Full Report
A new Spectre-like attack dubbed VMScape allows a malicious virtual machine (VM) to leak cryptographic keys from an unmodified QEMU hypervisor process running on modern AMD or Intel CPUs. [...]
Analysis Summary
# Vulnerability: VMScape CPU Side-Channel Attack Breaks Guest-Host Isolation on AMD/Intel CPUs
## CVE Details
- CVE ID: CVE-2025-40300
- CVSS Score: Not specified in the source; the cross-tenant memory disclosure suggests High severity.
- CWE: CWE-203 (Information Exposure Through Side Channel) likely applies.
## Affected Systems
- Products: QEMU hypervisor (target), AMD CPUs, Intel CPUs.
- Versions: All AMD processors from Zen 1 to Zen 5. Intel's "Coffee Lake" CPUs.
- Configurations: Requires unmodified virtualization software with default hardware mitigations enabled.
## Vulnerability Description
VMScape is a Spectre-like side-channel attack that lets a malicious guest virtual machine (VM) leak memory contents from the unmodified QEMU hypervisor process running on the host CPU. It exploits incomplete isolation of the shared branch prediction unit (BPU) structures (BTB, IBP/ITA, BHB) between guest and host speculative execution. Using a Spectre-BTI attack to misguide an indirect branch in QEMU, the attacker makes the hypervisor speculatively execute a disclosure gadget that leaks secret data into a shared cache line; a FLUSH+RELOAD cache side channel then exfiltrates that data. The attack bypasses existing Spectre mitigations and defeats ASLR by probing for branch collisions.
## Exploitation
- Status: Research/Proof-of-Concept demonstrated by researchers; not explicitly stated as exploited in the wild.
- Complexity: High (Requires overcoming ASLR, building eviction sets, and precise side-channel timing).
- Attack Vector: Network (via a compromised guest VM).
## Impact
- Confidentiality: High (Leaked arbitrary memory data from QEMU, potentially including cryptographic keys from the hypervisor or other VMs).
- Integrity: Low (Primarily an information disclosure vulnerability).
- Availability: Low (Minimal impact on service availability unless sustained execution exhausts resources).
- Data Leak Rate: ~32 bytes/second with 98.7% byte-level accuracy. Leaking a 4KB secret (such as a disk encryption key) is estimated at 128 seconds of leakage time, or 772 seconds end-to-end including the ASLR bypass.
## Remediation
### Patches
- Vendor: AMD and Intel were notified on June 7, 2025.
- Linux Kernel: Patches have been released that mitigate VMScape by adding an **IBPB (Indirect Branch Prediction Barrier) on VMEXIT**. This flushes the BPU state when switching from the guest to the host environment.
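One way for a host administrator to confirm that the running kernel actually reports this mitigation, as an added example that is not part of the original report: the script reads the sysfs vulnerability entry recent Linux kernels expose and classifies it. The entry name `vmscape` under `/sys/devices/system/cpu/vulnerabilities` is an assumption; kernels that predate the patches expose no such file, which the script deliberately treats as unknown rather than mitigated.

```shell
#!/bin/sh
# Added example, not from the original report: classify the VMScape
# mitigation state a Linux host reports through sysfs. The file name
# "vmscape" under the vulnerabilities directory is an assumption.
SYSFS_VULN_DIR="${SYSFS_VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# vmscape_status DIR: print not-affected | mitigated | vulnerable | unknown.
# Exit status: 0 = safe (not affected or mitigated), 1 = vulnerable,
# 2 = unknown (no entry, e.g. a kernel that predates the VMScape patches).
vmscape_status() {
  f="$1/vmscape"
  if [ ! -r "$f" ]; then
    # A missing entry must not be read as "mitigated": an unpatched kernel
    # does not know about the bug and performs no IBPB on VMEXIT for it.
    echo unknown
    return 2
  fi
  s=$(cat "$f")
  case "$s" in
    "Not affected"*) echo not-affected; return 0 ;;
    Mitigation:*)    echo mitigated;    return 0 ;;
    Vulnerable*)     echo vulnerable;   return 1 ;;
    *)               echo unknown;      return 2 ;;
  esac
}

# make_fake_sysfs [CONTENT]: build a constructed sysfs directory for offline
# demonstration; with no CONTENT the vmscape entry is left absent.
make_fake_sysfs() {
  d=$(mktemp -d)
  if [ -n "${1:-}" ]; then
    printf '%s\n' "$1" > "$d/vmscape"
  fi
  echo "$d"
}

# Query the live host only when asked, so the file is safe to source.
if [ "${1:-}" = "--live" ]; then
  vmscape_status "$SYSFS_VULN_DIR"
fi
```

Run it with `--live` on a virtualization host; any result other than `mitigated` or `not-affected` means the kernel-side barrier described above cannot be relied on.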
### Workarounds
- Researchers implied that running on the unaffected Intel CPUs ("Raptor Cove" and "Gracemont") avoids the attack, though this is a hardware choice rather than a general workaround.
## Detection
- Indicators of Compromise: High-frequency cache access patterns characteristic of FLUSH+RELOAD probing from a guest context, correlated with guest-to-host transitions (VMEXIT).
- Detection methods and tools: Monitoring for side-channel manipulation attempts from guest VMs that target host process control flow, including unusual branch prediction unit flushing behavior. Standard anti-Spectre tooling may be insufficient, because the attack targets BPU components shared across the virtualization boundary.
## References
- Vendor Advisories: AMD and Intel have acknowledged the issue (details pending full disclosure/tracking).
- Relevant links:
  - Original research report from ETH Zurich: `comsec[.]ethz[.]ch/vmscape`