StackWarp Side-Channel Weakness Undermines AMD SEV-SNP Confidential VMs
Researchers at CISPA Helmholtz Center for Information Security disclosed StackWarp (CVE-2025-29943), a microarchitectural weakness affecting AMD Zen CPUs that can undermine the integrity guarantees of AMD SEV-SNP “confidential VM” protections. The attack model assumes a malicious insider with host/hypervisor control who can run a parallel hyperthread and exploit a previously undocumented hypervisor-side control bit to manipulate the protected guest’s stack pointer behavior, particularly when Simultaneous Multithreading (SMT) is enabled.
Reported impacts include the ability to recover sensitive data from SEV-SNP guests—such as cryptographic private keys—and to enable follow-on compromise scenarios like bypassing OpenSSH password authentication and privilege escalation within the VM. AMD issued patches (made available in July 2025) and later published a security bulletin rating the issue low severity, but the disclosure highlights ongoing risk that confidential computing isolation can be weakened by CPU-level behaviors; organizations running SEV-SNP should prioritize applying AMD’s updates and review SMT-related exposure in multi-tenant or high-trust boundary environments.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
AMD confirms affected product scope and future embedded patches
AMD's guidance indicated the flaw affects Zen 1 through Zen 5 processors, including multiple EPYC and EPYC Embedded lines, and that additional AGESA patches for some EPYC Embedded products are planned for April 2026.
Researchers publish technical details and PoC for StackWarp
The disclosure included technical details on exploiting a previously undocumented hypervisor-side control bit and described impacts such as private key recovery, authentication bypass, privilege escalation, and kernel-level code execution; proof-of-concept exploit code was also published on GitHub.
CISPA researchers publicly disclose the StackWarp vulnerability
Researchers affiliated with the CISPA Helmholtz Center for Information Security disclosed StackWarp, a microarchitectural flaw in AMD Zen 1 through Zen 5 CPUs that can let a malicious host or hypervisor manipulate a protected guest VM's stack pointer and undermine SEV-SNP isolation.
AMD issues additional StackWarp microcode updates
In October 2025, AMD released further microcode updates for affected processors as part of its mitigation effort for CVE-2025-29943.
AMD releases initial StackWarp microcode and firmware patches
AMD released patches for StackWarp in July 2025, including microcode updates intended to mitigate the flaw affecting SEV-SNP confidential VMs when SMT is enabled.
AMD assigns CVE-2025-29943 to the StackWarp CPU flaw
AMD tracked the newly identified StackWarp vulnerability as CVE-2025-29943, describing it as an improper access control issue affecting SEV-SNP-protected virtual machines on Zen processors.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
New StackWarp Hardware Flaw Breaks AMD SEV-SNP Protections on Zen 1-5 CPUs
thehackernews.com
Open sourceStackWarp vulnerability exposes AMD SEV-SNP virtual machines | SC Media
scworld.com
Open sourceFlipping one bit leaves AMD CPUs open to VM vuln • The Register
go.theregister.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
RMPocalypse Vulnerability Enables Full Compromise of AMD SEV-SNP Encrypted Virtual Machines
A critical vulnerability, identified as CVE-2025-0033 and dubbed RMPocalypse, has been discovered in AMD's Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP) technology. This flaw allows attackers to bypass the core security guarantees of SEV-SNP, which is designed to protect the confidentiality and integrity of virtual machines (VMs) even in hostile environments. Researchers from ETH Zürich revealed that the vulnerability stems from incomplete protections in the initialization of the Reverse Map Paging (RMP) table, a key data structure that stores security metadata for all DRAM pages in the system. The RMP table, which maps system physical addresses to guest physical addresses, is only partially protected during VM startup, creating a window of opportunity for exploitation. By performing a single, carefully crafted 8-byte memory write to the RMP table, an attacker can corrupt its contents, undermining the isolation between VMs and the hypervisor. This attack vector enables adversaries with sufficient access to bypass SEV-SNP's hardware-enforced boundaries, potentially gaining full control over encrypted VMs. The implications are severe: attackers could access sensitive data, activate hidden debug functions, forge attestation checks, and even perform replay attacks by restoring previous VM states. AMD has acknowledged the issue and released firmware updates to address the vulnerability, urging customers to apply the patches promptly. The flaw highlights a fundamental challenge in confidential computing, where the security of the underlying mechanisms is as critical as the protections they provide. The vulnerability is particularly concerning for cloud service providers and enterprises relying on SEV-SNP for secure multi-tenant environments. Security experts recommend immediate patching and a review of VM isolation strategies in light of this disclosure. The RMPocalypse flaw demonstrates that even advanced hardware-based security features can be undermined by subtle implementation oversights. The research underscores the importance of rigorous security validation for all components involved in confidential computing. Organizations are advised to monitor for further advisories from AMD and to assess the potential exposure of their virtualized workloads. The incident serves as a reminder that attackers continue to seek and exploit weaknesses in foundational security technologies. The public disclosure of RMPocalypse has prompted renewed scrutiny of hardware-assisted virtualization security. The vulnerability's exploitation requires a high level of technical skill but poses a significant risk to environments where SEV-SNP is deployed. AMD's response includes not only patches but also updated guidance for secure deployment of SEV-SNP-enabled systems. The security community is closely watching for any signs of exploitation in the wild following the release of technical details. This event is expected to influence future designs of confidential computing architectures across the industry.
Mar 21, 2026
Speculative-Execution CPU Flaws Exposed Data Across Intel, AMD, and ARM Systems
Researchers disclosed the **Meltdown** and **Spectre** hardware flaws, showing that speculative execution in modern processors could let attackers read sensitive data across security boundaries on affected devices. Reuters reported that **Meltdown** primarily affected Intel processors by breaking memory isolation, while **Spectre** impacted Intel, AMD, and ARM chips by tricking applications into leaking secrets such as passwords and other protected data. CERT/CC later summarized the broader issue as cache side-channel attacks against CPU hardware using speculative execution, underscoring that the weakness was architectural rather than limited to a single product line. Major vendors and cloud providers moved to contain the fallout with software, firmware, and microcode mitigations, including Microsoft Azure protections for hosted customers and public advisories from manufacturers such as Huawei. Subsequent research showed the problem persisted beyond the initial disclosures: the **ZombieLoad** attacks demonstrated additional Intel data-leakage paths tied to speculative execution, and a later **TSX Asynchronous Abort (TAA)** variant affected some processors previously thought to be resistant. Intel issued microcode updates, but researchers and vendors warned that mitigations reduced rather than eliminated risk, that exploitation generally required local code execution, and that fully disabling the underlying CPU behavior would carry significant performance costs.
May 25, 2026
Xen warns AMD Zen 2 opcode cache flaw can enable guest-to-host escalation
Xen disclosed **Xen Security Advisory 490** for `CVE-2025-54518`, an x86 CPU opcode cache corruption flaw affecting Xen deployments on certain AMD processors. The issue is believed to impact **AMD Family 17h CPUs based on the Zen 2 microarchitecture**, and Xen said successful exploitation could let code running at any privilege level gain higher privileges, including **userspace-to-kernel** and **guest-to-host** escalation. The advisory says **all Xen versions** are affected when running on the vulnerable CPUs, while other AMD processors and CPUs from other vendors are not known to be impacted. Xen reported that **no mitigations are available** and directed users to apply released patches for `xen-unstable`, Xen `4.21.x` through `4.18.x`, and Xen `4.17.x`; the `4.17` branch also requires an unusual additional backported patch because the fix is closely coupled with an earlier change.
May 25, 2026