Phoenix (CVE-2025-6202): A New Rowhammer Attack Bypasses DDR5 Protections

Researchers from ETH Zurich have unveiled Phoenix, a new Rowhammer attack that successfully bypasses in-DRAM mitigations in all tested SK Hynix DDR5 devices, exposing billions of systems to memory corruption and privilege escalation.

The team writes, “We demonstrate with Phoenix that all DDR5 devices from SK Hynix, currently the largest DRAM manufacturer, are still vulnerable to a new variant of Rowhammer attacks.”

The researchers reverse-engineered SK Hynix’s Target Row Refresh (TRR) protections, which were designed to counter Rowhammer. While these mitigations resisted known attack patterns, the team identified blind spots:

“To identify blind spots in the new mitigations, we conducted a series of carefully designed experiments, which revealed that the mitigation does not sample certain refresh intervals. This allowed us to craft two novel Rowhammer patterns that effectively bypass these deployed mitigations.”

The breakthrough came from studying refresh intervals at a granular level, revealing that some intervals were only lightly sampled or not sampled at all—creating exploitable windows.

From this analysis, the team derived two new Rowhammer patterns:

  • A shorter pattern (128 tREFI intervals), which was 2.62x more effective and led to thousands of bit flips.
  • A longer pattern (2608 tREFI intervals), designed to cover more refresh intervals.

As the researchers explain, “In total, we reverse-engineered two devices, resulting in two new Rowhammer patterns, which together bypass the mitigations of all 15 DDR5 devices from SK Hynix of our test pool.”

They also introduced a self-correcting refresh synchronization method that keeps the hammering patterns aligned with DRAM refresh cycles—an essential step since Phoenix patterns are up to 163x longer than existing Rowhammer patterns.

ETH Zurich demonstrated that Phoenix is not just a lab curiosity—it can be weaponized in real-world attacks:

“We also demonstrate that the bit flips are exploitable by building the first Rowhammer privilege escalation exploit running in default settings on a PC in as little as 109 seconds.”

Exploits tested include:

  • Page Table Entry (PTE) corruption, granting arbitrary memory read/write (all DIMMs vulnerable).
  • RSA-2048 key extraction from co-located VMs (73% of DIMMs vulnerable).
  • Privilege escalation via sudo binary modification (33% of DIMMs vulnerable).

In one case, they achieved root privileges in just over 5 minutes.

Despite the promises of stronger mitigations and on-die ECC, the findings show Rowhammer is far from solved.

The team warns, “We have proven that reliably triggering Rowhammer bit flips on DDR5 devices from SK Hynix is possible on a larger scale. We also proved that on-die ECC does not stop Rowhammer, and Rowhammer end-to-end attacks are still possible with DDR5.”

Because DRAM hardware cannot be patched, affected devices will remain vulnerable for years. The only mitigation ETH Zurich validated was tripling the refresh rate, which stopped Phoenix but at an 8.4% performance cost.

Phoenix was disclosed responsibly to SK Hynix, CPU vendors, and cloud providers in June 2025. The issue is now tracked as CVE-2025-6202. Google also supported the research, publishing a security blog alongside ETH Zurich’s paper.
