 tested DDR5 DIMMs. By comparison, the new Phoenix attack managed to trigger bit flips in all tested DIMMs.
“Our reverse-engineering efforts show that significantly longer Rowhammer patterns are nowadays necessary to bypass these new protections,” the researchers said. “To trigger Rowhammer bit flips, such patterns need to remain in-sync with thousands of refresh commands, which is challenging. Our new Rowhammer attack, called Phoenix, resynchronizes these long patterns as necessary to trigger the first DDR5 bit flips in devices with such advanced TRR protections.”
Even though the researchers targeted only SK Hynix memory modules, the attack could have implications for other memory manufacturers as well, because the same reverse-engineering techniques documented in the paper could be applied to uncover those vendors' proprietary TRR implementations and find Rowhammer patterns that defeat them.
To test the practicality of their exploit, the researchers devised three attacks: one that modified Page Table Entries (PTEs); one that leaked RSA-2048 keys used for SSH authentication from a virtual machine co-located on the same system; and one that escalated privileges to root on a Linux system through the sudo binary.
PTEs are used by the CPU’s memory management unit to map virtual memory addresses used by applications to locations in the physical memory where the data is stored. By forging PTEs, an attacker can perform arbitrary read/write operations into memory regions they shouldn’t have access to.
All 15 modules were vulnerable to the PTE attack with an average attack time to trigger an exploitable bit flip of 2m 36s. For leaking the RSA-2048 key, the attack needed 6m 20s on average and succeeded on 11 of the 15 modules. The sudo binary attack succeeded on five modules and required an average time of 36m 55s.
However, the researchers note that both the RSA-2048 and sudo binary attacks would likely have succeeded on more devices if the amount of memory hammered were increased beyond the 256MB limit used in their tests.
A proof of concept exploit along with experiments related to this research have been released on GitHub.
Mitigations
One limitation of the attack is that it only works on AMD CPUs: Intel CPUs include an additional in-CPU mitigation, pTRR, that would also need to be bypassed, and no technique for bypassing it has been developed so far.
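A quick way for an administrator to see whether a Linux host falls inside the hardware combination the article describes as demonstrated (DDR5 modules from SK Hynix on an AMD CPU) is to read the DIMM inventory from dmidecode and the CPU vendor from /proc/cpuinfo. The script below is an added example and not part of the Phoenix research artifacts; it assumes dmidecode is installed and that the script runs as root, and the dmidecode output embedded in it is constructed for illustration. A match only means the host is in the population the paper tested; other DDR5 parts are reported as untested rather than safe, because the paper covered SK Hynix modules only.

```python
"""Exposure triage for the hardware preconditions in the Phoenix article.

Added example, not the researchers' tooling. Assumes: dmidecode is
installed and we run as root (it reads SMBIOS tables), Linux exposes
/proc/cpuinfo. The parsers also accept saved text, so they can be run
offline against an inventory export, which is what the sample does."""
import re
import subprocess
from dataclasses import dataclass


@dataclass
class Dimm:
    locator: str
    mem_type: str
    manufacturer: str
    size: str


def parse_dmidecode_memory(text: str) -> list[Dimm]:
    """Turn 'dmidecode -t memory' output into populated DIMM records.

    Only 'Memory Device' (DMI type 17) blocks are used; 'Memory Device
    Mapped Address' blocks and empty slots ('No Module Installed') are
    skipped."""
    dimms = []
    for block in re.split(r"\n(?=Handle )", text):
        if not re.search(r"^Memory Device$", block, re.M):
            continue
        fields = dict(re.findall(r"^\s*([A-Za-z ]+?):\s*(.*)$", block, re.M))
        if fields.get("Size", "").startswith("No Module"):
            continue
        dimms.append(Dimm(
            locator=fields.get("Locator", "?"),
            mem_type=fields.get("Type", "?"),
            manufacturer=fields.get("Manufacturer", "?"),
            size=fields.get("Size", "?"),
        ))
    return dimms


def cpu_vendor(cpuinfo_text: str) -> str:
    """Return the vendor_id string from /proc/cpuinfo text ('AuthenticAMD', ...)."""
    m = re.search(r"^vendor_id\s*:\s*(\S+)", cpuinfo_text, re.M)
    return m.group(1) if m else "unknown"


def assess(dimms: list[Dimm], vendor: str) -> dict:
    """Flag SK Hynix DDR5 on an AMD CPU, the setup the paper demonstrated.

    Some BIOSes report a JEDEC manufacturer code instead of a name, so a
    blank or hex-looking manufacturer field needs a manual look."""
    hynix_ddr5 = [d for d in dimms
                  if d.mem_type == "DDR5" and "hynix" in d.manufacturer.lower()]
    other_ddr5 = [d for d in dimms if d.mem_type == "DDR5" and d not in hynix_ddr5]
    amd = vendor == "AuthenticAMD"
    return {
        "amd_cpu": amd,
        "hynix_ddr5": [d.locator for d in hynix_ddr5],
        "other_ddr5_untested": [d.locator for d in other_ddr5],
        "matches_demonstrated_setup": amd and bool(hynix_ddr5),
    }


# Constructed sample in dmidecode's layout: one populated SK Hynix DDR5
# slot, one empty slot, and a type-20 mapping block that must be ignored.
SAMPLE_DMIDECODE = """\
Handle 0x0041, DMI type 17, 40 bytes
Memory Device
        Array Handle: 0x0040
        Size: 16 GB
        Form Factor: DIMM
        Locator: DIMM_A1
        Type: DDR5
        Manufacturer: SK Hynix
        Part Number: CONSTRUCTED-PART-0

Handle 0x0042, DMI type 17, 40 bytes
Memory Device
        Array Handle: 0x0040
        Size: No Module Installed
        Locator: DIMM_A2
        Type: Unknown

Handle 0x0043, DMI type 20, 35 bytes
Memory Device Mapped Address
        Starting Address: 0x00000000000
        Physical Device Handle: 0x0041
"""


def main() -> None:
    out = subprocess.run(["dmidecode", "-t", "memory"],
                         capture_output=True, text=True, check=True).stdout
    with open("/proc/cpuinfo") as f:
        vendor = cpu_vendor(f.read())
    print(assess(parse_dmidecode_memory(out), vendor))


if __name__ == "__main__":
    main()
```

Run it as root on the host; the result dictionary lists the slot locators that match, the DDR5 slots from other vendors that the paper did not test, and whether the CPU is AMD.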
One potential mitigation in existing modules is to triple the refresh rate, the researchers found, but this would degrade performance by introducing an 8.4% overhead. Also, while this would mitigate existing Phoenix row-hammering patterns, there’s no guarantee others couldn’t be found to bypass the faster refresh rate.
AMD also reportedly released a BIOS update for its CPUs that changes the memory controller’s refresh mode to Fine-Granularity Refresh (FGR), increasing the refresh rate and reducing the time dedicated to each refresh command. The research team did not get to test whether this stops Phoenix, but they do not believe this change will provide strong protection.
“We strongly recommend against deploying yet another obscure mitigation without a rigorous security analysis in future devices,” the researchers concluded. “Instead, the DRAM vendors must deploy TRR mitigations with principled guarantees. The new Per Row Activation Counting specification provides a possibility for implementing such principled mitigations inside DRAM.”