New VMScape attack breaks guest-host isolation on AMD, Intel CPUs


What’s new

A new attack named VMScape has been discovered, which allows a malicious virtual machine (VM) to leak cryptographic keys from an unmodified QEMU hypervisor on modern AMD and Intel CPUs. This attack breaks guest-host isolation and bypasses existing Spectre mitigations, posing a risk to sensitive data in cloud environments. It affects all AMD processors from Zen 1 to Zen 5 and Intel’s “Coffee Lake” CPUs, while newer “Raptor Cove” and “Gracemont” CPUs are not impacted. The attack exploits shared Branch Prediction Units (BPU) to leak data at a rate of 32 bytes/second.

Who’s affected

Organizations using AMD processors (Zen 1 to Zen 5) and Intel processors (Coffee Lake) in virtualized environments are at risk. The vulnerability has been assigned CVE-2025-40300.

What to do

  • Apply the latest patches released by Linux kernel developers that mitigate VMScape by implementing an Indirect Branch Prediction Barrier (IBPB) on VMEXIT.
  • Review security bulletins from AMD and Intel for further guidance and updates.
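
To confirm that a virtualization host is actually running a patched kernel, the following added example (not taken from the advisory or from the kernel project) classifies the host's VMScape state. It assumes the patched Linux kernel reports its status in a `vmscape` entry under `/sys/devices/system/cpu/vulnerabilities/`, using the same "Not affected" / "Vulnerable" / "Mitigation: ..." prefixes as the other entries there; the function names and state labels are hypothetical.

```shell
#!/bin/sh
# Added example: classify a Linux KVM host's VMScape (CVE-2025-40300) state.
# Assumption: a patched kernel exposes a "vmscape" entry in the standard
# CPU vulnerabilities directory in sysfs.

vmscape_status() {
    # $1: vulnerabilities directory (overridable so the check can be tested offline)
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    file="$dir/vmscape"

    # No entry: the kernel does not know about VMScape, so it cannot be
    # applying the mitigation. Treat the host as unpatched.
    if [ ! -r "$file" ]; then
        echo "unpatched-kernel"
        return 0
    fi

    status=$(cat "$file")
    case "$status" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# One line per host for the audit record, with the raw kernel string included.
vmscape_report() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    state=$(vmscape_status "$dir")
    raw=$(cat "$dir/vmscape" 2>/dev/null || echo "n/a")
    printf '%s kernel=%s vmscape=%s (%s)\n' \
        "$(uname -n)" "$(uname -r)" "$state" "$raw"
}

vmscape_report
```

Hosts that report `unpatched-kernel` or `vulnerable` are the ones to prioritize for the kernel update.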

Sources