VMScape: A New CPU Vulnerability Threatens Cloud Security
Researchers at ETH Zurich have unveiled a novel attack dubbed VMScape, bearing strong resemblance to Spectre and posing a significant threat to virtualization infrastructures. The attack enables a malicious virtual machine to extract cryptographic keys from an unmodified QEMU hypervisor process running on modern AMD and Intel processors.
The central danger lies in its ability to bypass the isolation between guest and host: it works even with the standard Spectre mitigations enabled and requires no prior foothold on the host itself. In theory, an adversary would need only to rent a virtual machine from a cloud provider to begin siphoning secrets from the hypervisor or from neighbouring guests.
The vulnerability, tracked as CVE-2025-40300, affects all generations of AMD Zen processors from Zen 1 through Zen 5, as well as Intel Coffee Lake CPUs. More recent architectures, such as Raptor Cove and Gracemont, remain unaffected. According to the report, the flaw stems from incomplete isolation of branch prediction units (BPUs). This weakness allows a guest VM to manipulate branch predictions in the hypervisor’s execution flow via shared structures, including the Branch Target Buffer, Indirect Branch Predictor, and Branch History Buffer.
The attack is rooted in the Spectre-BTI (Branch Target Injection) technique. The researchers demonstrated that a guest can mistrain QEMU's branch predictions, coercing the hypervisor into speculatively executing carefully chosen gadgets that bring secret-dependent data into a buffer shared with the guest. The cache state of that buffer is then read out through the FLUSH+RELOAD side channel.
To extend the speculative execution window, the attacking VM leverages cache eviction sets on AMD Zen 4 processors, while ASLR bypass is achieved through branch collision searches and carefully chosen virtual addresses of the reload buffer. In practice, the researchers achieved a leakage rate of 32 bytes per second with 98.7% accuracy. This translates to extracting a 4 KB disk encryption key in just 128 seconds, or approximately 13 minutes when factoring in ASLR bypass.
The implications for cloud services are profound: virtualization underpins multi-tenant environments, and the ability of one guest VM to read hypervisor memory threatens the confidentiality of all other clients. Still, the attack demands advanced technical expertise, stable conditions, and considerable time, which reduces the immediate risk for everyday users.
The vulnerability was responsibly disclosed to AMD and Intel on June 7, 2025. AMD has since issued a security advisory, while Linux kernel developers have implemented a safeguard: upon switching from guest to host, the system now enforces the IBPB (Indirect Branch Prediction Barrier) to flush prediction buffers. According to researchers, this mitigation introduces negligible performance overhead under typical workloads.
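Operators who want to confirm that the kernel-side safeguard is in place can ask the kernel directly: Linux reports its view of each CPU issue as one file under /sys/devices/system/cpu/vulnerabilities/, with contents beginning "Not affected", "Mitigation: ..." or "Vulnerable". The following POSIX shell check is an added example for this article, not code from the ETH Zurich researchers or from the kernel patches. It assumes the entry for this issue is named `vmscape`, as in upstream Linux, and the status strings used in comments and samples are constructed examples of the format rather than text taken from the page.

```shell
#!/bin/sh
# Summarise the kernel's self-reported CPU-vulnerability mitigation status.
# Each file under DIR corresponds to one hardware issue; a status starting
# with "Vulnerable" means the CPU is affected and no mitigation is active.

# check_vulns [DIR]
#   Prints one line per entry ("OK " / "BAD" / "?? " followed by name and
#   status) and returns 1 if any entry is unmitigated, 0 otherwise.
#   DIR defaults to the live sysfs directory; a different directory can be
#   passed for testing or for inspecting a copied /sys tree.
check_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            "Not affected"*) tag="OK " ;;                 # hardware not affected
            "Mitigation:"*)  tag="OK " ;;                 # e.g. "Mitigation: IBPB ..." (sample)
            "Vulnerable"*)   tag="BAD"; rc=1 ;;           # affected, nothing active
            *)               tag="?? " ;;                 # unknown format, inspect manually
        esac
        printf '%s %-28s %s\n' "$tag" "$name" "$status"
    done
    return "$rc"
}

# vmscape_status [DIR]
#   Prints the raw status of the VMScape entry. Returns 2 when the file is
#   absent, which on a real system means the kernel predates the mitigation
#   and cannot report on this issue at all (assumed entry name: vmscape).
vmscape_status() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    f="$dir/vmscape"
    if [ ! -f "$f" ]; then
        echo "no vmscape entry: kernel does not know about this issue"
        return 2
    fi
    cat "$f"
}
```

Source the file and run `check_vulns` on a host; a non-zero exit status is a convenient hook for configuration-management or fleet-audit tooling, and `vmscape_status` distinguishes "the kernel says we are mitigated" from "the kernel is too old to say anything", which a plain `grep` over the directory would silently conflate.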