Researchers from the CISPA Helmholtz Center for Information Security have uncovered StackWarp, a hardware vulnerability in AMD Zen 1 through Zen 5 processors that allows attackers to compromise confidential virtual machines. By exploiting a synchronization failure in the CPU stack engine, malicious hosts can manipulate guest VM stack pointers to steal encryption keys or achieve remote code execution.

A team of researchers from the CISPA Helmholtz Center for Information Security in Germany recently disclosed a significant hardware vulnerability affecting a wide range of AMD processors. Known as StackWarp, this flaw impacts Zen 1 through Zen 5 architectures and specifically targets the security of confidential virtual machines. The vulnerability stems from an architectural issue where the CPU frontend fails to properly synchronize stack pointer updates, creating a gap that can be exploited through software-based methods.

By taking advantage of this synchronization failure, a malicious actor operating a VM host can manipulate the stack pointer of a guest virtual machine. This level of control allows the attacker to hijack data and control flows, leading to severe consequences such as privilege escalation and remote code execution within the protected environment. The researchers proved the gravity of the flaw by demonstrating its ability to reconstruct RSA-2048 private keys, bypass Sudo password prompts, and circumvent OpenSSH authentication.

While the technical requirements for such an attack are high, requiring privileged control over the host server, the implications for cloud security are profound. These attacks are most likely to originate from rogue employees at a cloud service provider or sophisticated threat actors who have successfully compromised the provider’s infrastructure. Even though the likelihood of a widespread attack remains relatively small, StackWarp proves that AMD’s SEV-SNP encryption can be bypassed to compromise the integrity of a system without the attacker ever needing to view decrypted memory.

The findings highlight a critical breach in the promise of execution integrity that confidential computing aims to provide. The researchers noted that when these defenses are broken, confidential passwords can be stolen, and the isolation between the host and guest VMs can no longer be guaranteed. This effectively allows an attacker to impersonate legitimate users or maintain persistent control over a system that was previously thought to be isolated and secure from the hardware level up.

AMD has acknowledged the vulnerability, which is tracked as CVE-2025-29943, and released an advisory regarding the matter. Although the chip manufacturer assigned the flaw a low severity rating, they confirmed that patches for impacted EPYC server products have been available since July 2025. Detailed technical information, including a research paper and demonstration videos, has been made available on a dedicated website hosted by the CISPA team to help the security community understand and mitigate the risks.

Source: StackWarp Attack Threatens Confidential Virtual Machines on AMD Processors