A team of researchers at the Swiss Federal Institute of Technology in Zurich (ETH Zurich) has published a research paper demonstrating how a Spectre v2 attack can be used for a sandbox escape in a virtualized environment. With access to only a single isolated virtual machine, the researchers were able to steal valuable data normally accessible only to the server administrator. Servers based on AMD CPUs (including AMD’s newest – with Zen 5 architecture) or Intel’s Coffee Lake are susceptible to the attack.
The danger of Spectre attacks for virtual environments
We regularly write about CPU vulnerabilities that employ speculative execution, where standard hardware features are exploited to steal secrets. Our previous posts on this subject describe the general principles of these attacks in detail.
Although this type of vulnerability was first discovered back in 2018, up until this paper researchers haven’t demonstrated a single realistic attack. All their efforts have culminated in the notion that, theoretically, a sophisticated and targeted Spectre-like attack is feasible. Furthermore, in most of these papers, the researchers restricted themselves to the most basic attack scenario: they’d take a computer, install malware on it, and then use the CPU hardware vulnerability to steal secrets. The drawback of this approach is that if an attacker successfully installs malware on a PC, they can steal data using numerous other, significantly simpler methods. Because of this, Spectre and similar attacks are unlikely to ever pose a threat to end-user devices. However, when it comes to cloud environments, one shouldn’t dismiss Spectre.
Imagine a provider that rents virtual servers to organizations or individuals. Each client is assigned their own virtual machine, which allows them to run any software they want. Other clients’ virtual systems can be running on the same server. Separating data-access privileges is crucial in this situation. You must prevent an attacker who has gained access to one virtual machine from reading the confidential data of an adjacent client, or compromising the provider’s infrastructure by gaining access to the host’s data. It is precisely in this scenario that Spectre attacks start appearing as a significantly more perilous threat.
VMScape: a practical look at a Spectre v2 attack
In previous research papers on the feasibility of the Spectre attack, researchers didn’t delve into a realistic attack scenario. For an academic paper, this is normal. A theoretical proof of concept for a data leak is typically enough to get CPU makers and software developers to beef up their defenses and develop countermeasures.
The authors of the new paper from ETH Zurich directly address this gap, pointing out that previously examined scenarios for attacks on virtualized environments – such as those in another paper, also by ETH Zurich – made an extremely broad assumption: that the attackers had already managed to install malware on the host. Just like with attacks on regular desktop computers, this doesn’t make much practical sense. If the server is already compromised, the damage is already done.
The new attack proposed in their paper – dubbed VMScape – uses the same branch target injection mechanism as the one found in all attacks since Spectre v2. We’ve talked about it several times before, but here’s a quick summary.
Branch target injection is a way to train a CPU’s branch prediction system, which speeds up programs by using speculative execution. This means the CPU tries to run the next set of commands before it even knows the results of the previous computations. If it guesses the right direction (branch) the software will take, the performance significantly increases. If it guesses wrong, the results are simply discarded.
Branch target injection is an attack during which an attacker can trick the CPU into accessing secret data and moving it into the cache during speculative execution. The attacker then retrieves this data indirectly through a side channel.
The researchers discovered that the privilege separation between the host and guest operating systems during speculative execution is imperfect. This allows for a new version of the branch target injection attack, which they’ve named “Virtualization-based Spectre-BTI” or vBTI.
As a result, the researchers were able to read arbitrary data from the host’s memory while only having access to a virtual machine with default settings. The data reading speed was 32 bytes per second on an AMD Zen 4 CPU, with nearly 100% reliability. That’s fast enough to steal things like data encryption keys, which opens a direct path to stealing information from adjacent virtual machines.
Is VMScape a threat in the real world?
AMD CPUs with Zen architecture from the first through the latest fifth generation have proved vulnerable to this attack. This is because of the subtle differences in how these CPUs implement Spectre attack protections, as well as the unique way the authors’ vBTI primitives operate. For Intel CPUs, this attack is only possible on servers with older Coffee Lake CPUs from 2017. Newer Intel architectures have improved protections that make the current version of the VMScape attack impossible.
The researchers’ achievement was designing the first-ever Spectre v2 attack in a virtual environment that’s close to real-world conditions. It doesn’t rely on overly permissive assumptions or crutches like malicious hypervisor-level software. The VMScape attack is effective; it bypasses many standard security measures, including KASLR, and successfully steals a valuable secret: an encryption key.
Fortunately, immediately after designing the attack, the researchers also proposed a fix. The issue was assigned the vulnerability identifier CVE-2025-40300, and it was patched in the Linux kernel. This particular patch doesn’t significantly reduce computational performance, which is often a concern with software-based protections against Spectre attacks.
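For operators who want to confirm that their hypervisor hosts actually run a kernel with this fix, here is an added example (not taken from the paper or the original post). It reads the vmscape entry that patched Linux kernels expose under /sys/devices/system/cpu/vulnerabilities and classifies the host. The one-directory-per-host layout used by audit_hosts and the --check switch are assumptions of this example.

```shell
#!/bin/sh
# Classify a KVM host's VMScape (CVE-2025-40300) status from the kernel's
# vulnerability report. The optional directory argument is an assumption of
# this example, so the check can also run on a copy taken from another host.
vmscape_status() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    file="$dir/vmscape"
    if [ ! -d "$dir" ]; then
        echo "unknown: $dir not present"
        return 3
    fi
    # Kernels that predate the fix have no vmscape entry at all, so a missing
    # file means "not patched", not "not affected".
    if [ ! -r "$file" ]; then
        echo "unpatched-kernel: no vmscape entry reported"
        return 2
    fi
    status=$(cat "$file")
    case "$status" in
        "Not affected"*) echo "not-affected: $status"; return 0 ;;
        Mitigation:*)    echo "mitigated: $status";    return 0 ;;
        Vulnerable*)     echo "vulnerable: $status";   return 1 ;;
        *)               echo "unknown: $status";      return 3 ;;
    esac
}

# Audit copies of that directory collected from several hosts, laid out as
# <root>/<hostname>/vmscape (hypothetical layout). Prints one line per host
# and returns the number of hosts that are not confirmed safe.
audit_hosts() {
    root="$1"
    bad=0
    for hostdir in "$root"/*/; do
        [ -d "$hostdir" ] || continue
        host=$(basename "$hostdir")
        if line=$(vmscape_status "$hostdir"); then :; else bad=$((bad + 1)); fi
        printf '%s\t%s\n' "$host" "$line"
    done
    return "$bad"
}

# Stand-alone use on the local host: sh vmscape_check.sh --check [dir]
if [ "${1:-}" = "--check" ]; then
    vmscape_status "${2:-}"
fi
```

A host that reports "Vulnerable" on a patched kernel usually has the mitigation switched off on the kernel command line, which is worth checking before anything else.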
Methods for protecting confidential data in virtual environments have existed for a while. AMD has a technology named “Secure Encrypted Virtualization” and its subtype, SEV-SNP, while Intel has Trust Domain Extensions (TDX). These technologies encrypt secrets, making it pointless to try to steal them directly. The researchers confirmed that SEV provides additional protection against the VMScape attack on AMD CPUs. In other words, a real-world VMScape attack against modern servers is unlikely. However, with each new study, Spectre attacks look more and more realistic.
Despite the academic nature of the research, attacks that exploit speculative execution in modern CPUs remain relevant. Operators of virtualized environments should continue to consider these vulnerabilities and potential attacks in their threat models.