Researchers from ETH Zürich and Google have revealed a new RowHammer attack called Phoenix, which is able to defeat the protections built into DDR5 memory modules. The team demonstrated that Phoenix could reliably trigger bit flips and escalate privileges on real DDR5 hardware, completing one exploit in as little as 109 seconds. This finding proves that even the latest memory technology, previously thought to be resistant to RowHammer, is still vulnerable to carefully designed attacks.
RowHammer has been a known issue in computer memory for nearly a decade. It works by repeatedly accessing specific memory rows, which causes electrical interference in nearby rows and flips stored bits. These seemingly small changes can lead to serious consequences, such as corrupting operating system page tables, altering cryptographic keys, or enabling attackers to gain root privileges. DDR5 was introduced with stronger defenses, giving many the impression that RowHammer was a solved problem. However, Phoenix shows that the issue is far from gone.
The main defense in DDR5 is Target Row Refresh (TRR). TRR attempts to detect aggressive memory access patterns and automatically refreshes neighboring rows to prevent bit flips. Yet the researchers found that TRR is more complex than expected, with behavior that spans multiple refresh intervals. By carefully studying these patterns, the team was able to craft new hammering techniques that avoid detection and still cause memory corruption.
To make the attack practical, Phoenix uses two innovations. First, it introduces hammering sequences tailored specifically to bypass the observed TRR protections. Second, it relies on a method called self-correcting synchronization, which keeps the attack aligned with the memory’s refresh cycles over thousands of operations. Without this synchronization, the attack would quickly lose its effect. With it, Phoenix was able to consistently produce bit flips on DDR5 modules that were previously thought secure.
The researchers did not stop at theoretical testing. They applied Phoenix to real-world targets on commodity systems. Demonstrations included corrupting page table entries, tampering with RSA keys, and even modifying the sudo binary. In one striking result, the team achieved a full privilege escalation in just 109 seconds, proving that Phoenix is not only reliable but also fast enough to be practical in real attack scenarios.
Their tests across different DDR5 modules confirmed that Phoenix works on more than just a single device. While not every DDR5 module may react in the same way, the results show that TRR implementations are not universally effective. This means DDR5 cannot yet be considered immune to RowHammer, and different modules may carry different levels of risk depending on how their protections are designed.
The impact of this discovery is significant. Many system designers, data center operators, and security professionals assumed DDR5 had largely solved RowHammer-related problems. Phoenix challenges that assumption and demonstrates that attackers can still exploit memory hardware directly, without needing a software vulnerability. In environments where reliability and security are critical, such as cloud platforms, the potential damage from these attacks could be severe.
The research also explored possible defenses. Increasing the memory refresh rate was found to be an effective countermeasure against Phoenix. In fact, tripling the refresh rate blocked the attack on tested devices. However, this came with a heavy price: around 8.4% performance loss in benchmarks like SPEC2017. For large-scale systems where performance and efficiency are vital, this is not a practical solution. Firmware updates, operating system protections, or changes in future DRAM designs may be required to fully address the threat.
Phoenix is a reminder that hardware security must continue to evolve alongside technology. Even though DDR5 introduced new defenses, creative research has already found ways around them. The speed and reliability of Phoenix show that RowHammer remains a real-world danger. Manufacturers and system architects will need to respond quickly, as history has shown that attacks which start in academic research can later be adapted for malicious purposes.
In conclusion, Phoenix proves that DDR5 protections are not as strong as many believed. While not every DDR5 module is proven vulnerable, the fact that attacks can succeed so quickly makes the risk impossible to ignore. The responsibility now lies with hardware makers, cloud providers, and security experts to take these findings seriously and work on stronger safeguards before such techniques are exploited outside the lab.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news