StackWarp Side-Channel Weakness Undermines AMD SEV-SNP Confidential VMs
Researchers at CISPA Helmholtz Center for Information Security disclosed StackWarp (CVE-2025-29943), a microarchitectural weakness affecting AMD Zen CPUs that can undermine the integrity guarantees of AMD SEV-SNP “confidential VM” protections. The attack model assumes a malicious insider with host/hypervisor control who can run a parallel hyperthread and exploit a previously undocumented hypervisor-side control bit to manipulate the protected guest’s stack pointer behavior, particularly when Simultaneous Multithreading (SMT) is enabled.
Reported impacts include the ability to recover sensitive data from SEV-SNP guests—such as cryptographic private keys—and to enable follow-on compromise scenarios like bypassing OpenSSH password authentication and privilege escalation within the VM. AMD issued patches (made available in July 2025) and later published a security bulletin rating the issue low severity, but the disclosure highlights ongoing risk that confidential computing isolation can be weakened by CPU-level behaviors; organizations running SEV-SNP should prioritize applying AMD’s updates and review SMT-related exposure in multi-tenant or high-trust boundary environments.
Timeline
Jan 19, 2026
AMD confirms affected product scope and future embedded patches
AMD's guidance indicated the flaw affects Zen 1 through Zen 5 processors, including multiple EPYC and EPYC Embedded lines, and that additional AGESA patches for some EPYC Embedded products are planned for April 2026.
Jan 15, 2026
Researchers publish technical details and PoC for StackWarp
The disclosure included technical details on exploiting a previously undocumented hypervisor-side control bit and described impacts such as private key recovery, authentication bypass, privilege escalation, and kernel-level code execution; proof-of-concept exploit code was also published on GitHub.
Jan 15, 2026
CISPA researchers publicly disclose the StackWarp vulnerability
Researchers affiliated with the CISPA Helmholtz Center for Information Security disclosed StackWarp, a microarchitectural flaw in AMD Zen 1 through Zen 5 CPUs that can let a malicious host or hypervisor manipulate a protected guest VM's stack pointer and undermine SEV-SNP isolation.
Oct 1, 2025
AMD issues additional StackWarp microcode updates
In October 2025, AMD released further microcode updates for affected processors as part of its mitigation effort for CVE-2025-29943.
Jul 1, 2025
AMD releases initial StackWarp microcode and firmware patches
AMD released patches for StackWarp in July 2025, including microcode updates intended to mitigate the flaw affecting SEV-SNP confidential VMs when SMT is enabled.
Jul 1, 2025
AMD assigns CVE-2025-29943 to the StackWarp CPU flaw
AMD tracked the newly identified StackWarp vulnerability as CVE-2025-29943, describing it as an improper access control issue affecting SEV-SNP-protected virtual machines on Zen processors.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Organizations
Sources
Related Stories
RMPocalypse Vulnerability Enables Full Compromise of AMD SEV-SNP Encrypted Virtual Machines
A critical vulnerability, identified as CVE-2025-0033 and dubbed RMPocalypse, has been discovered in AMD's Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP) technology. This flaw allows attackers to bypass the core security guarantees of SEV-SNP, which is designed to protect the confidentiality and integrity of virtual machines (VMs) even in hostile environments. Researchers from ETH Zürich revealed that the vulnerability stems from incomplete protections in the initialization of the Reverse Map Paging (RMP) table, a key data structure that stores security metadata for all DRAM pages in the system. The RMP table, which maps system physical addresses to guest physical addresses, is only partially protected during VM startup, creating a window of opportunity for exploitation. By performing a single, carefully crafted 8-byte memory write to the RMP table, an attacker can corrupt its contents, undermining the isolation between VMs and the hypervisor. This attack vector enables adversaries with sufficient access to bypass SEV-SNP's hardware-enforced boundaries, potentially gaining full control over encrypted VMs. The implications are severe: attackers could access sensitive data, activate hidden debug functions, forge attestation checks, and even perform replay attacks by restoring previous VM states. AMD has acknowledged the issue and released firmware updates to address the vulnerability, urging customers to apply the patches promptly. The flaw highlights a fundamental challenge in confidential computing, where the security of the underlying mechanisms is as critical as the protections they provide. The vulnerability is particularly concerning for cloud service providers and enterprises relying on SEV-SNP for secure multi-tenant environments. Security experts recommend immediate patching and a review of VM isolation strategies in light of this disclosure. The RMPocalypse flaw demonstrates that even advanced hardware-based security features can be undermined by subtle implementation oversights. The research underscores the importance of rigorous security validation for all components involved in confidential computing. Organizations are advised to monitor for further advisories from AMD and to assess the potential exposure of their virtualized workloads. The incident serves as a reminder that attackers continue to seek and exploit weaknesses in foundational security technologies. The public disclosure of RMPocalypse has prompted renewed scrutiny of hardware-assisted virtualization security. The vulnerability's exploitation requires a high level of technical skill but poses a significant risk to environments where SEV-SNP is deployed. AMD's response includes not only patches but also updated guidance for secure deployment of SEV-SNP-enabled systems. The security community is closely watching for any signs of exploitation in the wild following the release of technical details. This event is expected to influence future designs of confidential computing architectures across the industry.
1 months ago
Xen Patches Cross-Guest Data Leak on AMD Zen1 CPUs
Xen disclosed **XSA-488**, a transient execution vulnerability named **Floating Point Divider State Sampling** that affects x86 deployments running on vulnerable **AMD Fam17h (Zen1)** processors. The flaw was identified by researchers from the **CISPA Helmholtz Center for Information Security**, and Xen said an attacker may be able to infer data from other execution contexts, including **other guest VMs**, creating a cross-tenant confidentiality risk for virtualized environments. According to the advisory, **all Xen versions** are affected when deployed on the impacted CPU family. Xen said **no mitigations are currently available**, but released fixes for `xen-unstable` and the supported **4.20/4.19, 4.18, and 4.17** branches, urging operators on affected hardware to apply the relevant patches to reduce exposure.
2 days ago
AMD Zen 5 RDSEED Vulnerability Weakens Cryptographic Security
AMD has confirmed a high-severity vulnerability in the RDSEED instruction of its Zen 5 architecture CPUs, including Epyc 9005, Ryzen 9000, and Threadripper 9000 series. The flaw, tracked as CVE-2025-62626, allows the RDSEED function to return a value of 0 as a valid random number in approximately 10% of cases, potentially undermining the integrity of cryptographic keys and other security operations that rely on strong randomness. The issue was discovered by a Meta engineer and publicly disclosed via a Linux kernel mailing list, raising concerns about the predictability of cryptographic operations on affected systems. AMD has responded by releasing microcode patches for some affected processors, such as the Epyc 9005 series, and is working on additional fixes for other impacted models. As a temporary mitigation, users are advised to use the unaffected 64-bit RDSEED variant where possible or disable the RDSEED instruction via boot parameters. The vulnerability requires local privileges to exploit, meaning an attacker would already need significant access to the system. Linux kernel updates have also attempted to address the issue, though some users have reported compatibility problems with certain distributions following these changes.
1 months ago