Phoenix Rowhammer Variant Bypasses DDR5 Protections, Grants Root in Under Two Minutes

Researchers at ETH Zurich and Google have developed a new Rowhammer variant, Phoenix, that defeats the in-DRAM protections of recent SK Hynix DDR5 modules and escalates a local user to root on a vulnerable system in under two minutes.
Rowhammer, first demonstrated by researchers at Carnegie Mellon University in 2014, exploits the physical layout of DRAM. Each DRAM cell stores a bit as charge on a tiny capacitor; that charge leaks, so every row has to be refreshed periodically. Repeatedly and rapidly activating a set of rows (“hammering”) disturbs the cells in physically adjacent rows and accelerates their leakage, so a cell can lose its value before its next refresh, flipping the bit from 1 to 0 or from 0 to 1.
How DDR5 defends — and how Phoenix defeats it
One common defense is Target Row Refresh (TRR): the DRAM device watches for rows that are activated unusually often and issues extra refreshes to their neighbors before the disturbance reaches a flip. After reverse-engineering Hynix’s TRR and the other DDR5 protections, researchers from Google and the COMSEC group at ETH Zurich found that the mechanism does not sample activations in every refresh interval, leaving intervals in which hammering goes unobserved. Those blind spots can be exploited.
Phoenix stays synchronized with the DRAM refresh commands across thousands of refresh intervals, detecting and compensating for refreshes it has missed, and places its activations in the intervals TRR does not observe. Two patterns, one repeating every 128 refresh intervals and one every 2608, were enough to evade the mitigation and still induce bit flips.

Demonstrated impact and experiments
In lab tests the team produced bit flips on all 15 DDR5 DIMMs in their pool and built practical exploits for privilege escalation:
- Local root shell: on a standard DDR5 system with default settings, the researchers obtained a root shell in 109 seconds.
- Page table entry (PTE) targeting: flipping bits in page table entries to construct an arbitrary read/write primitive worked on all 15 DIMMs.
- RSA-2048 key targeting (VM): corrupting the RSA-2048 keys of a virtual machine to break its SSH authentication worked on 73% of the DIMMs.
- sudo binary tampering: flipping a bit in the sudo binary to escalate a local user to root worked on 33% of the DIMMs.
Across both patterns, the shorter one (128 refresh intervals) produced more flips on average.
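The PTE exploit in the list above relies on a well-known property of page table entries, illustrated here by an added example written for this article; it is not Phoenix’s exploit code, whose details the page does not give. It uses the x86-64 4 KiB PTE layout and the classic page-table-spray approach from Seaborn and Dullien’s 2015 Rowhammer work; the sample PTE value and the frame range assumed to hold the attacker’s page tables are constructed.

```c
/*
 * Added example: what a single bit flip does to an x86-64 page-table entry
 * (PTE) for a 4 KiB page, and when it yields the arbitrary read/write
 * primitive of the classic page-table-spray Rowhammer exploit. Not Phoenix's
 * exploit code; the sample PTE and frame range below are constructed.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PTE_PRESENT  (1ULL << 0)
#define PTE_RW       (1ULL << 1)
#define PTE_USER     (1ULL << 2)
#define PTE_NX       (1ULL << 63)
#define PTE_PFN_MASK 0x000FFFFFFFFFF000ULL  /* bits 12..51: physical frame number */

enum flip_effect {
    FLIP_PERMISSION,  /* present / writable / user / no-execute bit changed */
    FLIP_REMAP,       /* a PFN bit changed: the page now maps a different physical frame */
    FLIP_OTHER        /* accessed, dirty, caching bits: ignored in this model */
};

static uint64_t pte_make(uint64_t pfn, uint64_t flags) {
    return ((pfn << 12) & PTE_PFN_MASK) | flags;
}

static uint64_t pte_pfn(uint64_t pte) {
    return (pte & PTE_PFN_MASK) >> 12;
}

/* Flip `bit` of `pte` into *out and say what kind of change that is. */
static enum flip_effect classify_flip(uint64_t pte, int bit, uint64_t *out) {
    *out = pte ^ (1ULL << bit);
    if (bit == 0 || bit == 1 || bit == 2 || bit == 63) return FLIP_PERMISSION;
    if ((1ULL << bit) & PTE_PFN_MASK) return FLIP_REMAP;
    return FLIP_OTHER;
}

/*
 * Page-table spray: the attacker maps one file many times so that most of
 * physical memory, here frames [spray_lo, spray_hi], holds its own page
 * tables. If a PFN bit of one of those PTEs flips, the mapping now points at
 * another page table that the attacker can read and write from user space,
 * and rewriting PTEs there maps any physical frame it likes.
 */
static bool flip_gives_rw(uint64_t pte, int bit, uint64_t spray_lo, uint64_t spray_hi) {
    uint64_t flipped;
    if (classify_flip(pte, bit, &flipped) != FLIP_REMAP) return false;
    /* the mapping must still be present, writable and user-accessible */
    if ((flipped & (PTE_PRESENT | PTE_RW | PTE_USER)) != (PTE_PRESENT | PTE_RW | PTE_USER))
        return false;
    uint64_t pfn = pte_pfn(flipped);
    return pfn >= spray_lo && pfn <= spray_hi;
}

/* Mask of PTE bits whose flip (in either direction) would land the mapping
 * inside the sprayed frame range; returns how many such bits there are. */
static int usable_flip_bits(uint64_t pte, uint64_t spray_lo, uint64_t spray_hi, uint64_t *mask) {
    int n = 0;
    *mask = 0;
    for (int bit = 12; bit < 52; bit++) {
        if (flip_gives_rw(pte, bit, spray_lo, spray_hi)) { *mask |= 1ULL << bit; n++; }
    }
    return n;
}

int main(void) {
    /* constructed: attacker's mapping of frame 0x12345, page tables sprayed over frames 0x12000..0x12fff */
    uint64_t pte = pte_make(0x12345, PTE_PRESENT | PTE_RW | PTE_USER | PTE_NX);
    uint64_t mask;
    int n = usable_flip_bits(pte, 0x12000, 0x12fff, &mask);
    printf("PTE %016llx: %d PFN bits usable, mask %016llx\n",
           (unsigned long long)pte, n, (unsigned long long)mask);
    return 0;
}
```

The point of the exercise is that the attacker does not need a flip at a chosen bit: any flippable bit inside the PFN field whose new value still falls inside the sprayed range is enough, which is why the technique first profiles which bits of which rows flip and only then arranges the page tables around them; the 12 low PFN bits in the constructed case all qualify because the spray covers a 4096-frame aligned block.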
Scope, disclosure, and mitigation
The issue has been assigned CVE-2025-6202. According to the authors, Phoenix affects DDR5 DIMMs manufactured between January 2021 and December 2024. While the paper focused on Hynix parts (which the report notes hold about 36% of the market), the attack techniques could threaten modules from other vendors as well.
Rowhammer is fundamentally a hardware problem and cannot be fully fixed in modules that have already shipped. The researchers note one mitigation: tripling the DRAM refresh rate, that is, cutting the refresh interval (tREFI) to a third, so that rows are refreshed before hammering can accumulate enough disturbance to flip a bit. The extra refreshes cost memory bandwidth and power, and the setting can only be applied where the platform firmware exposes it.
The team published an extensive write-up and supporting artifacts on GitHub, including FPGA experiments used to reverse-engineer TRR behavior and proof-of-concept exploit code.