Researchers from Google and Swiss university ETH Zurich have found a new class of Rowhammer vulnerability that could allow attackers to access info stored in DDR5 memory.
As Google explains in its post on the discovery, DRAM stores data as electrical charges in small “cells” of memory. Those charges leak over time, corrupting data. Computer scientists have known this for ages, and the controllers that manage memory therefore periodically refresh cells to ensure memory remains reliable.
Infosec types with friendly and/or adversarial inclinations noticed that behavior and wondered what would happen if they repeatedly accessed specific rows of memory cells. They learned that by “hammering” those rows of cells with many access requests it’s possible to corrupt data in adjacent cells, degrade system performance, or even achieve privilege escalation.
Rowhammer is a known problem and infosec researchers long ago developed defenses that system builders and memory-makers adopted. Last year, standards body the JEDEC Solid State Technology Association introduced a new DRAM data integrity measure called Per-Row Activation Counting (PRAC) that looks for the sort of activity involved in a Rowhammer attack and pauses traffic to stymie hostile action.
Google’s researchers, however, assert that systems that include DDR5 have not employed PRAC. The web giant also created a pair of tools to test DDR5 modules for susceptibility to Rowhammer.
Researchers at ETH Zurich put those tools to work and found a new form of Rowhammer attack that works on DDR5 from SK Hynix, the world’s largest memory-maker.
The attack, called “Phoenix”, isn’t simple and is computationally expensive. But it works.
And that’s worrying because the paper [PDF] that describes the joint Google/ETH research opens by observing “DDR5 has shown an increased resistance to Rowhammer attacks in production settings. Surprisingly, DDR5 achieves this without additional refresh management commands.”
Google and ETH Zurich found their Rowhammer variant using a machine powered by an AMD Zen 4 processor and SK Hynix DDR5 and will attempt to replicate their work on memory and CPUs from other vendors.
If the researchers succeed, it’s not a disgrace for impacted manufacturers because Rowhammer-style attacks are hard to defeat, with recent victims including Nvidia, DDR4 and everyone’s privacy thanks to a Rowhammer variant that makes it possible to fingerprint computing devices.
The attack discovered by Google and ETH Zurich is now known as CVE-2025-6202 and earned a 7.1 CVSS rating.
ETH Zurich says it conducted responsible disclosure of Phoenix that saw it inform SK Hynix, CPU vendors, and major cloud providers on June 6, 2025. AMD told the researchers it made a BIOS update to protect systems that use its processors. More information, including the source code for all the experiments and the exploit, can be found here.