New VMScape attack breaks guest-host isolation on AMD, Intel CPUs
What’s new: Researchers have disclosed a new attack named VMScape that breaks guest-host isolation on AMD and Intel CPUs, allowing a malicious virtual machine to leak cryptographic keys from an unmodified QEMU hypervisor process. The attack bypasses existing Spectre mitigations and affects all AMD processors from Zen 1 to Zen 5 as well as Intel’s Coffee Lake CPUs. The researchers, from ETH Zurich, reported the issue to AMD and Intel on June 7, 2023, and it has been assigned CVE-2025-40300.
Who’s affected
All AMD processors from Zen 1 to Zen 5 and Intel Coffee Lake CPUs are affected. The newer Raptor Cove and Gracemont architectures are not impacted. The attack poses a risk to multi-tenant cloud environments where guest machines can potentially read memory from the host.
What to do
- Apply the latest patches released by Linux kernel developers that mitigate VMScape by adding an Indirect Branch Prediction Barrier (IBPB) on VMEXIT.
- Review security bulletins from AMD regarding CVE-2025-40300 for further guidance.
- Monitor for updates from your virtualization software provider to ensure you are using the most secure configurations.
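
To confirm that a patched kernel is actually running on a KVM host, the mitigation status can be read back from the kernel. The following is an added example, not part of the original article or the kernel project's tooling; it assumes the upstream Linux convention of reporting the status in /sys/devices/system/cpu/vulnerabilities/vmscape, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report whether the running Linux host kernel mitigates VMScape
# (CVE-2025-40300). Run it on the hypervisor host, not inside a guest.
# Assumption: kernels carrying the fix expose the status in this sysfs file.
VMSCAPE_SYSFS="${VMSCAPE_SYSFS:-/sys/devices/system/cpu/vulnerabilities/vmscape}"

# Map a kernel status string to: mitigated | vulnerable | not-affected | unknown
classify_vmscape() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# Read the status file. A missing file means the kernel does not know about
# VMScape at all, i.e. it predates the fix and still needs updating.
vmscape_status() {
    file="${1:-$VMSCAPE_SYSFS}"
    if [ ! -r "$file" ]; then
        echo "unpatched-kernel"
        return 0
    fi
    # Tolerate a file without a trailing newline (read returns non-zero then)
    IFS= read -r line < "$file" || true
    classify_vmscape "$line"
}

# Monitoring-friendly wrapper: returns 0 when no action is needed, 1 otherwise
vmscape_check() {
    state=$(vmscape_status "$1")
    echo "vmscape: $state"
    case "$state" in
        mitigated|not-affected) return 0 ;;
        *) return 1 ;;
    esac
}

# Run the check only when asked, so the file can also be sourced
if [ "${1:-}" = "--check" ]; then
    vmscape_check
fi
```

Run the script with `--check` on each virtualization host after rebooting into the updated kernel; a non-zero exit status means the host is still exposed or the kernel is too old to report on VMScape.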