Flipping one bit leaves AMD CPUs open to VM vuln

Steven

Flipping one bit leaves AMD CPUs open to VM vuln

Summary

Researchers at the CISPA Helmholtz Center for Information Security disclosed “StackWarp”, a microarchitectural vulnerability affecting AMD Zen CPUs that undermines the integrity of AMD SEV-SNP confidential virtual machines when Simultaneous Multithreading (SMT) is enabled. By toggling a previously undocumented control bit (bit 19) in core-scoped MSR 0xC0011029, an attacker on the host — or on a sibling hyperthread — can desynchronise the CPU’s stack engine and manipulate a guest VM’s stack pointer. The team demonstrated recovery of RSA-2048 keys, bypassing OpenSSH and sudo authentication, and achieving ring 0 execution by corrupting kernel stacks. AMD was notified and released mitigations in July 2025 (CVE-2025-29943); OEM firmware updates may also be required.

Key Points

  • Vulnerability name: StackWarp (CVE-2025-29943) — affects AMD Zen CPUs with SMT enabled and SEV-SNP guests.
  • Root cause: abuse of the CPU frontend “stack engine” via an undocumented MSR bit (bit 19 of MSR 0xC0011029) that breaks stack-pointer synchronisation between sibling threads.
  • Impact: recovery of private keys (RSA-2048 demonstrated), bypass of OpenSSH and sudo authentication, and potential kernel (ring 0) code execution.
  • Mitigation: AMD released patching in July 2025 and published security bulletin SB-3027; OEM firmware/BIOS updates and vendor rollouts may still be required.
  • Proof-of-concept: exploit code and paper published by CISPA — paper appears in USENIX Security 2026 and PoC on GitHub.

Why should I read this?

Short and blunt: if you run cloud instances, confidential VMs or any SEV-SNP workloads on AMD hardware with SMT turned on, this is relevant — and urgent. The exploit needs just one undocumented bit flip to throw the stack engine out of sync and let a hostile sibling thread mess with a protected VM. Patches exist, but firmware rollouts lag, so it’s worth checking systems now.

Context and relevance

Confidential VMs (CVMs) like AMD SEV-SNP and Intel TDX are marketed to provide strong hardware isolation between guest VMs and the hypervisor. StackWarp is another reminder that microarchitectural features intended to speed CPUs can become attack surfaces. The issue is especially troubling for cloud providers and organisations relying on on-host isolation guarantees: an attacker with control of the host or a collocated workload on the same physical core can subvert VM integrity. This feeds into broader trends in which SMT and shared frontend/backend resources are repeatedly targeted by side-channel and microarchitectural exploits.

Actionable steps: verify that AMD patches (July 2025) are applied, check for OEM/BIOS updates from server vendors, consider disabling SMT on hosts running sensitive SEV-SNP guests until firmware is confirmed patched, and monitor vendor security bulletins and the CISPA GitHub PoC for indicators and mitigations.

Source

Source: https://www.theregister.com/2026/01/15/stackwarp_bug_amd_cpus/