New Phoenix RowHammer attack cracks open DDR5 memory defenses in minutes

News
By published

It took researchers less than two minutes to crack open a computer

Computer memory RAM on motherboard background . Close up. system, main memory, random access memory, onboard, computer detail. Computer components . DDR3. DDR4. DDR5
(Image credit: Shutterstock)
  • Phoenix RowHammer variant affects DDR5 desktop systems, bypassing all known mitigations on SK Hynix chips
  • Attackers can gain root access and steal RSA keys within minutes using default system settings
  • Researchers recommend tripling refresh rates, as DRAM devices cannot be patched and remain vulnerable long-term

Standard, production-grade desktop systems were, for the first time ever, found vulnerable to a variant of RowHammer, a hardware-based security vulnerability affecting DDR5 chips.

RowHammer affects Dynamic Random-Access Memory (DRAM) chips and allows attackers to manipulate memory contents by repeatedly accessing - “hammering” - a specific row of memory cells.

This causes electrical interference that can flip bits in adjacent rows, without actually accessing those rows, and results in privilege escalation, remote exploits, and different mobile vulnerabilities.

Privilege escalation and root access

The vulnerability was first spotted more than a decade ago, and has been addressed through patches multiple times. However, as RAM chips get better - and memory cells get squeezed closer together - the risk of RowHammer attacks increases.

The latest discovery is called Phoenix, and is tracked as CVE-2025-6202. It was given a severity score of 7.1/10 (high), and successfully bypasses all known mitigations on chips built by South Korean semiconductor manufacturer SK Hynix.

"We have proven that reliably triggering RowHammer bit flips on DDR5 devices from SK Hynix is possible on a larger scale," ETH Zürich said. "We also proved that on-die ECC does not stop RowHammer, and RowHammer end-to-end attacks are still possible with DDR5."

The researchers are claiming they can trigger privilege escalation and gain root access on a DDR5 system with default settings in less than two minutes. Practical use includes stealing RSA-2048 keys of a co-located virtual machine, thus breaking SSH authentication. A separate scenario includes using the sudo binary to escalate local privileges to the root user.

"As DRAM devices in the wild cannot be updated, they will remain vulnerable for many years," the analysts said in the paper. "We recommend increasing the refresh rate to 3x, which stopped Phoenix from triggering bit flips on our test systems." In this context, it is perhaps worth mentioning that after RowHammer was first disclosed in 2014, vendors like Intel and DRAM manufacturers introduced increased refresh rates and target row refresh (TRR) mechanisms as mitigation measures.

Via The Hacker News

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.