Phoenix Rowhammer Attack DDR5 RAM

A new Rowhammer attack variant named Phoenix can bypass the latest protections in modern DDR5 memory chips, researchers have revealed.

The attack is the first to demonstrate a practical privilege escalation exploit on a commodity system equipped with DDR5 RAM, undermining the assumption that these newer memory modules were immune to such threats.

Rowhammer is a long-standing hardware vulnerability where repeatedly accessing (or “hammering”) rows of memory cells in a DRAM chip can cause electrical interference, leading to bit flips in adjacent, unaccessed rows.


While numerous attacks have targeted older DDR3 and DDR4 memory, DDR5 was designed with more sophisticated in-DRAM Target Row Refresh (TRR) mechanisms to prevent this.

These mitigations were believed to be effective, as previous attempts to trigger Rowhammer bit flips on DDR5 devices had largely failed.

Self-Correcting Synchronization

Researchers from ETH Zurich and Google discovered that the TRR mechanisms in DDR5 chips from vendor SK Hynix operate over significantly longer and more complex patterns than those in DDR4.

To bypass these defenses, an attack must remain synchronized with thousands of periodic refresh commands issued by the memory controller.

The research team found that existing synchronization techniques were not reliable enough for this task, as they would frequently miss refresh commands and lose alignment, rendering the attack ineffective.

The key innovation behind the Phoenix attack is a technique the researchers call self-correcting synchronization. Instead of trying to avoid missing refresh commands, Phoenix is designed to detect when a refresh has been missed and automatically realign its hammering pattern accordingly.

This allows the attack to maintain synchronization for the extended periods required to accumulate enough “hammers” to cause bit flips, even on a standard commodity computer with default settings.

By reverse-engineering the behavior of the TRR mechanisms, the team developed custom hammering patterns that exploit “blind spots” in the defense, hammering specific memory locations in lightly monitored refresh intervals.

The Phoenix attack proved highly effective in tests. It successfully triggered bit flips on all 15 commercial DDR5 memory modules from SK Hynix that were evaluated, which were manufactured between 2021 and 2024.

Using these bit flips, the researchers developed the first end-to-end Rowhammer exploit for DDR5, allowing them to gain the highest-level (root) privileges on a test system in as little as 109 seconds. The vulnerability has been assigned the identifier CVE-2025-6202.

The findings were responsibly disclosed to SK Hynix, CPU vendors, and major cloud providers in June 2025. While increasing the memory refresh rate by a factor of three was shown to mitigate the attack, it incurred a significant performance overhead of 8.4%.

The researchers argue that Phoenix demonstrates the need for manufacturers to implement principled, verifiable security measures rather than relying on proprietary, obscure mitigations that can be bypassed with enough effort.
