Researchers from ETH Zurich presented VMSCAPE, a Spectre-class attack that threatens virtualization infrastructure. It allows a malicious virtual machine to extract cryptographic keys from an unmodified QEMU hypervisor process on modern AMD and Intel processors.
The main concern is that the attack breaches the isolation between guest and host even with the standard Spectre mitigations in place. In theory, an attacker could rent a virtual machine from a cloud provider and use it to leak secrets from the hypervisor or from neighboring guests.
The vulnerability has been assigned CVE-2025-40300 and affects all AMD Zen generations, from the first to the fifth, as well as Intel Coffee Lake processors. Newer Intel cores such as Raptor Cove and Gracemont are not affected. The root cause is incomplete isolation of the branch prediction units across the guest/host boundary: a guest user can influence branch prediction in the hypervisor through structures such as the Branch Target Buffer (BTB), the Indirect Branch Predictor (IBP) and the Branch History Buffer (BHB).
The researchers showed that they could steer branch prediction in QEMU so that it speculatively executes a chosen gadget, and then read the leaked data through a Flush+Reload cache side channel. On AMD Zen 4, by combining an ASLR bypass, a branch-collision search and careful virtual-address selection, they achieved a leakage rate of 32 bytes per second with 98.7% accuracy, enough to extract a substantial secret such as a disk encryption key in a matter of minutes.
The vulnerability poses a serious risk for cloud services, since virtualization is the foundation of multi-tenant environments. The attack does, however, demand considerable technical expertise, a stable environment and time, which limits the risk to ordinary users.
The issue was reported to AMD and Intel on June 7, 2025. AMD published a security bulletin, and the Linux kernel now includes a mitigation: it issues an Indirect Branch Prediction Barrier (IBPB) on the transition from guest to host, which flushes the predictor state at a minimal performance cost under normal workloads.
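A host-side check for the mitigation described above, added here as an example and not taken from the paper or from any vendor tool. It assumes the Linux sysfs layout `/sys/devices/system/cpu/vulnerabilities/<name>`, where each file holds one status line ("Not affected", "Vulnerable" or "Mitigation: ..."), and treats a missing `vmscape` entry as unknown, since a kernel that predates the fix exposes no such file; the sample status lines are constructed.

```python
"""Audit the kernel's self-reported Spectre-class mitigation status, including VMSCAPE.

Hypothetical helper. Assumes the sysfs path below and one status line per file.
"""
import os

VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"  # assumed Linux sysfs location


def classify_status(text):
    """Map one sysfs status line to (state, detail).

    state is one of "not_affected", "mitigated", "vulnerable" or "unknown".
    """
    line = text.strip()
    if line.startswith("Not affected"):
        return ("not_affected", line)
    if line.startswith("Mitigation:"):
        return ("mitigated", line[len("Mitigation:"):].strip())
    if line.startswith("Vulnerable"):
        return ("vulnerable", line)
    return ("unknown", line)


def audit(entries, required=("vmscape",)):
    """entries: {name: status_line}. Returns {name: (state, detail)}.

    A required entry that is absent is reported as ("unknown", "<absent>"):
    an old kernel without the VMSCAPE patch does not expose the file at all.
    """
    report = {name: classify_status(text) for name, text in entries.items()}
    for name in required:
        report.setdefault(name, ("unknown", "<absent>"))
    return report


def needs_attention(report):
    """Names whose state is vulnerable or unknown, sorted for stable output."""
    return sorted(n for n, (state, _) in report.items() if state in ("vulnerable", "unknown"))


def read_sysfs(path=VULN_DIR):
    """Read every status file under the vulnerabilities directory."""
    entries = {}
    for name in os.listdir(path):
        with open(os.path.join(path, name)) as f:
            entries[name] = f.read()
    return entries


# Constructed sample resembling a patched host (not captured from a real machine).
SAMPLE = {
    "spectre_v2": "Mitigation: Enhanced / Automatic IBRS; IBPB: conditional",
    "vmscape": "Mitigation: IBPB before exit to userspace",
}

if __name__ == "__main__":
    source = read_sysfs() if os.path.isdir(VULN_DIR) else SAMPLE
    for name, (state, detail) in sorted(audit(source).items()):
        print(f"{name:<28} {state:<13} {detail}")
```

Run it as root or any user on the host; the `vmscape` line should read as mitigated on a patched kernel, and `needs_attention` lists anything still vulnerable or not reported.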