New Phoenix Rowhammer Attack Bypasses DDR5 On-Die ECC Protections

Recent research from ETH Zurich and Google has revealed a significant vulnerability in SK Hynix DDR5 memory modules, exposing them to a new Rowhammer attack variant named Phoenix (CVE-2025-6202). Notably, this exploit remains effective even against modules equipped with on-die error-correcting code (ECC), a feature designed to enhance memory reliability. The Phoenix attack can be executed in just 109 seconds, underscoring its practicality as a real-world threat.

Understanding the Phoenix Rowhammer Variant

The research team reverse-engineered the built-in DRAM mitigation known as Target Row Refresh (TRR), which is intended to defend against traditional Rowhammer exploits. Their analysis uncovered a critical weakness in the refresh-sampling logic: the sampling period repeats every 128 tREFI intervals, and within each cycle the first two of four sub-intervals are only lightly sampled. This under-sampling creates a window of opportunity for attackers.

Leveraging this blind spot, the researchers developed two innovative hammering patterns: a shorter 128-tREFI pattern and a much longer 2608-tREFI pattern. They also introduced a self-correcting refresh synchronization technique, allowing the attack to realign itself whenever a refresh is missed. This advancement enables Phoenix to maintain precise alignment across thousands of refresh intervals, a feat that previous methods like Zenhammer could not achieve reliably.

Impact on SK Hynix DDR5 Modules

The team tested 15 SK Hynix DDR5 modules manufactured between late 2021 and late 2024. Every module exhibited bit flips under at least one of the two hammering patterns, with the 128-tREFI pattern proving approximately 2.62 times more effective on average. The researchers observed thousands of bit flips per DIMM, which they were able to exploit for practical attacks, including:

  • Corrupting page tables to gain arbitrary read/write access
  • Extracting RSA-2048 private keys from co-located virtual machines
  • Escalating local privileges by corrupting critical binaries such as sudo

To increase the likelihood of targeting a vulnerable refresh offset—only 2 out of 128 offsets (1.56%) are susceptible—the researchers ran four shifted pattern instances in parallel across each of the four memory banks. This approach boosted the probability of a successful attack to roughly 25%.

Mitigation Strategies and Industry Response

As a temporary mitigation, the researchers tested tripling the DRAM refresh rate (with tREFI intervals of approximately 1.3 microseconds), which successfully prevented Phoenix-induced bit flips in their test environment. However, this solution incurs a performance overhead of up to 8.4% on SPEC CPU2017 benchmarks. The team also highlighted the importance of BIOS and firmware updates as immediate countermeasures.

Following responsible disclosure, the researchers coordinated with SK Hynix, CPU manufacturers, and major cloud providers to address the vulnerability. This collaboration led to mitigation efforts, including a BIOS update for AMD systems announced during the embargo period. To support the community, the team released diagnostic artifacts and a proof-of-concept tool on GitHub, enabling administrators to assess the vulnerability of their own DDR5 modules. The published code is intended strictly for diagnostic purposes and not for exploitation.
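A fleet-inventory check in the administrator's role described above, added here as an example and not taken from the article or the researchers' GitHub release: it parses `dmidecode -t memory` output (field names assumed from the standard "Memory Device" record; the sample output is constructed) and flags installed SK Hynix DDR5 DIMMs for follow-up with the diagnostic tool and BIOS/firmware updates.

```python
"""Inventory check for the Phoenix (CVE-2025-6202) advisory: flag installed SK Hynix
DDR5 DIMMs for the released diagnostic tool and BIOS/firmware updates. Added example,
not the article's or researchers' code; assumes the "Memory Device" record layout of
`dmidecode -t memory`. The sample below is constructed (placeholder part numbers)."""
import re

SAMPLE_DMIDECODE = """\
Handle 0x0040, DMI type 17, 92 bytes
Memory Device
    Size: 32 GB
    Locator: DIMM_A1
    Type: DDR5
    Manufacturer: SK Hynix
    Part Number: EXAMPLE-PN-1

Handle 0x0041, DMI type 17, 92 bytes
Memory Device
    Size: No Module Installed
    Locator: DIMM_A2
    Type: Unknown
    Manufacturer: Not Specified
    Part Number: Not Specified

Handle 0x0042, DMI type 17, 92 bytes
Memory Device
    Size: 32 GB
    Locator: DIMM_B1
    Type: DDR4
    Manufacturer: Micron Technology
    Part Number: EXAMPLE-PN-2
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+):\s*(.*?)\s*$", re.MULTILINE)  # "Key: value" lines
SIZE_RE = re.compile(r"\d+\s*[MG]B")  # populated slot; empty slots say "No Module Installed"

def parse_memory_devices(text):
    """One dict of field -> value per 'Memory Device' record (Handle lines have no colon)."""
    devices = []
    for block in text.split("Memory Device")[1:]:
        devices.append(dict(FIELD_RE.findall(block)))
    return devices

def phoenix_candidates(devices):
    """Installed DDR5 modules whose manufacturer string names SK Hynix."""
    return [
        d for d in devices
        if SIZE_RE.match(d.get("Size", ""))
        and d.get("Type") == "DDR5"
        and "hynix" in d.get("Manufacturer", "").lower()
    ]
```

On a real host, replace `SAMPLE_DMIDECODE` with the output of `dmidecode -t memory` run as root; a flagged DIMM is a candidate for the researchers' diagnostic tool, not a confirmed vulnerable part.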