New Phoenix RowHammer attack breaks DDR5 protection in 109 seconds

16.09.2025 2 minutes Author: Newsman

Researchers from ETH Zurich and Google have discovered a new variant of the RowHammer attack, dubbed Phoenix. It bypasses even modern DDR5 memory protection mechanisms and allows an attacker to escalate privileges to root on a regular system in less than two minutes.

Phoenix (CVE-2025-6202, CVSS 7.1) shows that even DDR5 with built-in ECC and Target Row Refresh (TRR) is not secure. The attack relies on repeated accesses to a specific DRAM row, which cause bit flips in neighboring memory cells. This can lead to data corruption or controlled substitution of data.

In tests, Phoenix was able to bypass TRR on all 15 tested SK Hynix modules manufactured between 2021 and 2024. As a result, the attack made it possible to:

  • steal the RSA-2048 keys of a virtual machine and break SSH authentication,
  • use sudo to escalate privileges to root.

Thus, Phoenix became the first confirmed RowHammer exploit for DDR5 systems in a working configuration. The RowHammer vulnerability has been known since 2014 and has only intensified over time, as DRAM density keeps increasing. A 2020 study by ETH Zurich proved that the smaller the process technology, the fewer cycles are required for a bit flip.

Previous attacks (TRRespass, SMASH, Half-Double and Blacksmith) have already shown that basic protections can be bypassed. Recent work (OneFlip, ECC.fail) has also proven that even server ECC memory can be vulnerable. Phoenix puts DDR5 in the same risk category.

Phoenix demonstrates that DDR5 does not have absolute protection against RowHammer. Since DRAM is not upgradable, the vulnerability will remain with users for years. Researchers recommend tripling the refresh rate, which stopped the attack in tests. For enterprises, however, this means increased costs and the need for new protection methods.
