New VMScape Spectre-BTI Attack Targets Isolation Flaws in AMD and Intel CPUs

Cybersecurity researchers at ETH Zurich have disclosed a critical new Spectre-based attack called VMSCAPE that exploits incomplete branch predictor isolation in virtualized cloud environments.

The attack, tracked as CVE-2025-40300, affects multiple generations of AMD and Intel processors and enables malicious virtual machines to steal sensitive data from hypervisor processes.

Attack Methodology and Impact

VMSCAPE represents the first practical Spectre Branch Target Injection attack where a malicious guest VM can leak arbitrary memory from an unmodified hypervisor without requiring any code modifications.

The attack specifically targets the widely used KVM/QEMU virtualization stack, demonstrating how attackers can extract cryptographic keys and other sensitive infrastructure secrets.

On AMD Zen 4 processors, researchers achieved data exfiltration rates of 32 bytes per second, successfully extracting disk encryption and decryption keys within approximately 18 minutes.

The complete attack chain, including initial reconnaissance and secret location identification, requires about 1,092 seconds to execute fully.

The vulnerability impacts a broad range of modern processors, including all AMD Zen microarchitectures from Zen 1 through Zen 5, as well as Intel Coffee Lake CPUs.

The flaw stems from incomplete isolation of branch prediction state across virtualization boundaries, particularly between guest user processes and host user processes.

Researchers identified multiple attack primitives they termed “Virtualization-based Spectre-BTI” or vBTI, which enable cross-domain speculation attacks.

These primitives work despite existing hardware mitigations like Enhanced IBRS and Automatic IBRS being enabled by default.

The VMSCAPE attack overcomes significant technical challenges through several innovations.

Researchers developed the first reliable cache eviction techniques for AMD Zen 4 and Zen 5 processors, enabling them to extend speculation windows necessary for successful data extraction.

The attack exploits Memory Mapped I/O operations to gain register control and uses sophisticated Address Space Layout Randomization bypass techniques to locate target memory regions.

By leveraging shared memory between guest and host for FLUSH+RELOAD side-channel attacks, VMSCAPE achieves reliable data leakage across the virtualization boundary.

Following responsible disclosure to AMD and Intel PSIRT in June 2025, Linux kernel maintainers have implemented mitigation patches based on Indirect Branch Prediction Barrier on VM exits.

The patches introduce minimal performance overhead in typical cloud scenarios, with only 1% impact on compute-intensive workloads and up to 51% overhead for I/O-heavy operations.

Cloud providers should immediately apply the available kernel patches and consider additional hardening measures.

The vulnerability poses particular risks in multi-tenant cloud environments where customer VMs could potentially access infrastructure secrets or cryptographic material from hypervisor processes.

This discovery highlights ongoing challenges in securing complex virtualized environments against sophisticated microarchitectural attacks targeting speculative execution mechanisms.

Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.

Keep your files stored safely and securely with the SanDisk 2TB Extreme Portable SSD. With over 69,505 ratings and an impressive 4.6 out of 5 stars, this product has been purchased over 8K+ times in the past month. At only $129.99, this Amazon’s Choice product is a must-have for secure file storage.

Help keep private content private with the included password protection featuring 256-bit AES hardware encryption. Order now for just $129.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!