New Vulnerability Discovered in Virtualization: The VMScape Attack
A team of researchers from ETH Zurich has unveiled a significant vulnerability affecting virtualization isolation, which allows for the leakage of sensitive memory data and cryptographic keys. This research highlights potential security risks in cloud environments that utilize virtual machines (VMs) for workload isolation.
Understanding the Vulnerability
The researchers identified critical weaknesses in the way domain isolation functions within virtualized systems. Their findings suggest that the boundaries between host and guest operations in virtual machines are not as robust as previously assumed. This inadequacy may lead to unauthorized exposure of sensitive information across various microarchitectures.
Their exploit, dubbed VMScape, is a proof-of-concept (PoC) targeting cloud infrastructures. This Spectre-based branch target injection method specifically affects all AMD Zen CPUs and certain older Intel CPUs, challenging the fundamental security architecture of virtualized environments.
The Mechanics of the VMScape Attack
Virtual machines serve as a primary mechanism for securely isolating processes in the cloud. However, Spectre attacks like Spectre-BTI can undermine this isolation by exploiting the branch predictor state that host and guest share within a CPU. The researchers found that while CPU manufacturers have taken steps to mitigate such exploits by hardening speculative execution, some gaps remain unaddressed.
Their analysis uncovered new attack primitives classified as Virtualization-Based Spectre-BTI (vBTI), which can potentially allow attackers to target the host from a VM or vice versa. VMScape represents the first instance in which a malicious user within a guest VM can leak sensitive information from the hypervisor without any code changes or modifications to default configurations.
Demonstrating the Attack
The research team demonstrated the effectiveness of VMScape by targeting the Kernel-based Virtual Machine (KVM) with QEMU as the hypervisor. Their tests revealed that the attack could extract memory from the QEMU process at a speed of 32 bytes per second on AMD Zen 4 processors. Over a duration of 1,092 seconds, they successfully located and leaked cryptographic keys used for disk encryption, showcasing the potential risks associated with this vulnerability.
Implications for Cloud Security
The implications of the VMScape attack are significant, particularly for virtualized environments. While the researchers noted that the attack only affects systems running untrusted code in local VMs—a situation not present in all environments—they emphasized that many cloud infrastructures likely contain hardware susceptible to these vulnerabilities.
Although Intel has made efforts to enhance isolation through the implementation of enhanced Indirect Branch Restricted Speculation (eIBRS), the researchers warned that existing gaps could expose even the latest Intel CPUs to potential virtualization Branch History Injection (vBHI) attacks.
Addressing the Threat
To mitigate the risks posed by the VMScape attack, implementing an Indirect Branch Prediction Barrier (IBPB) is crucial. The researchers indicated that an IBPB should be deployed before any VM exits to ensure robust protection when interacting with the hypervisor.
The findings were responsibly disclosed in June 2025, prompting timely patches. VMScape has been assigned the identifier CVE-2025-40300 with a CVSS score of 6.5. Major Linux distributions have already released updates to combat this vulnerability.
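To confirm that a Linux KVM host actually runs with the mitigation after updating, the kernel's own status report can be checked. The script below is an added example, not code from the researchers or the article; it assumes the sysfs file and the `vmscape=` boot parameter that patched upstream Linux kernels provide, neither of which is named on this page.

```shell
#!/bin/sh
# Added example: audit a Linux KVM host for the VMScape (CVE-2025-40300) mitigation.
# Assumption: patched kernels report status in this sysfs file and honour a
# vmscape= boot parameter. Status lines are matched by prefix only.
VMSCAPE_SYSFS=/sys/devices/system/cpu/vulnerabilities/vmscape

# classify_status STATUS_LINE -> prints not-affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# cmdline_disables CMDLINE -> returns 0 if a boot parameter switches the mitigation off
cmdline_disables() {
    for arg in $1; do                  # intentional word splitting of the cmdline
        case "$arg" in
            vmscape=off|mitigations=off) return 0 ;;
        esac
    done
    return 1
}

# audit_host [SYSFS_FILE] [CMDLINE_FILE]
# Returns 0 = not affected or mitigated, 1 = vulnerable/unknown, 2 = no status file.
audit_host() {
    sysfs=${1:-$VMSCAPE_SYSFS}
    cmdline_file=${2:-/proc/cmdline}
    if [ ! -r "$sysfs" ]; then
        echo "unknown: $sysfs missing, kernel likely predates the VMScape patches"
        return 2
    fi
    status=$(cat "$sysfs")
    verdict=$(classify_status "$status")
    if cmdline_disables "$(cat "$cmdline_file" 2>/dev/null)"; then
        echo "warning: mitigation disabled on the kernel command line"
    fi
    echo "$verdict: $status"
    case "$verdict" in
        not-affected|mitigated) return 0 ;;
        *) return 1 ;;
    esac
}

# Run against the live host only when invoked as: sh script.sh --run
if [ "${1:-}" = "--run" ]; then audit_host; fi
```

A missing status file is reported separately from "Vulnerable" because it means the running kernel has not been updated at all, which is the more common finding on hosts that installed the patch but have not yet rebooted.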
Conclusion
The ETH Zurich research team remains optimistic that AMD and Intel, along with other hypervisor vendors, will respond appropriately to the vulnerabilities outlined in their findings. Users of virtualization technologies such as VMware and Hyper-V are encouraged to ensure they are running the latest software versions to protect against potential exploits stemming from VMScape and related vulnerabilities. The landscape of cloud security continues to evolve, and awareness of these threats is key to safeguarding sensitive information.