StackWarp: AMD SEV-SNP Vulnerability Exposes Cloud VM Secrets via Single Bit Flip
#Vulnerabilities

StackWarp: AMD SEV-SNP Vulnerability Exposes Cloud VM Secrets via Single Bit Flip

Hardware Reporter
6 min read

A newly disclosed vulnerability dubbed StackWarp (CVE-2025-29943) allows attackers to break AMD's Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) isolation by flipping a single undocumented bit in the CPU's stack engine, potentially exposing cryptographic keys and sensitive data in confidential virtual machines.

The Vulnerability: Stack Engine Exploitation

Security researchers from the CISPA Helmholtz Center for Information Security in Germany have uncovered a critical vulnerability in AMD's Zen microarchitecture that undermines the security guarantees of AMD SEV-SNP, the company's flagship confidential computing technology. Dubbed StackWarp (CVE-2025-29943), the flaw exploits the CPU's stack engine—a microarchitectural feature designed to accelerate stack operations—to break the isolation between virtual machines and their hypervisors.

The attack targets a specific control bit (bit 19) in an undocumented core-scoped model-specific register (MSR) at address 0xC0011029. By flipping this single bit, an attacker running on a sibling hyperthread can manipulate the stack pointer position inside a protected VM, effectively breaking the integrity guarantees that SEV-SNP is designed to provide.

Featured image

How Stack Engine Acceleration Creates a Vulnerability

Modern CPUs implement a stack engine in the frontend to track stack pointer changes (delta) without requiring constant synchronization with the CPU backend. This optimization allows common stack operations like function calls and returns to complete efficiently by maintaining a running delta of stack pointer modifications.

The researchers discovered that by disabling the stack engine while stack operations are in flight, the accumulated delta becomes "frozen"—stores commit to memory, but the architectural stack-pointer update is withheld. This creates a window where an attacker can corrupt the synchronized sibling thread's control flow with instruction-level precision.

In their paper "StackWarp: Breaking AMD SEV-SNP Integrity via Deterministic Stack-Pointer Manipulation through the CPU's Stack Engine", the researchers detail how this mechanism allows:

  1. Recovery of cryptographic private keys - By manipulating stack operations during cryptographic computations
  2. Bypass of OpenSSH password authentication - Through stack corruption in authentication routines
  3. Privilege escalation - By modifying kernel stack data structures
  4. Ring 0 code execution - Achieved by corrupting kernel control flow

Attack Scenario and Requirements

StackWarp requires specific conditions to be exploitable:

  • AMD SEV-SNP enabled - The vulnerability affects AMD's Secure Encrypted Virtualization-Secure Nested Paging, the successor to SEV and SEV-ES
  • Simultaneous Multithreading (SMT) enabled - The attack leverages shared resources between logical sibling cores
  • Malicious host control - An attacker must have control over the host server and be able to run a hyperthread in parallel with the target VM

This makes the vulnerability particularly concerning for cloud providers offering confidential virtual machines (CVMs) on AMD hardware. AMD SEV-SNP, like Intel TDX, is designed to provide "robust hardware-based isolation between virtual machines, hypervisor, and host management code"—a promise that StackWarp demonstrates can be broken with a single bit flip.

AMD's Response and Patch Timeline

AMD was notified of the vulnerability and released patches in July 2025. The company has now published a security bulletin designating the issue as "low severity," a classification that has drawn criticism from security researchers given the potential impact on confidential computing deployments.

The fix requires both:

  1. CPU microcode updates from AMD
  2. Firmware updates from OEMs - System manufacturers must integrate and distribute the updated microcode

Cloud providers and data center operators running AMD SEV-SNP workloads should verify that their systems have received the necessary updates. The researchers have published proof-of-concept exploit code on GitHub, demonstrating the practical feasibility of the attack.

Broader Implications for Confidential Computing

StackWarp represents another challenge to the security model of confidential computing. While hardware-based isolation technologies like SEV-SNP and Intel TDX promise to protect VMs from malicious hypervisors and other tenants, microarchitectural vulnerabilities continue to undermine these guarantees.

The vulnerability highlights several critical considerations:

SMT as a Persistent Attack Vector

The researchers conclude that "keeping SMT enabled today undermines SEV-SNP's integrity goals." This echoes longstanding concerns about Simultaneous Multithreading as an attack surface. Many security-conscious deployments already disable SMT entirely, but this comes with performance penalties.

Microarchitectural Complexity vs. Security

Features like stack engines, branch predictors, and cache hierarchies are designed for performance, not security. As CPUs become more complex, the attack surface for side-channel and microarchitectural attacks expands.

The Challenge of Complete Isolation

True isolation between VMs and hypervisors remains elusive when both share the same physical hardware. Even with encryption and memory protection, microarchitectural state can leak information or be manipulated.

Practical Recommendations for System Administrators

For Cloud Providers

  1. Apply AMD's microcode updates immediately - Coordinate with OEMs to ensure firmware updates are deployed
  2. Consider SMT disabling for confidential VMs - Evaluate the performance impact vs. security benefit
  3. Monitor for additional CVEs - StackWarp may be part of a broader class of stack engine vulnerabilities

For On-Premises Deployments

  1. Check your BIOS/UEFI firmware - Ensure you're running the latest version from your system vendor
  2. Verify microcode updates - Linux users can check /proc/cpuinfo for microcode versions
  3. Assess SEV-SNP usage - If you're using AMD's confidential computing features, prioritize patching

For Security Researchers

The published paper provides detailed technical analysis of the stack engine mechanism and the attack methodology. The GitHub repository includes proof-of-concept code that demonstrates the vulnerability.

The State of AMD SEV-SNP Security

StackWarp joins a growing list of vulnerabilities affecting AMD's confidential computing stack. Previous research has identified issues in SEV and SEV-ES, including:

  • SEV-ES memory encryption bypasses through cache timing attacks
  • SEV guest memory disclosure via side channels
  • Hypervisor-to-guest information leaks in early SEV implementations

Each vulnerability has prompted AMD to improve its security architecture, but the cat-and-mouse game continues. SEV-SNP introduced significant improvements over earlier versions, including:

  • Reverse map tables to prevent hypervisor memory manipulation
  • Integrity protection for VM memory pages
  • Attestation mechanisms for verifying VM integrity

However, StackWarp demonstrates that microarchitectural optimizations can still undermine these protections.

Looking Ahead: The Future of Hardware Security

The discovery of StackWarp raises important questions about the future of hardware-based security:

Performance vs. Security Trade-offs

The stack engine exists to improve performance. Removing or disabling such features impacts computational efficiency. As security requirements increase, hardware designers face difficult choices about which optimizations to preserve.

The Need for Formal Verification

Microarchitectural features are complex and difficult to verify formally. The undocumented nature of the MSR at the heart of StackWarp suggests that even AMD's engineers may not have fully understood the security implications of this control bit.

Transparency in Hardware Design

The vulnerability underscores the need for greater transparency in CPU microarchitecture. While trade secrets are important, the security community needs visibility into hardware mechanisms to properly assess risks.

Conclusion

StackWarp serves as a reminder that hardware security is an ongoing process, not a solved problem. While AMD's patches address this specific vulnerability, the underlying challenge of ensuring complete isolation on shared hardware remains.

For organizations relying on AMD SEV-SNP for confidential computing, immediate patching is essential. The vulnerability's classification as "low severity" by AMD may reflect the specific attack conditions required, but the potential impact on cryptographic keys and authentication systems warrants urgent attention.

As confidential computing continues to gain adoption in cloud and enterprise environments, vulnerabilities like StackWarp highlight the importance of defense-in-depth strategies, including:

  • Regular security updates for both software and firmware
  • Monitoring for anomalous behavior in confidential VMs
  • Complementary security controls beyond hardware isolation
  • Continuous security research into microarchitectural vulnerabilities

The researchers' work demonstrates that even hardware-level security guarantees can be broken with sufficient ingenuity—and sometimes, as with StackWarp, with just a single bit flip.

References and Further Reading:

#Vulnerabilities#AMD#Confidential Computing#Microarchitecture#Cloud Security

Comments

Loading comments...
Back to Home