Phoenix: A New Rowhammer Attack Bypasses DDR5 Protections
Researchers from COMSEC, in collaboration with Google engineers, have uncovered a novel Rowhammer variant capable of circumventing protections in contemporary SK Hynix DDR5 modules — the flaw has been assigned CVE-2025-6202. The team demonstrated a technique dubbed Phoenix, which exploits gaps in the target-row refresh mechanism and synchronizes attacks with thousands of refresh cycles to induce unintended bit flips within the chips.
Rowhammer works by repeatedly accessing rows adjacent to a target row, generating electrical interference that flips bits — an avenue for attackers to corrupt data, escalate privileges, or execute arbitrary code. Chipmakers mitigated such threats by implementing Target Row Refresh (TRR), a defense that issues extra refreshes when suspicious activity is detected. The Phoenix authors, however, reverse-engineered Hynix’s implementation and identified refresh intervals that escape TRR’s monitoring. To compensate for those unprotected windows, Phoenix employs a self-calibrating synchronization mechanism and finely tuned “strike” patterns across refresh intervals — notably templates spanning 128 and 2,608 intervals compressed into precise activation slots.
In laboratory tests the vulnerability manifested across all 15 Hynix DDR5 modules examined. The short 128-interval pattern proved most effective, producing the highest average rate of bit flips. On a stock DDR5 kit with default settings an attacker could obtain root privileges in under two minutes. Simulated real-world scenarios revealed further risks: attempts to corrupt page-table entries compromised all tested products; efforts to exfiltrate RSA-2048 keys from a neighboring virtual machine succeeded on 73% of DIMMs; and modifying the sudo binary to escalate local privileges worked on 33% of chips.
The researchers emphasize that affected modules were manufactured between January 2021 and December 2024 and that the flaw stems from intrinsic DRAM architectural limits that cannot be fully rectified for already-shipped hardware. As a stopgap, they propose tripling the DRAM refresh interval (tREFI), though this mitigation risks system instability and increased error rates. The technical paper has been published and will be presented at the forthcoming IEEE Symposium on Security and Privacy; reproduction materials and a proof-of-concept repository are available on GitHub.
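The interplay between a sampling TRR tracker, unmonitored refresh intervals and the refresh-rate mitigation can be made concrete with a toy simulation. The model below is an added illustration, not code from the Phoenix paper or its repository; the window length, sampled intervals and thresholds are constructed numbers, not SK Hynix's real parameters.

```python
# Toy model of a refresh-interval-sampling TRR tracker and of how often the
# victim row is refreshed. All constants are constructed for illustration
# (hypothetical); they are not the parameters of any real DRAM module.

WINDOW_INTERVALS = 128   # toy refresh window expressed in refresh intervals
TRR_THRESHOLD = 40       # toy: aggressor activations in one sampled interval that trip TRR
FLIP_THRESHOLD = 4000    # toy: activations a victim row tolerates before a bit flips


def simulate(activations_per_interval, sampled_intervals, refresh_multiplier=1):
    """Return the peak number of aggressor activations the victim row
    accumulates between two refreshes of its own cells.

    activations_per_interval[i]  aggressor activations issued in refresh interval i
    sampled_intervals            interval indices (mod WINDOW_INTERVALS) the toy
                                 TRR tracker actually watches
    refresh_multiplier           how many times more often the victim row is
                                 refreshed within the window (the tREFI-based
                                 mitigation the article describes, in toy form)
    """
    victim_refresh_every = WINDOW_INTERVALS // refresh_multiplier
    accumulated = peak = 0
    for i, acts in enumerate(activations_per_interval):
        if i % victim_refresh_every == 0:
            accumulated = 0   # the victim's own refresh restores its charge
        if i % WINDOW_INTERVALS in sampled_intervals and acts >= TRR_THRESHOLD:
            accumulated = 0   # tracker saw the aggressor and refreshed its neighbours
            continue
        accumulated += acts   # activations in unwatched intervals go unnoticed
        peak = max(peak, accumulated)
    return peak


def flips(peak):
    """True if the accumulated disturbance exceeds the toy victim's tolerance."""
    return peak >= FLIP_THRESHOLD


# Constructed patterns over one toy window.
SAMPLED = set(range(0, WINDOW_INTERVALS, 4))                  # tracker watches every 4th interval
uniform = [50] * WINDOW_INTERVALS                              # even hammering: caught by TRR
gapped = [0 if i in SAMPLED else 60 for i in range(WINDOW_INTERVALS)]  # idle when watched

if __name__ == "__main__":
    print("uniform, 1x refresh:", simulate(uniform, SAMPLED), flips(simulate(uniform, SAMPLED)))
    print("gapped,  1x refresh:", simulate(gapped, SAMPLED), flips(simulate(gapped, SAMPLED)))
    print("gapped,  3x refresh:", simulate(gapped, SAMPLED, 3), flips(simulate(gapped, SAMPLED, 3)))
```

In the toy, even hammering never accumulates more than 150 activations because the tracker intervenes every fourth interval, while activity confined to unwatched intervals reaches 5760 at the default refresh rate and only 1920 when the victim is refreshed three times as often, which is the effect the proposed refresh-rate change relies on.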