VMScape: Academics Break Cloud Isolation With New Spectre Attack

By exploiting gaps in the speculative execution mitigations that CPU vendors extended to the branch predictor state, VMScape leaks arbitrary memory from the hypervisor.

A group of academic researchers from ETH Zurich have devised a new attack that breaks existing virtualization isolation to leak arbitrary memory and expose cryptographic keys.

The researchers found weaknesses in domain isolation in virtualized environments, showing that host-guest boundaries are not sufficiently isolated and that sensitive information can leak across them on various microarchitectures.

Their proof-of-concept (PoC) exploit, called VMScape, is a Spectre branch target injection (Spectre-BTI) attack targeting cloud environments, and can be used against all AMD Zen CPUs, as well as older Intel CPUs.

Virtual machines (VMs) represent the main mechanism for securely isolating workloads in the cloud, but Spectre attacks, such as Spectre-BTI, can compromise this isolation by targeting the shared branch predictor state within the CPU.

To reduce this attack surface, CPU vendors have extended speculative execution attack mitigations to the branch predictor state, but gaps in those mitigations enable attack scenarios such as VMScape, the academics say.

The researchers’ analysis of these mechanisms, which do not take into account the privilege levels at which the hypervisor and the VMs run, revealed new virtualization-based Spectre-BTI (vBTI) attack primitives that enable Spectre-BTI attacks from a VM against the host, or from the host against a VM.

To demonstrate the vBTI primitives, the academics devised VMScape, which they describe as “the first Spectre-based end-to-end exploit in which a malicious guest user can leak arbitrary, sensitive information from the hypervisor in the host domain, without requiring any code modifications and in default configuration.”

The attack targets Kernel Virtual Machine (KVM)/QEMU as the hypervisor, focusing on QEMU, the hypervisor’s user-space component on the host.

“VMScape can leak the memory of the QEMU process at a rate of 32 B/s on AMD Zen 4. We use VMScape to find the location of secret data and leak it, all within 1092 s, extracting the cryptographic key used for disk encryption/decryption as an example,” the researchers note.

While branch target buffer (BTB) entries lack the necessary isolation on AMD Zen CPUs and older Intel CPUs, Intel has implemented eIBRS to isolate the BTB contents between the host and guest. However, gaps in this mitigation could render recent Intel CPUs vulnerable to virtualization Branch History Injection (vBHI) primitives.

The academics explain that the VMScape attack only affects virtualized environments, and that systems that do not run untrusted code in local VMs are not exploitable. However, they warn that existing cloud infrastructure likely contains vulnerable hardware.

Mitigations against the attack involve the use of an Indirect Branch Prediction Barrier (IBPB), the academics say. An IBPB, they note, is necessary on each VMexit before entering the hypervisor in user space.

The researchers responsibly disclosed their findings in June 2025, and patches against VMScape, tracked as CVE-2025-40300 (CVSS score of 6.5), have been rolled out for major Linux distributions. Simply updating to the latest releases should address the issue.
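For operators who want to confirm that a KVM host actually carries the fix, the following check is an added example (not code from the researchers or SecurityWeek). It assumes that patched Linux kernels expose a `vmscape` entry under `/sys/devices/system/cpu/vulnerabilities` using the same "Mitigation: ... / Vulnerable / Not affected" convention as the other entries there, and it combines that reading with whether the host exposes `/dev/kvm`, since the researchers note that systems not running untrusted VMs are not exploitable.

```python
"""Classify a Linux host's VMScape mitigation state from sysfs.

Added example; the 'vmscape' file name and the exact mitigation strings are
assumptions based on patched kernels, not values taken from the article.
"""
from pathlib import Path

VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample contents mirroring the convention of the other
# vulnerability entries in that directory (trailing newline included).
SAMPLE_ENTRIES = {
    "patched":    "Mitigation: IBPB before exit to userspace\n",
    "unpatched":  "Vulnerable\n",
    "nonvirt":    "Not affected\n",
    "old_kernel": None,  # file absent: kernel predates the CVE-2025-40300 fix
}


def classify_vmscape(raw):
    """Map raw sysfs text (or None when the file is missing) to
    (status, detail); status is 'mitigated', 'vulnerable', 'not_affected'
    or 'unknown'."""
    if raw is None:
        # No entry means the kernel does not know about the bug, so it is
        # not issuing the IBPB on VMexit that the researchers recommend.
        return ("unknown", "no vmscape entry; kernel predates the fix")
    text = raw.strip()
    lower = text.lower()
    if lower.startswith("not affected"):
        return ("not_affected", text)
    if lower.startswith("mitigation:"):
        # Only an IBPB-based mitigation matches the recommended fix; any
        # other mitigation string is surfaced for manual review.
        return ("mitigated" if "ibpb" in lower else "unknown", text)
    if lower.startswith("vulnerable"):
        return ("vulnerable", text)
    return ("unknown", text)


def assess_exposure(raw, kvm_present):
    """Combine the sysfs verdict with whether the host can run KVM guests."""
    status, _ = classify_vmscape(raw)
    if status == "not_affected":
        return "none"
    if status == "mitigated" or not kvm_present:
        return "low"           # fixed, or no guests to launch the attack from
    return "high" if status == "vulnerable" else "review"


def read_live():
    """Read the live sysfs entry and KVM availability on this host."""
    path = VULN_DIR / "vmscape"
    raw = path.read_text() if path.exists() else None
    return raw, Path("/dev/kvm").exists()


if __name__ == "__main__":
    raw, kvm = read_live()
    print("vmscape:", classify_vmscape(raw), "exposure:", assess_exposure(raw, kvm))
```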

“For VMware, Hyper-V, or other non-KVM hypervisors, we trust that AMD and Intel have responsibly disclosed the vulnerabilities and that proper mitigations have been implemented by the respective vendors,” the researchers noted.

Related: New SLAP and FLOP CPU Attacks Expose Data From Apple Computers, Phones

Related: In Other News: Microsoft Finds AMD CPU Flaws, ZuRu macOS Malware Evolves, DoNot APT Targets Govs

Related: Controversial Windows Recall AI Search Tool Returns With Proof-of-Presence Encryption, Data Isolation

Related: Chipmaker Patch Tuesday: Intel, AMD, Arm Respond to New CPU Attacks

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.