New VMScape attack breaks guest-host isolation on AMD, Intel CPUs
A new Spectre-like attack dubbed VMScape allows a malicious virtual machine (VM) to leak cryptographic keys from an unmodified QEMU hypervisor process running on modern AMD or Intel CPUs.
The attack breaks the isolation between VMs and the cloud hypervisor, bypassing existing Spectre mitigations and threatening to leak sensitive data by leveraging speculative execution.
The researchers highlight that VMScape does not require compromising the host and works on unmodified virtualization software with default mitigations enabled on the hardware.
They note that a threat actor could deploy such an attack against a cloud provider by simply renting a virtual machine to leak secrets from the hypervisor or other VMs.
VMScape was developed by a team of researchers at ETH Zurich in Switzerland, who found that it affects all AMD processors from Zen 1 to Zen 5, as well as Intel’s “Coffee Lake” CPUs. Intel’s newer “Raptor Cove” and “Gracemont” cores are not impacted.
Leaking secrets from QEMU
Modern CPUs are meant to isolate the guest from the host inside the branch prediction unit (BPU) as well, so that a guest’s branch training cannot steer speculation on the host side. The researchers found that this isolation is incomplete.

A user-mode process inside the guest can influence indirect branch prediction in a user-mode process on the host, because the two share BPU structures such as the BTB (Branch Target Buffer), the IBP/ITA (Indirect Branch Predictor / Indirect Target Array), and the BHB (Branch History Buffer).
The attack targets QEMU, the user-space component of the hypervisor stack. QEMU maps the guest’s memory into its own address space, so memory the guest controls is also reachable from the victim process, which gives the attacker a ‘FLUSH+RELOAD’ cache side channel for observing what QEMU speculatively touches.
The ETH Zurich researchers used a Spectre-BTI (Branch Target Injection) attack to misdirect a target indirect branch in QEMU so that it speculatively executes a disclosure gadget, which leaks secret data into a reload buffer that is shared between the guest and QEMU.

To widen the speculative execution window, the attacker evicts the cache lines the victim branch depends on, so the misprediction takes longer to resolve. This is done from inside the guest by building eviction sets that target the Last-Level Cache (LLC), which the researchers demonstrated on AMD Zen 4 CPUs.
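Building an eviction set means finding a small group of addresses that all map to the same cache set as the target line, without knowing the CPU’s address-to-set hashing. The following is an added example, not code from the ETH Zurich researchers: it runs the group-testing reduction of Vila, Köpf and Morales against a small simulated set-associative LRU cache whose set index comes from a hidden hash (standing in for the undocumented LLC slice/set hashing). The only thing the “attacker” code uses is the evict/reload oracle, which in a real attack would be a timing measurement rather than an exact answer. The class and function names, the cache geometry (64 sets, 8 ways) and the hash are all assumptions made for the example.

```python
"""Group-testing reduction of an LLC eviction set against a simulated cache."""
import random

WAYS = 8     # associativity of each simulated cache set (real LLCs: 12-16 ways)
SETS = 64    # number of sets (real LLCs: thousands, spread over slices)
LINE = 64    # cache line size in bytes


class SimCache:
    """Toy set-associative LRU cache (constructed for this example).
    The set index is derived through a hidden hash, like the undocumented
    hashing of a real LLC, so the attacker code below never computes it."""

    def __init__(self, secret):
        self._secret = secret
        self._sets = [[] for _ in range(SETS)]

    def set_index(self, addr):
        line = addr // LINE
        return (line ^ (line >> 6) ^ (line >> 11) ^ self._secret) % SETS

    def access(self, addr):
        """Touch one address; return True on hit, False on miss (LRU replacement)."""
        line = addr // LINE
        ways = self._sets[self.set_index(addr)]
        hit = line in ways
        if hit:
            ways.remove(line)
        elif len(ways) >= WAYS:
            ways.pop(0)          # evict the least recently used line
        ways.append(line)
        return hit


def evicts(cache, candidates, victim):
    """The attacker's only oracle: load victim, traverse candidates, reload victim.
    In a real attack the final access is timed; a slow reload means 'evicted'."""
    cache.access(victim)
    for addr in candidates:
        cache.access(addr)
    return not cache.access(victim)


def reduce_eviction_set(cache, candidates, victim):
    """Shrink a large set that evicts victim down to exactly WAYS addresses that
    still evict it. Each round splits S into WAYS+1 groups and discards the first
    group whose removal still leaves an evicting set; by pigeonhole one exists."""
    s = list(candidates)
    if not evicts(cache, s, victim):
        raise ValueError("initial candidate set does not evict the victim")
    while len(s) > WAYS:
        groups = [s[i::WAYS + 1] for i in range(WAYS + 1)]
        for group in groups:
            drop = set(group)
            rest = [a for a in s if a not in drop]
            if evicts(cache, rest, victim):
                s = rest
                break
        else:
            # Cannot happen with an exact oracle; with noisy timing you would retry.
            raise RuntimeError("no removable group found")
    return s


def build_eviction_set(seed=1, pool_size=2048):
    """Pick a victim line and a random candidate pool (constructed input),
    reduce the pool, and return (cache, victim, eviction_set) for checking."""
    rng = random.Random(seed)
    cache = SimCache(secret=rng.randrange(SETS))
    victim = rng.randrange(1 << 20) * LINE
    pool = set()
    while len(pool) < pool_size:
        addr = rng.randrange(1 << 20) * LINE
        if addr != victim:
            pool.add(addr)
    ev = reduce_eviction_set(cache, sorted(pool), victim)
    return cache, victim, ev


def is_minimal(cache, ev, victim):
    """True if ev evicts victim but no subset with one line removed does."""
    if not evicts(cache, ev, victim):
        return False
    return all(not evicts(cache, ev[:i] + ev[i + 1:], victim)
               for i in range(len(ev)))


if __name__ == "__main__":
    cache, victim, ev = build_eviction_set()
    print(f"victim maps to set {cache.set_index(victim)}; "
          f"eviction set has {len(ev)} lines, minimal={is_minimal(cache, ev, victim)}")
```

The reduction needs only the oracle, which is why it transfers to hardware: replace `SimCache.access` with real loads and `evicts` with a timed reload, and the same loop finds the conflicting lines. On hardware the oracle is noisy (prefetchers, other tenants, guest-physical rather than host-physical addressing), so each test is typically repeated and a majority taken before a group is dropped.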
ASLR (Address Space Layout Randomization), which randomizes where a process’s code and data are placed in memory, is defeated by probing for branch collisions to locate the victim gadget and by brute-forcing the virtual address of the reload buffer within QEMU.
ETH Zurich researchers showed that VMScape leaks arbitrary memory data from QEMU at a rate of 32 bytes/second, with a byte-level accuracy of 98.7%, and an overall exploit success rate of 43%.
At this rate, a 4KB secret, such as a disk encryption key, could be leaked in 128 seconds. The total end-to-end time, including the ASLR bypassing process, would be 772 seconds, or just under 13 minutes.
Impact and response
Virtualization is the backbone of cloud computing, and if one guest machine can read memory from the host, it threatens multi-tenant cloud security.
However, attacks like VMScape require deep technical expertise and sustained execution time on the target host. Because of this, such attacks, even though they are possible, do not represent a threat to the larger userbase; the realistic concern is a multi-tenant cloud host, where an attacker only needs to rent a VM next to the victim.

The ETH Zurich team reported their findings to AMD and Intel on June 7, 2025, and the issue received the identifier CVE-2025-40300. AMD has published a security bulletin about the problem.
Linux kernel developers released patches that mitigate VMScape by issuing an IBPB (Indirect Branch Prediction Barrier) after a VMEXIT, before the kernel returns to the user-space hypervisor process, effectively flushing the BPU when control passes from the guest to host user space. The researchers say that this mitigation has minimal performance impact in common workloads.
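On a patched host the kernel reports its VMScape status through the same sysfs interface it uses for the other Spectre-family bugs. The following is an added example (not from the article, the researchers, or the kernel project) of the check a host operator would run: it reads the `vmscape` entry under `/sys/devices/system/cpu/vulnerabilities`, treats a missing entry as the important edge case (a kernel that predates the fix cannot be mitigated and does not even know it is affected), and cross-checks the boot command line for `mitigations=off` or `vmscape=off`, which would disable the IBPB. The status strings are assumed to match the kernel’s `Not affected` / `Mitigation: …` / `Vulnerable…` convention, and the function names are this example’s own.

```python
"""Report the Linux kernel's VMScape mitigation status on a KVM host."""
import os

# One file per speculative-execution bug; "vmscape" arrived with the IBPB fix.
VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"
CMDLINE = "/proc/cmdline"

# Boot parameters that switch the mitigation off (assumed spellings per the
# kernel's mitigations= and vmscape= parameters).
DISABLING_PARAMS = {"mitigations=off", "vmscape=off"}


def classify(text):
    """Map one sysfs status line to a verdict."""
    t = text.strip()
    if t.startswith("Not affected"):
        return "not_affected"
    if t.startswith("Mitigation:"):
        return "mitigated"
    if t.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def cmdline_disables(cmdline_text):
    """True if any boot parameter turns the VMScape mitigation off."""
    return any(tok in DISABLING_PARAMS for tok in cmdline_text.split())


def assess(vmscape_text, cmdline_text=""):
    """Combine the sysfs line (None if the file is absent) and the boot command
    line into a (verdict, reason) pair. The sysfs line is authoritative; the
    command line only explains why a host reports itself as vulnerable."""
    if vmscape_text is None:
        return ("kernel_predates_fix",
                "no vmscape entry in sysfs; this kernel lacks the VMScape patches")
    verdict = classify(vmscape_text)
    if verdict == "vulnerable" and cmdline_disables(cmdline_text):
        return ("vulnerable", "mitigation disabled on the kernel command line")
    return (verdict, vmscape_text.strip())


def host_status(vuln_dir=VULN_DIR, cmdline_path=CMDLINE):
    """Read the live host. Returns the same (verdict, reason) pair as assess()."""
    path = os.path.join(vuln_dir, "vmscape")
    vmscape_text = None
    if os.path.exists(path):
        with open(path) as f:
            vmscape_text = f.read()
    cmdline_text = ""
    if os.path.exists(cmdline_path):
        with open(cmdline_path) as f:
            cmdline_text = f.read()
    return assess(vmscape_text, cmdline_text)


if __name__ == "__main__":
    verdict, reason = host_status()
    print(f"vmscape: {verdict} ({reason})")
```

Run it on the host, not inside a guest: the guest kernel’s sysfs describes the virtual CPU it was given, while the barrier that protects QEMU is issued by the host kernel. A result of `kernel_predates_fix` on a host that runs untrusted VMs is the case to act on first, since no configuration change short of updating the kernel will add the IBPB.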