Full Report
Academic researchers have devised a new variant of Rowhammer attacks that bypass the latest protection mechanisms on DDR5 memory chips from SK Hynix. [...]
Analysis Summary
# Vulnerability: Phoenix Rowhammer Attack Bypasses DDR5 Defenses
## CVE Details
- CVE ID: CVE-2025-6202
- CVSS Score: Not given in the source; the disclosure describes the issue as high-severity.
- CWE: Not stated in the source. The root cause is a DRAM hardware weakness (insufficient protection against read disturbance, i.e. Rowhammer), not a software defect, so it cannot be fixed by patching code.
## Affected Systems
- Products: DDR5 memory modules (specifically tested on SK Hynix products, but risk may extend to other vendors).
- Versions: SK Hynix DDR5 DIMMs manufactured between January 2021 and December 2024; every module the researchers tested from that range was vulnerable. Other vendors' DDR5 was not part of the test pool, so their status is unknown rather than confirmed safe.
- Configurations: Commodity DDR5 systems with default settings.
## Vulnerability Description
Phoenix is a Rowhammer variant that bypasses the in-DRAM Target Row Refresh (TRR) mitigation in SK Hynix DDR5 chips. Rowhammer repeatedly activates (hammers) DRAM rows so that electrical disturbance from the aggressor rows leaks charge out of physically adjacent victim rows and flips bits in them. TRR is meant to stop this by tracking frequently activated rows and issuing extra refreshes to their neighbors during the regular refresh commands. The researchers reverse-engineered the Hynix TRR and found that its sampling is periodic and leaves some refresh intervals unmonitored, so aggressor activations issued during those intervals are never counted. Phoenix keeps its hammering in step with the memory controller's refresh commands and issues activations only in the unsampled slots of two long periodic patterns, one spanning 128 refresh intervals and one spanning 2608, which is enough to accumulate bit flips despite TRR.
## Exploitation
- Status: PoC available (the researchers demonstrated the first Rowhammer privilege escalation exploit on a commodity DDR5 system and published their code and tooling).
- Complexity: Low once a working pattern exists for the target module: the published exploit gained root on a commodity DDR5 system with default settings in under two minutes. The patterns are tied to the reverse-engineered TRR behavior of the tested chips, so other memory would require the same reverse-engineering effort first.
- Attack Vector: Local. Rowhammer requires the ability to run code on the target, for example as an unprivileged user or from a co-located VM; no network or physical access is needed beyond that, and the outcome is local privilege escalation or cross-tenant compromise.
## Impact
- Confidentiality: High. Demonstrated exploits corrupted page-table entries to obtain an arbitrary physical memory read/write primitive, and corrupted the in-memory RSA key material of a co-located VM to break its SSH authentication.
- Integrity: High. Bit flips were used to modify the `sudo` binary and gain root on 33% of the tested modules; the page-table-entry corruption above also gives unrestricted write access to memory.
- Availability: Moderate. Uncontrolled bit flips during hammering can crash the target, and the only known workaround (a higher DRAM refresh rate) can itself destabilize the system.
## Remediation
### Patches
- None. Rowhammer is an industry-wide DRAM problem, and the TRR logic lives inside the memory chips, so deployed modules cannot be patched. Relief for existing hardware is limited to refresh settings exposed by firmware/BIOS (see Workarounds).
### Workarounds
- Tripling the DRAM refresh rate, i.e. shortening the refresh interval tREFI to one third of its nominal value (for DDR5 from about 3.9 µs to about 1.3 µs), can stop Phoenix: each row is restored before enough aggressor activations accumulate between two of its refreshes. Note that *lengthening* tREFI would make the attack easier, not harder.
- **Warning:** The higher refresh rate costs memory bandwidth and, on the tested systems, caused errors and data corruption that left the system unstable, so it must be validated on each platform before being relied on.
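To make the two mechanisms above concrete (a TRR sampler with unsampled refresh intervals, and why a shorter tREFI shrinks the attacker's budget), here is a toy simulation. It is an added illustration, not code from the Phoenix paper or repository, and every constant in it is hypothetical: the one-in-eight sampling schedule, the 128-interval period, the 35,000-activation flip threshold and the 50 ns row cycle time are assumptions chosen for illustration and do not describe SK Hynix's real TRR logic or the published 128/2608-interval patterns. The refresh-command synchronization Phoenix needs in practice is not modeled; the attacker is simply given the schedule.

```python
"""Toy model of an in-DRAM Target Row Refresh (TRR) sampler with blind spots.

Added illustration, not code from the Phoenix paper or repository. All
constants (sampler schedule, flip threshold, timings) are hypothetical and
do not describe SK Hynix's real TRR logic or the published 128/2608-interval
patterns. The model shows two things the text states in prose:
  1. a sampler that ignores some refresh intervals can be bypassed by a
     hammer pattern that activates aggressors only in those intervals;
  2. raising the refresh rate (shortening tREFI) shrinks the activation
     budget per refresh window and can push the pattern below threshold.
"""

# Hypothetical timing and mitigation parameters (assumptions, not vendor data)
TREFI_NS = 3900                  # nominal DDR5 refresh interval, about 3.9 us
TRC_NS = 50                      # row cycle time: at most one activation per tRC
REFRESH_WINDOW_INTERVALS = 8192  # a row is refreshed once per 8192 tREFI (tREFW = 32 ms)
SAMPLER_PERIOD = 128             # the sampler schedule repeats every 128 intervals
# Hypothetical blind spots: one interval in every eight is never sampled.
UNSAMPLED_SLOTS = frozenset(s for s in range(SAMPLER_PERIOD) if s % 8 == 7)
FLIP_THRESHOLD = 35_000          # aggressor activations before a neighbor flips (hypothetical)


def activations_per_interval(refresh_rate_multiplier: int = 1) -> int:
    """Activations an attacker can issue to one aggressor between two refresh
    commands. Multiplying the refresh rate by k divides tREFI by k."""
    return (TREFI_NS // refresh_rate_multiplier) // TRC_NS


def simulate(hammer_in_slot, refresh_rate_multiplier: int = 1) -> int:
    """Run one refresh window and return the peak disturbance the victim row
    accumulates between two refreshes of that row.

    hammer_in_slot(slot) -> bool decides whether the attacker hammers the
    aggressor during refresh interval `slot` of the sampler period. The
    sampler observes activations only in sampled intervals; when it has seen
    the aggressor, the refresh command closing that interval also refreshes
    (restores) the victim row, resetting its disturbance count.
    """
    budget = activations_per_interval(refresh_rate_multiplier)
    disturbance = 0
    peak = 0
    for interval in range(REFRESH_WINDOW_INTERVALS):
        slot = interval % SAMPLER_PERIOD
        if not hammer_in_slot(slot):
            continue
        disturbance += budget
        peak = max(peak, disturbance)
        if slot not in UNSAMPLED_SLOTS:   # sampled: TRR catches the aggressor
            disturbance = 0
    return peak                           # the regular refresh at tREFW resets it anyway


def naive_hammer(slot: int) -> bool:
    """Classic Rowhammer: hammer in every interval; TRR samples it and refreshes."""
    return True


def synchronized_hammer(slot: int) -> bool:
    """Phoenix-style: hammer only in the intervals the sampler never watches.
    The attacker must know the schedule (reverse engineering) and stay in
    step with the refresh commands; that synchronization is not modeled here."""
    return slot in UNSAMPLED_SLOTS


def flips(peak_disturbance: int) -> bool:
    """True when the accumulated disturbance reaches the (hypothetical) flip threshold."""
    return peak_disturbance >= FLIP_THRESHOLD


def report() -> dict:
    """Peak disturbance and flip outcome for each pattern at 1x, 2x and 3x refresh rate."""
    out = {}
    for name, pattern in (("naive", naive_hammer), ("synchronized", synchronized_hammer)):
        for k in (1, 2, 3):
            peak = simulate(pattern, k)
            out[(name, k)] = (peak, flips(peak))
    return out


if __name__ == "__main__":
    for (name, k), (peak, flipped) in report().items():
        print(f"{name:13s} refresh x{k}: peak {peak:6d} activations -> {'FLIP' if flipped else 'safe'}")
```

In this toy the naive pattern never gets more than two intervals' worth of activations onto the victim before TRR refreshes it, while the synchronized pattern accumulates activations across the whole 32 ms window because the sampler never sees them. Tripling the refresh rate cuts the per-interval budget from 78 to 26 activations and drops the synchronized pattern below the threshold; doing the opposite (tripling tREFI) would triple the budget, which is why the workaround must be read as a shorter interval, not a longer one.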
## Detection
- Indicators of Compromise: Rowhammer leaves few direct traces. Possible signals are unexplained system instability or memory corruption, a process gaining privileges with no legitimate escalation path, and, on platforms with host-visible ECC, bursts of corrected or uncorrected memory errors in the hardware error log concentrated in a few physical rows. DDR5's on-die ECC does not report to the host, so commodity systems usually lack that last signal.
- Detection Methods and Tools: No Phoenix-specific detection tool is described. The resources the researchers published (including FPGA-based tooling for reverse-engineering TRR implementations) exist to reproduce the research, not to monitor production systems. Generic Rowhammer detection approaches rely on hardware performance counters or memory-error telemetry and depend on platform support.
## References
- Technical Paper: `hXXps://comsec-files.ethz.ch/papers/phoenix_sp26.pdf`
- Proof-of-Concept Repository: `hXXps://github.com/comsec-group/phoenix`