Red Hot Cyber

Root in less than two minutes: How Phoenix exploits vulnerabilities in DDR5 module TRRs.

Redazione RHC : 20 September 2025 15:33

A new variant of the Rowhammer attack has been developed that bypasses the latest security mechanisms in SK Hynix DDR5 chips. Dubbed Phoenix, the attack yields root access on DDR5-based systems in less than two minutes.

Recall that the original Rowhammer attack was described by researchers at Carnegie Mellon University in 2014. In essence, intensively accessing some memory cells can change the state of bits in adjacent cells.

Memory cells store information as electrical charges, which determine the value of the bit in each cell, 1 or 0. Because the cells are packed so densely, repeated “hammer blows” (an application accessing the same rows thousands of times in a fraction of a second) can alter the charge in adjacent rows and cause “bit flips.” Hence the name “Rowhammer.”

One defense mechanism against Rowhammer is called Target Row Refresh (TRR). It prevents bit flips by issuing additional row refreshes when frequent accesses to a particular row are detected.

The Phoenix Rowhammer attack was developed by Google and the COMSEC group at the Swiss Federal Institute of Technology in Zurich (ETH Zurich). The report notes that the attack was tested on DDR5 memory chips from Hynix (one of the largest memory chip manufacturers, with a market share of approximately 36%), but Phoenix could also threaten products from other manufacturers.

After analyzing the sophisticated defenses Hynix implemented against Rowhammer and examining how they operate, the researchers discovered that some refresh intervals were not monitored by the defenses, which a hypothetical attacker could exploit.

The researchers also developed a method that lets Phoenix track and stay synchronized with thousands of refresh operations, self-correcting when a missed refresh is detected. To bypass TRR, Phoenix uses patterns spanning 128 and 2608 refresh intervals and hammers only specific activation slots at specific times.

As a result, the researchers were able to “flip” the bits on all 15 DDR5 memory chips in the test pool and create a privilege escalation exploit using Rowhammer. Tests showed that obtaining a root shell “on a typical DDR5 system with default settings” took just 109 seconds.

The Phoenix authors also explored how this attack could be used in practice to gain control of a target system. When targeting page-table entries (PTEs) to build arbitrary read/write primitives, all tested products were vulnerable. In another test, the researchers targeted the RSA-2048 keys of a virtual machine to break SSH authentication and found that 73% of DIMMs were vulnerable to this attack.

In a third experiment, the researchers found that they could modify the sudo binary to elevate local privileges to root on 33% of the tested chips. As the table shows, all tested memory chips were vulnerable to at least one of the Phoenix attack’s Rowhammer patterns. The shorter pattern, spanning 128 refresh intervals, proved more effective and generated more flips on average.

The Phoenix issue has been assigned the identifier CVE-2025-6202, and the researchers warn that it affects all RAM DIMMs manufactured between January 2021 and December 2024.

Although Rowhammer is an industry-wide security issue that cannot be patched in memory modules already shipping, users can protect themselves from Phoenix by tripling the DRAM refresh rate (refreshing three times as often, i.e., a shorter refresh interval, tREFI). However, it has been noted that this can cause errors and data corruption, making the system unstable overall.
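To make the mechanism described above concrete, the following is an added toy simulation written for this page; it is not code from the researchers, the article, or the Phoenix repository. It models a DRAM bank in which each row accumulates "disturbance" from activations of its neighbours, a periodic REF command that refreshes rows in turn, an optional TRR sampler that refreshes the neighbours of any row activated above a threshold within one tREFI, and the refresh-rate mitigation from the paragraph above (issuing REF three times as often). Every constant (activations per tREFI, REF commands per window, flip threshold, the TRR thresholds) is constructed for illustration and does not describe any real DIMM, Hynix's TRR logic, or the Phoenix patterns.

```python
"""Toy model of DRAM row disturbance, Target Row Refresh (TRR) and the
refresh-rate mitigation. All constants are constructed for illustration and do
not describe any real DIMM, any vendor's TRR, or the Phoenix access patterns."""

ACTS_PER_TREFI = 96        # activations that fit between two REF commands (constructed)
REFS_PER_WINDOW = 1024     # REF commands needed to refresh every row once (scaled down)
FLIP_THRESHOLD = 40_000    # neighbour activations a row survives before a bit flips (constructed)


class ToyDram:
    """A bank of `rows` rows. disturbance[r] counts activations of r's neighbours
    since r was last refreshed, standing in for the charge leaked from its cells."""

    def __init__(self, rows, trr_threshold=None, refresh_multiplier=1):
        self.rows = rows
        self.trr_threshold = trr_threshold           # None = no TRR at all
        self.acts_per_ref = ACTS_PER_TREFI // refresh_multiplier  # 3 -> REF 3x as often
        self.disturbance = [0] * rows
        self.acts_this_ref = [0] * rows              # what a TRR sampler counts per tREFI
        self.flipped = set()
        self.ref_count = 0
        self.acts_since_ref = 0

    def _refresh(self, row):
        if 0 <= row < self.rows:
            self.disturbance[row] = 0                # refresh restores the cell charge

    def activate(self, row):
        """One ACT on `row`; both physical neighbours are disturbed a little."""
        self.acts_this_ref[row] += 1
        for victim in (row - 1, row + 1):
            if 0 <= victim < self.rows:
                self.disturbance[victim] += 1
                if self.disturbance[victim] >= FLIP_THRESHOLD:
                    self.flipped.add(victim)
        self.acts_since_ref += 1
        if self.acts_since_ref >= self.acts_per_ref:
            self.ref()

    def ref(self):
        """One REF command: refresh the row slice scheduled for this slot, then
        let TRR refresh the neighbours of any row hammered above its threshold."""
        slot = self.ref_count % REFS_PER_WINDOW
        for row in range(self.rows):
            if (row * REFS_PER_WINDOW) // self.rows == slot:
                self._refresh(row)
        if self.trr_threshold is not None:
            for row, count in enumerate(self.acts_this_ref):
                if count >= self.trr_threshold:
                    self._refresh(row - 1)
                    self._refresh(row + 1)
        self.acts_this_ref = [0] * self.rows
        self.acts_since_ref = 0
        self.ref_count += 1


def hammer_one_window(dram, aggressors):
    """Alternate activations over `aggressors` for one full refresh window of
    wall-clock time; report which rows flipped and how many REFs were issued."""
    total_acts = ACTS_PER_TREFI * REFS_PER_WINDOW
    for i in range(total_acts):
        dram.activate(aggressors[i % len(aggressors)])
    return sorted(dram.flipped), dram.ref_count


def compare_defences():
    """Double-sided pattern: rows 3 and 5 surround victim row 4 (constructed)."""
    return {
        "no_defence": hammer_one_window(ToyDram(8), [3, 5]),
        "trr_32":     hammer_one_window(ToyDram(8, trr_threshold=32), [3, 5]),
        "trr_64":     hammer_one_window(ToyDram(8, trr_threshold=64), [3, 5]),
        "refresh_x3": hammer_one_window(ToyDram(8, refresh_multiplier=3), [3, 5]),
    }


if __name__ == "__main__":
    for name, (flips, refs) in compare_defences().items():
        print(f"{name:11s} flipped rows={flips} REF commands={refs}")
```

In this toy, the unprotected bank flips row 4 well before its scheduled refresh; a TRR sampler whose threshold the hammering actually crosses refreshes the victims every tREFI and no flip occurs; a sampler whose threshold is never reached is equivalent to having no TRR; and tripling the refresh rate prevents the flip without any TRR, at the cost of three times as many REF commands, which is the trade-off behind the instability caveat above. The model deliberately omits the refresh-interval tracking and timing that Phoenix relies on.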

In addition to a detailed report on the new attack, the researchers have published everything needed to reproduce Phoenix on GitHub. The repository includes FPGA experiments used to reverse-engineer the TRR implementations and proof-of-concept exploit code.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.