The Single-Bit Breach: StackWarp Flaw Shatters AMD’s Confidential Computing
Researchers at the CISPA Helmholtz Center for Information Security in Germany have unearthed a critical vulnerability within AMD processors that jeopardizes the sanctity of data in fortified virtual environments. This flaw compromises AMD SEV-SNP technology, a framework architected specifically to insulate virtual machines from the host hypervisor.
Designated as StackWarp, this vulnerability empowers an adversary with host-server access to exfiltrate confidential intelligence from AMD SEV-SNP guest systems. During their empirical investigations, researchers successfully extracted a private RSA-2048 key, bypassed password authentication for both OpenSSH and sudo, and achieved arbitrary code execution at the kernel level.
AMD was formally apprised of the defect (CVE-2025-29943), disseminated patches in July 2025, and has recently published a security bulletin, though it notably characterizes the severity of the issue as “low.”
The incursion exploits the nuances of the stack engine within AMD Zen processors. The stack is a pivotal memory structure utilized by computing systems to manage function calls, local variables, and return addresses, with its pinnacle monitored by a specialized register known as the stack pointer. To augment performance, both AMD and Intel implement a stack engine within the processor’s front-end to track pointer modifications. The researchers discovered that toggling a single bit—Bit 19 within the undocumented MSR 0xC0011029 register—desynchronizes logical cores and corrupts the data of a neighboring execution thread.
“The vulnerability is exploitable via a previously clandestine control bit on the hypervisor side,” elucidated CISPA researcher Ruyi Zhang. “An attacker executing a hyper-thread in tandem with the target virtual machine can manipulate the stack pointer’s position within the fortified VM.”
This assault is facilitated by Simultaneous Multithreading (SMT), which permits a single processor core to execute multiple threads concurrently. AMD concedes that SMT necessitates the sharing of core resources between threads, rendering the technology a perennial target for sophisticated side-channel attacks.
Technologies such as AMD SEV-SNP and Intel TDX are leveraged by cloud service providers to offer “confidential computing” instances, promising immutable hardware isolation between the virtual machine, the hypervisor, and the host’s administrative code. StackWarp demonstrates that this pledge of security can be shattered by the mere flipping of a single bit.
The researchers have detailed their revelations in a scholarly paper slated for presentation at the USENIX Security 2026 conference, and the exploit code has already been made available via GitHub. They conclude that current implementations of SMT fundamentally undermine the integrity objectives of SEV-SNP, as a neighboring core can alter a guest system’s control and data flow with instruction-level precision. System administrators are strongly exhorted to implement the latest microcode updates provided by AMD.
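A host-side audit of the two conditions discussed above, microcode level and SMT, written as an added example; it is not code from the article or from the researchers' repository. It assumes a Linux host. `min_microcode` is a hypothetical operator-supplied parameter (the patched revision for the CPU model, taken from AMD's bulletin), and the sample revision value is constructed.

```python
import re
from collections import Counter
from pathlib import Path

# Constructed /proc/cpuinfo excerpt (two SMT siblings of one core); not from a real host.
SAMPLE_CPUINFO = (
    "processor\t: 0\nvendor_id\t: AuthenticAMD\nmicrocode\t: 0xa101144\n"
    "physical id\t: 0\ncore id\t\t: 0\n\n"
    "processor\t: 1\nvendor_id\t: AuthenticAMD\nmicrocode\t: 0xa101144\n"
    "physical id\t: 0\ncore id\t\t: 0\n"
)

def parse_cpuinfo(text):
    """Return one {field: value} dict per logical CPU listed in /proc/cpuinfo."""
    cpus = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "processor" in fields:
            cpus.append(fields)
    return cpus

def audit(cpuinfo_text, smt_active, min_microcode=None):
    """Return finding codes for one host. min_microcode is operator-supplied
    (assumption): the patched revision for this CPU model per AMD's bulletin."""
    cpus = parse_cpuinfo(cpuinfo_text)
    if not cpus or any(c.get("vendor_id") != "AuthenticAMD" for c in cpus):
        return ["NOT_AMD"]
    findings = []
    revs = {int(c["microcode"], 16) for c in cpus if "microcode" in c}
    if len(revs) > 1:
        findings.append("MICROCODE_MISMATCH")      # partial or failed update
    if not revs or min_microcode is None:
        findings.append("MICROCODE_UNVERIFIED")    # nothing to compare against
    elif min(revs) < min_microcode:
        findings.append("MICROCODE_BELOW_MINIMUM")
    # Two online logical CPUs on one physical core means sibling threads exist.
    per_core = Counter((c.get("physical id"), c.get("core id")) for c in cpus)
    if smt_active or max(per_core.values()) > 1:
        findings.append("SMT_ACTIVE")
    return findings

if __name__ == "__main__":
    smt = Path("/sys/devices/system/cpu/smt/active")
    active = smt.exists() and smt.read_text().strip() == "1"
    print(audit(Path("/proc/cpuinfo").read_text(), active))
```

Run without arguments, it reports `MICROCODE_UNVERIFIED` until a patched revision for the host's CPU model is passed in as `min_microcode`.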