Flipping one bit leaves AMD CPUs open to VM vuln

Fix landed in July, but OEM firmware updates are required

by · The Register

If you use virtual machines, there's reason to feel less-than-Zen about AMD's CPUs. Computer scientists affiliated with the CISPA Helmholtz Center for Information Security in Germany have found a vulnerability in AMD CPUs that exposes secrets in its secure virtualization environment.

The flaw, dubbed StackWarp, potentially allows a malicious insider who controls a host server to access sensitive data within AMD SEV-SNP guests through attacks designed to recover cryptographic private keys, bypass OpenSSH password authentication, and escalate privileges.

AMD was informed about the vulnerability (CVE-2025-29943), made patches available in July 2025, and has now published a security bulletin designating the issue as low severity.

StackWarp demonstrates yet again that it's difficult to guarantee that virtual computing resources remain isolated from one another on common hardware. It exploits a flaw in the microarchitecture designed to accelerate stack operations.

"The vulnerability can be exploited via a previously undocumented control bit on the hypervisor side," said CISPA researcher Ruiyi Zhang in a statement provided to The Register. "An attacker running a hyperthread in parallel with the target VM can use this to manipulate the position of the stack pointer inside the protected VM."

The attack scenario applies to AMD SEV-SNP [PDF], a successor to AMD Secure Encrypted Virtualization (SEV) and SEV-ES (Encrypted State), when Simultaneous Multithreading (SMT) has been enabled.

SEV-SNP is designed to isolate virtual machines from the hypervisor, the software that manages VMs on physical hardware. SMT allows a CPU core to run multiple threads at the same time. As AMD observes, SMT enables the sharing of core resources between two threads, "making it a tempting possible target for exploits such as side-channel attacks."

AMD SEV-SNP, like Intel TDX, is used by cloud providers to offer confidential virtual machines (CVMs) that promise, as Microsoft puts it, "robust hardware-based isolation between virtual machines, hypervisor, and host management code."

On AMD Zen CPUs, that promise could be undone with a single bit flip.

CISPA researchers Ruiyi Zhang, Tristan Hornetz, Daniel Weber, Fabian Thomas, and Michael Schwarz report that they were able to abuse the stack engine on AMD Zen CPUs in a way that breaks CVMs.

They describe their findings in a paper [PDF] titled, "StackWarp: Breaking AMD SEV-SNP Integrity via Deterministic Stack-Pointer Manipulation through the CPU's Stack Engine." The paper is scheduled for publication at USENIX Security 2026.

The stack refers to the memory structure computers use to manage operations involving function calls, local variables, and return addresses. The top of the stack gets tracked with a CPU register called the stack pointer.

The CPU frontend handles the fetching and processing of instructions, which would typically require querying the CPU backend to get the stack pointer updates. As noted by the researchers, AMD and Intel CPUs implement a stack engine on the CPU frontend that tracks stack pointer changes (delta) in order to reduce the need for synchronization between frontend and backend.

"At a high level, the stack engine tracks a running stack-pointer delta so common stack operations complete efficiently," the researchers explain in their paper. "Our measurements show that disabling the engine while stack operations are in flight 'freezes' the accumulated delta such that stores commit, but the architectural stack-pointer update is withheld."

Basically, by flipping a bit – bit 19 of the undocumented core-scoped model-specific register (MSR) 0xC0011029 – the attacker can break the synchronization between logical sibling cores and can corrupt a synchronized sibling thread.

Using this technique, the researchers say that they were able to recover an RSA-2048 private key, bypass OpenSSH password authentication, bypass sudo password authentication, and obtain ring 0 code execution by modifying the kernel stack.

"These findings indicate that keeping SMT enabled today undermines SEV-SNP's integrity goals: a sibling core can change a guest's control and data flow through a shared frontend switch with instruction-level precision," the researchers conclude.

So be sure to install any updates or patches AMD has made available.

Proof-of-concept exploit code has been published to GitHub. ®

A simple CodeBuild flaw put every AWS environment at risk – and pwned 'the central nervous system of the cloud': And it's 'not unique to AWS,' researcher tells The RegJessica Lyons, 15 Jan 2026Windows App forgets how to log in with first security update of the year: January patch trips up Azure Virtual Desktop and Windows 365 authenticationRichard Speed, 15 Jan 2026Teach an AI to write buggy code, and it starts fantasizing about enslaving humans: Research shows erroneous training in one domain affects performance in another, with concerning implicationsLindsay Clark, 15 Jan 2026New Linux malware targets the cloud, steals creds, and then vanishes: Cloud-native, 37 plugins … an attacker's dreamJessica Lyons, 14 Jan 2026