A team of academics from ETH Zürich and Google has discovered a new variant of a RowHammer attack targeting Double Data Rate 5 (DDR5) memory chips from South Korean semiconductor vendor SK Hynix.
The RowHammer attack variant, codenamed Phoenix (CVE-2025-6202, CVSS score: 7.1), is capable of bypassing sophisticated protection mechanisms put in place to resist the attack.
"We have proven that reliably triggering RowHammer bit flips on DDR5 devices from SK Hynix is possible on a larger scale," ETH Zürich said. "We also proved that on-die ECC does not stop RowHammer, and RowHammer end-to-end attacks are still possible with DDR5."
RowHammer refers to a hardware vulnerability where repeated access of a row of memory in a DRAM chip can trigger bit flips in adjacent rows, resulting in data corruption. This can be subsequently weaponized by bad actors to gain unauthorized access to data, escalate privileges, or even cause a denial-of-service.
Although RowHammer was first demonstrated in 2014, future DRAM chips are more likely to be susceptible to such attacks, as DRAM manufacturers depend on density scaling to increase DRAM capacity.
In a study published by ETH Zürich researchers in 2020, it was found that "newer DRAM chips are more vulnerable to RowHammer: as device feature size reduces, the number of activations needed to induce a RowHammer bit flip also reduces."
Further research into the subject has demonstrated that the vulnerability has several dimensions to it and that it's sensitive to several variables, including environmental conditions (temperature and voltage), process variation, stored data patterns, memory access patterns, and memory control policies.
Some of the primary mitigations for RowHammer attacks include Error Correction Code (ECC) and Target Row Refresh (TRR). However, these countermeasures have been proven to be ineffective against more sophisticated attacks like TRRespass, SMASH, Half-Double, and Blacksmith.
The latest findings from ETH Zürich and Google show that it's possible to bypass advanced TRR defenses on DDR5 memory, opening the door for what the researchers call the "first-ever RowHammer privilege escalation exploit on a standard, production-grade desktop system equipped with DDR5 memory."
In other words, the end result is a privilege escalation exploit that obtains root on a DDR5 system with default settings in as little as 109 seconds. Specifically, the attack takes advantage of the fact that the mitigation does not sample certain refresh intervals, which made it possible to flip bits on all 15 DDR5 memory chips in the test pool, produced between 2021 and 2024.
Potential exploitation scenarios involving these bit flips allow for targeting RSA-2048 keys of a co-located virtual machine to break SSH authentication, as well as using the sudo binary to escalate local privileges to the root user.
"As DRAM devices in the wild cannot be updated, they will remain vulnerable for many years," the researchers said. "We recommend increasing the refresh rate to 3x, which stopped Phoenix from triggering bit flips on our test systems."
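Applying the refresh-rate recommendation starts with knowing which hosts carry SK Hynix DDR5 modules. The Python below is an added example (not from the researchers or the original article) that parses `dmidecode -t memory` output and lists populated DDR5 slots whose reported vendor contains "hynix". The sample text and the function names are constructed for illustration, and SMBIOS reports the module vendor string without a production date, so the result is a candidate list rather than a verdict.

```python
# Constructed sample of `dmidecode -t memory` output (not from a real host).
SAMPLE = """\
Handle 0x0040, DMI type 17, 92 bytes
Memory Device
\tSize: 16 GB
\tLocator: DIMM_A1
\tType: DDR5
\tManufacturer: SK Hynix

Handle 0x0041, DMI type 17, 92 bytes
Memory Device
\tSize: No Module Installed
\tLocator: DIMM_A2
\tType: Unknown
\tManufacturer: Not Specified

Handle 0x0042, DMI type 17, 92 bytes
Memory Device
\tSize: 8 GB
\tLocator: DIMM_B1
\tType: DDR4
\tManufacturer: SK Hynix
"""

def parse_memory_devices(text):
    """Return one dict of fields per 'Memory Device' (DMI type 17) record."""
    devices, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Memory Device":
            devices.append(current := {})
        elif not stripped or stripped.startswith("Handle "):
            current = None  # a blank line or the next handle ends the record
        elif current is not None and ":" in stripped:
            key, _, value = stripped.partition(":")
            current[key.strip()] = value.strip()
    return devices

def sk_hynix_ddr5_slots(devices):
    """Locators of populated DDR5 modules whose reported vendor contains 'hynix'."""
    return [d.get("Locator", "?") for d in devices
            if not d.get("Size", "").lower().startswith("no module")
            and d.get("Type", "").upper() == "DDR5"
            and "hynix" in d.get("Manufacturer", "").lower()]

if __name__ == "__main__":
    print(sk_hynix_ddr5_slots(parse_memory_devices(SAMPLE)))
```

On a real host, pass the text produced by `dmidecode -t memory` (which needs root) to `parse_memory_devices` in place of `SAMPLE`.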
The disclosure comes weeks after research teams from George Mason University and Georgia Institute of Technology detailed two different RowHammer attacks called OneFlip and ECC.fail, respectively.
While OneFlip revolves around triggering a single bit flip to alter Deep Neural Network (DNN) model weights and activate unintended behavior, ECC.fail is described as the first end-to-end RowHammer attack that's effective against DDR4 server machines with ECC memory.
"Unlike their PC counterparts, servers have extra protections against memory data corruptions (e.g., RowHammer or cosmic ray bit flips), in the form of error correcting codes," the researchers said. "These can detect bit flips in memory, and even potentially correct them. ECC.fail bypasses these protections by carefully inducing RowHammer bit flips at certain memory locations."