Swiss academic researchers have disclosed a new variant of Rowhammer attacks that can bypass the latest protection mechanisms on SK Hynix DDR5 memory, posing a heightened risk to a wide range of servers and workstations. The attack, dubbed Phoenix, targets memory modules by exploiting gaps in refresh-based defenses to flip bits and escalate privileges in minutes on systems using default settings.
Rowhammer attacks rely on repeatedly accessing specific memory rows at high speed to induce electrical interference, which can flip bits in neighboring cells. One common defense against such flips is Target Row Refresh (TRR), a mitigation that issues extra refresh commands when suspicious access patterns are detected. Phoenix, however, circumvents these protections by exploiting refresh intervals that TRR does not sample effectively.
The research team, comprising ETH Zurich’s Computer Security Group (COMSEC) and Google, tested Phoenix on DDR5 modules from SK Hynix—a major player with about a third of the market—and found that a range of protections could be defeated. They discovered that certain refresh intervals were not being sampled by TRR, allowing deliberate patterns of memory hammering to induce bit flips. The researchers also developed a self-correcting synchronization method to track and align with thousands of refresh operations, including scenarios where a refresh was missed.
In practical demonstrations, Phoenix could flip bits on all 15 DDR5 memory chips in the test pool. The team reported that it took under two minutes to obtain a shell with root privileges on a commodity DDR5 system configured with default settings. Beyond shell access, the researchers explored broader exploitation scenarios, including targeting page-table entries to obtain arbitrary memory access, breaking SSH authentication by altering RSA-2048 keys, and escalating privileges by manipulating the sudo binary on affected chips. In one assessment, 73% of DIMMs were exposed to the possibility of SSH compromise, and 33% allowed local privilege escalation to root.
Mitigations remain challenging. The researchers note that although a tripling of the DRAM refresh interval (tREFI) can stop Phoenix, such a change risks inducing data errors and system instability. The issue is tracked as CVE-2025-6202 and is described as high severity, affecting all DIMM RAM modules produced between January 2021 and December 2024.
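For asset owners scoping exposure, the following added example (not code from the researchers or their repository) parses `dmidecode -t memory` output and lists populated DDR5 slots whose reported vendor is SK Hynix. The sample text is constructed, and matching the vendor by name substring is an assumption, since some firmware reports an ID rather than a name.

```python
import re
import sys

# Constructed sample in the layout of `dmidecode -t memory`; not from a real host.
SAMPLE = """\
Memory Device
    Size: 16 GB
    Locator: DIMM_A1
    Type: DDR5
    Manufacturer: SK Hynix

Memory Device
    Size: 16 GB
    Locator: DIMM_A2
    Type: DDR5
    Manufacturer: ExampleVendor

Memory Device
    Size: No Module Installed
    Locator: DIMM_B1
    Type: Unknown

Memory Device
    Size: 8 GB
    Locator: DIMM_B2
    Type: DDR4
    Manufacturer: SK Hynix
"""

def parse_memory_devices(text):
    """Return a dict of 'Key: Value' fields for each populated Memory Device."""
    devices = []
    for block in re.split(r"\n\s*\n", text):
        if "Memory Device" not in block:
            continue
        fields = dict(l.strip().split(": ", 1) for l in block.splitlines() if ": " in l)
        if not fields.get("Size", "").lower().startswith("no module"):
            devices.append(fields)  # empty slots are skipped
    return devices

def review_candidates(devices, vendor="hynix"):
    """Locators of DDR5 modules whose reported vendor contains `vendor`
    (assumption: the Manufacturer field is a name string, not a JEDEC ID)."""
    return [d.get("Locator", "?") for d in devices
            if d.get("Type") == "DDR5" and vendor in d.get("Manufacturer", "").lower()]

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print(review_candidates(parse_memory_devices(text)))
```

The Manufacturer field names the module vendor, which may differ from the maker of the DRAM chips on it, and the output carries no manufacture date. A match is therefore a prompt to check the module against the January 2021 to December 2024 window, and a non-match does not rule a module out.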
A technical paper detailing the findings, titled Phoenix: Rowhammer Attacks on DDR5 with Self-Correcting Synchronization, has been published and will be presented at the IEEE Symposium on Security and Privacy next year. For researchers and practitioners seeking to reproduce or study the attack methodology, a companion repository is available.