- Phoenix RowHammer variant affects DDR5 desktop systems, bypassing all known mitigations on SK Hynix chips
- Attackers can gain root access and steal RSA keys within minutes using default system settings
- Researchers recommend tripling refresh rates, as DRAM devices cannot be patched and remain vulnerable long-term
Standard, production-grade desktop systems were, for the first time ever, found vulnerable to a variant of RowHammer, a hardware-based security vulnerability affecting DDR5 chips.
RowHammer affects Dynamic Random-Access Memory (DRAM) chips and allows attackers to manipulate memory contents by repeatedly accessing – “hammering” – a specific row of memory cells.
This causes electrical interference that can flip bits in adjacent rows, without actually accessing those rows, and results in privilege escalation, remote exploits, and different mobile vulnerabilities.
Privilege escalation and root access
The vulnerability was first spotted more than a decade ago, and has been addressed through patches multiple times. However, as RAM chips get better – and memory cells get squeezed closer together – the risk of RowHammer attacks increases.
The latest discovery is called Phoenix, and is tracked as CVE-2025-6202. It was given a severity score of 7.1/10 (high), and successfully bypasses all known mitigations on chips built by South Korean semiconductor manufacturer SK Hynix.
“We have proven that reliably triggering RowHammer bit flips on DDR5 devices from SK Hynix is possible on a larger scale,” ETH Zürich said. “We also proved that on-die ECC does not stop RowHammer, and RowHammer end-to-end attacks are still possible with DDR5.”
The researchers are claiming they can trigger privilege escalation and gain root access on a DDR5 system with default settings in less than two minutes. Practical use includes stealing RSA-2048 keys of a co-located virtual machine, thus breaking SSH authentication. A separate scenario includes using the sudo binary to escalate local privileges to the root user.
“As DRAM devices in the wild cannot be updated, they will remain vulnerable for many years,” the analysts said in the paper. “We recommend increasing the refresh rate to 3x, which stopped Phoenix from triggering bit flips on our test systems.” In this context, it is perhaps worth mentioning that after RowHammer was first disclosed in 2014, vendors like Intel and DRAM manufacturers introduced increased refresh rates and target row refresh (TRR) mechanisms as mitigation measures.
Via The Hacker News
