If you thought the world was done with side-channel CPU attacks, think again. ETH Zurich has identified yet another Spectre-based transient execution vulnerability that affects AMD Zen CPUs and Intel Coffee Lake processors by breaking virtualization boundaries.
The attack, dubbed VMSCAPE (CVE-2025-40300), is said to be the first Spectre-based exploit that allows a malicious guest user in a cloud environment to leak secrets from the hypervisor in the host domain without code changes – injected Return-oriented programming gadgets – and in default configuration.
The technique is described in a paper [PDF] published on Thursday, “VMSCAPE: Exposing and Exploiting Incomplete Branch Predictor Isolation in Cloud Environments,” by Jean-Claude Graf, Sandro Rüegge, Ali Hajiabadi, and Kaveh Razavi. The paper is set to be presented at the 47th IEEE Symposium on Security and Privacy.
Cloud computing depends upon virtualization to securely partition physical computing resources into virtual ones, managed by a hypervisor. VMSCAPE targets the Kernel Virtual Machine (KVM) and QEMU (Quick Emulator), as the hypervisor and as the userspace component of the hypervisor in the host.
“VMSCAPE can leak the memory of the QEMU process at the rate of 32 B/s on AMD Zen 4,” the authors state in their paper. “We use VMSCAPE to find the location of secret data and leak the secret data, all within 772 s, extracting the cryptographic key used for disk encryption/decryption as an example.”
AMD Zen 1-5 processors are affected, as are Intel Coffee Lake processors, which debuted in 2017. Hardware fixes aren’t feasible, the authors say, so Linux maintainers have addressed the issue in software. This comes at a cost, however, in terms of performance overhead.
Spectre, a set of vulnerabilities based on processor microarchitecture, has allowed attackers to access sensitive host memory to varying degrees since its disclosure in 2018, alongside another flaw known as Meltdown.
- Bug bounties: The good, the bad, and the frankly ridiculous ways to do it
- Intel ghosts researcher who found web apps spilled 270K staff records
- Torvalds blasts tardy kernel dev: Your ‘garbage’ RISC-V patches are ‘making the world worse’
- AMD warns of new Meltdown, Spectre-like bugs affecting CPUs
One of these is known as Spectre v2 or Branch Target Injection, a way to abuse CPU indirect branch predictors, which control speculative execution – executing predicted instructions before they’re called for in code, in order to improve performance.
Various mitigations have been developed and deployed to defend against Spectre-based attacks, generally at the cost of performance. These include: Indirect Branch Restricted Speculation (IBRS), Enhanced IBRS (eIBRS), Automatic IBRS (AutoIBRS), Indirect Branch Prediction Barrier (IBPB), and Single Threaded Indirect Branch Predictor (STIBP).
But, to date, Spectre v2 attacks have not had much impact because, as the authors note, they assume the attacker has the ability to run local code on the user’s system.
The ETH Zurich boffins took a look at the way AMD and Intel processors handle host-guest boundaries and found the separation isn’t sufficient on AMD Zen CPUs and older Intel CPUs. The branch target buffer (BTB) entries between host and guest are not isolated, so the branch predictor mingles predictions across host and guest domains. VMSCAPE exploits this with the help of a set of new attack primitives that the researchers call vBTI (virtualization Branch Target Injection).
An AMD spokesperson told The Register that a Security Brief will be issued that acknowledges the potential vulnerability. But the fix will be in software.
In a statement provided to The Register, an Intel spokesperson said, “Existing mitigations on Intel processors can be used to mitigate this issue. Intel has previously provided guidance for Branch Target Injection (BTI), Branch History Injection (BHI), and Indirect Target Selection (ITS), and Intel engineers are working with Linux to ensure that the appropriate mitigations for these issues as described in these guidance documents are applied to Linux userspace hypervisor software. Linux mitigations are expected to be available on the VMSCAPE public disclosure date, and a CVE for this issue will be assigned by Linux.”
The Linux patch, we’re told, will be ported to various Linux distributions after its release.
The authors proposed a mitigation called “IBPB-on-VMExit” that Linux developers have optimized under the name “IBPB before exit to userspace.” According to the researchers, the overhead depends on the workload and the frequency of userspace exits.
“For emulated devices (default for QEMU), userspace exits are much more frequent than for virtualized devices (commonly used in enterprise systems),” the authors observe in a summary note. “Our benchmarking indicates an overhead of ~10 percent when using an emulated device.”
With Zen 4, the authors’ benchmark testing suggests “a marginal 1 percent overhead” post-patch.
The Linux mitigation is said to be active for all affected systems, including Zen 5 and even recent Intel CPUs that were not exploitable such as Lunar Lake and Granite Rapids. ®
