
DDR5 memory remains susceptible to Rowhammer vulnerabilities, as demonstrated by the Phoenix root privilege escalation attack

DDR5 memory undergoes a fresh assault, underscoring the inadequacy of existing countermeasures against Rowhammer-type attacks.

DDR5 memory remains susceptible to Rowhammer vulnerabilities, as demonstrated by the Phoenix root privilege escalation attack, which conclusively shows that Rowhammer continues to wreak havoc on DDR5 security.


Scientists from ETH Zürich's Computer Security Group (COMSEC) and Google have disclosed a proof-of-concept attack on DDR5 RAM called Phoenix. The attack, tracked as CVE-2025-6202, has raised concerns about the security of DDR5 memory and underlined the need for the PRAC (Per-Row Activation Counting) standard.

Phoenix is an evolution of existing Rowhammer-style attacks, which repeatedly "hammer" a set of RAM locations with reads in a specific pattern to force at least one bit to flip via electromagnetic interference. The team replicated scenarios with a 100% success rate in manipulating Page Table Entries (PTEs), granting access to forbidden locations in memory. They also achieved a 73% chance of extracting SSH login keys from a virtual machine on the same server and a 33% probability of getting root access by manipulating the in-memory binary of the sudo utility.

The PRAC standard, first announced for a future DDR5 revision, is designed to help mitigate Rowhammer attacks. It keeps an accurate count of sequential accesses to a memory row and alerts the host system if a limit is exceeded. Google, in a blog post, highlighted that DDR5's TRR (Target Row Refresh) and ECC/ODECC (Error Correction Code and On-Die Error Correction Code) are not deterministic and can't fully resolve the problem.
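A simplified model of the per-row counting described above, added here as an illustration; it is not code from the article, the researchers or the JEDEC specification. The bank size, the limit of 128, the access trace and the host's response to an alert (refresh both neighbouring rows and clear the counter) are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROWS  64     /* constructed bank size for this model */
#define LIMIT 128u   /* hypothetical per-row activation limit */

struct bank {
    uint32_t acts[ROWS];     /* PRAC counter: activations since last alert */
    uint32_t disturb[ROWS];  /* neighbour activations since row was refreshed */
    uint32_t alerts, worst;  /* alerts raised; highest disturb[] ever seen */
};

static void refresh_row(struct bank *b, int r) {
    if (r >= 0 && r < ROWS) b->disturb[r] = 0;
}

static void disturb_row(struct bank *b, int r) {
    if (r >= 0 && r < ROWS && ++b->disturb[r] > b->worst) b->worst = b->disturb[r];
}

/* One row activation; with prac set, the counter check runs on every one. */
static void activate(struct bank *b, int row, int prac) {
    refresh_row(b, row);            /* opening a row restores its own cells */
    disturb_row(b, row - 1);
    disturb_row(b, row + 1);
    if (prac && ++b->acts[row] >= LIMIT) {
        b->alerts++;                /* assumed host response: refresh both */
        refresh_row(b, row - 1);    /* neighbours, then clear the counter  */
        refresh_row(b, row + 1);
        b->acts[row] = 0;
    }
}

/* Replay n activations cycling over rows[]; returns the final bank state. */
struct bank replay(const int *rows, int nrows, uint32_t n, int prac) {
    struct bank b;
    memset(&b, 0, sizeof b);
    for (uint32_t i = 0; i < n; i++)
        activate(&b, rows[i % nrows], prac);
    return b;
}

int main(void) {
    const int pair[] = {10, 12};    /* constructed trace around row 11 */
    struct bank off = replay(pair, 2, 100000, 0), on = replay(pair, 2, 100000, 1);
    printf("worst: %u uncounted, %u counted, %u alerts\n", off.worst, on.worst, on.alerts);
    return 0;
}
```

In this model, with counting enabled no row absorbs more than 2 × LIMIT − 1 neighbour activations before it is refreshed, whatever the access order; without it, the figure grows with the length of the trace.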

The attack was only tested on an AMD Zen 4 platform against 15 SK hynix DDR5 DIMMs from 2021-2024. Google, in collaboration with JEDEC, the consortium that defines memory standards, is leading an effort for better RAM security. The findings were disclosed on June 6 to SK hynix, CPU vendors, and the major cloud platforms, and will be published at the IEEE Security & Privacy 2026 conference.

Interestingly, the upcoming LPDDR6 standard is integrating PRAC from the start. However, there's no bulletproof mitigation for this issue yet. An impending BIOS update for AMD client systems is expected to address this problem. Tripling the row refresh rate in the machine's UEFI, which brings the refresh interval (tREFI) down to around 1.3 μs, makes the attacks unlikely to succeed, but this comes at a steep cost: an 8.4% performance hit according to a benchmark with the SPEC CPU2017 suite.

The need for such a standard is clear, as Phoenix bypasses DDR5's preventive measures against Rowhammer-style attacks and neither ECC nor ODECC is of help. The PRAC standard, if implemented effectively, could potentially put an end to Rowhammer attacks.

For those concerned about the security of their DDR5 RAM, it's recommended to keep an eye on updates from manufacturers and security researchers. The proof-of-concept software for Phoenix can be downloaded from COMSEC's Phoenix GitHub repository.
