- ETH Zurich researchers found a new Spectre-BTI attack called VMSCAPE that lets a VM steal host data
- It affects cloud setups using KVM/QEMU on AMD and Intel CPUs, bypassing existing defenses
- They propose flushing the branch predictor on VMEXIT as a low-cost fix
If Ghostbusters taught us anything, it’s that spectres are notoriously difficult to get rid of.
Security researchers from the Swiss public university, ETH Zurich, recently discovered a new Spectre-BTI (Branch Target Injection) attack that allows a malicious virtual machine (VM) to leak sensitive data from the host system, without modifying host software.
The research team – Jean-Claude Graf, Sandro Rüegge, Ali Hajiabadi, and Kaveh Razavi – conducted a systematic analysis of branch predictor isolation, targeting environments using KVM/QEMU virtualization on AMD Zen 4 and Zen 5 CPUs.
Fixing the flaw
In early June, they developed an exploit and named it VMSCAPE.
According to the research paper published earlier this week, VMSCAPE is proof that default mitigations (hardware and software defenses that were previously considered sufficient for speculative execution attacks such as Spectre) are not enough to prevent speculative execution attacks across VM boundaries, and that secrets like disk encryption keys can be leaked in real-world cloud setups.
All cloud providers running virtualized workloads on vulnerable CPUs using KVM/QEMU are affected by the bug, the researchers further explained, which includes AMD Zen 1-5, and Intel’s Coffee Lake chips. KVM/QEMU is a powerful virtualization stack commonly used in Linux-based cloud environments.
The bug is now tracked as CVE-2025-40300, but the severity score has not yet been determined.
Chipmakers are already on the move, as well. An AMD spokesperson told The Register that the company is preparing a security brief, as well as a software fix.
An Intel representative told the same publication that existing mitigations can be used to address this flaw. “Linux mitigations are expected to be available on the VMSCAPE public disclosure date, and a CVE for this issue will be assigned by Linux,” they added.
The paper’s authors propose flushing the CPU’s branch predictor using IBPB on VMEXIT as a mitigation for VMSCAPE, as this prevents a malicious guest VM from influencing speculative execution paths in the host. They also stressed that the tests showed negligible performance overhead, and that the fix was practical for deployment.
Via The Register