- The Phoenix Rowhammer variant affects DDR5 desktop systems, bypassing all known mitigations in SK Hynix chips
- Attackers can gain root access and steal RSA keys in minutes using the default system configuration
- Researchers recommend tripling refresh rates, since DRAM devices cannot be patched and will remain vulnerable in the long term

Standard production desktop systems have been found, for the first time, to be vulnerable to a Rowhammer variant, a hardware-based security vulnerability that affects DDR5 chips.
Rowhammer affects dynamic random access memory (DRAM) chips and allows attackers to manipulate memory contents by repeatedly accessing ("hammering") a specific row of memory cells.
This causes electrical interference that can flip bits in adjacent rows without actually accessing those rows, and can result in privilege escalation, remote exploits and various mobile vulnerabilities.
Privilege escalation and root access
The vulnerability was first seen more than a decade ago, and has been addressed through patches several times. However, as RAM chips improve and memory cells are packed more closely together, the risk of Rowhammer attacks increases.
The latest discovery is called Phoenix and is tracked as CVE-2025-6202. It was given a severity score of 7.1/10 (high), and successfully bypasses all known mitigations in chips built by the South Korean semiconductor manufacturer SK Hynix.
“We have shown that reliably triggering Rowhammer bit flips on SK Hynix DDR5 devices is possible on a larger scale,” said ETH Zürich. “We also show that on-die ECC does not stop Rowhammer, and Rowhammer end-to-end attacks are still possible with DDR5.”
The researchers claim that they can trigger a privilege escalation and obtain root access on a DDR5 system with default configurations in less than two minutes. Practical uses include stealing the RSA-2048 keys of a co-located virtual machine, thus breaking SSH authentication. A separate scenario involves using the sudo binary to escalate local privileges to the root user.
“As DRAM devices in nature cannot be updated, they will continue to be vulnerable for many years,” the analysts said in the paper. “We recommend increasing the refresh rate to 3x, which prevented Phoenix from triggering bit flips in our test systems.” In this context, it may be worth mentioning that after Rowhammer was first revealed in 2014, suppliers such as Intel and DRAM manufacturers introduced higher refresh rates and target row refresh (TRR) mechanisms as mitigation measures.
Via The Hacker News