Security researchers have revealed a newly discovered hardware vulnerability in AMD processors that weakens the protections offered by Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP), a technology widely used to secure confidential virtual machines in cloud environments.
The flaw, named StackWarp, was disclosed by a team of academics from the CISPA Helmholtz Center for Information Security in Germany. It affects AMD Zen 1 through Zen 5 architectures and enables a privileged host attacker to execute malicious code inside protected virtual machines, breaking key integrity guarantees.
How StackWarp Works
SEV-SNP is designed to isolate virtual machines by encrypting memory and preventing hypervisors from tampering with guest workloads. However, researchers found that StackWarp bypasses these protections by exploiting a microarchitectural optimization known as the “stack engine,” which accelerates stack-related CPU operations.
By abusing an undocumented hypervisor-level control bit, a malicious host can corrupt the stack pointer of a confidential virtual machine. This manipulation allows attackers to redirect execution flow or alter sensitive data without accessing plaintext memory directly.
According to the researchers, this flaw enables remote code execution and privilege escalation inside confidential VMs, even though the memory contents remain encrypted.
Severity and Impact
AMD has assigned the vulnerability the identifier CVE-2025-29943 and rated it as medium severity with a CVSS v4 score of 4.6. The company classified the issue as an improper access control flaw that could allow administrators with sufficient privileges to influence CPU pipeline behavior, resulting in stack corruption inside SEV-SNP guests.
The vulnerability impacts several AMD enterprise and embedded processor families, including:
- EPYC 7003 Series
- EPYC 8004 Series
- EPYC 9004 and 9005 Series
- EPYC Embedded 7003, 8004, 9004, and 9005 Series
Real-World Exploitation Risks
Researchers demonstrated that StackWarp can be leveraged to extract sensitive cryptographic material from protected environments. In one scenario, the flaw was used to recover an RSA-2048 private key from a single faulty signature, effectively bypassing authentication safeguards such as OpenSSH password prompts and sudo protections.
The attack can also achieve kernel-level code execution within a virtual machine, posing a serious risk to cloud platforms that rely on SEV-SNP to protect tenant workloads from compromised or malicious hosts.
Mitigations and Patches
AMD has released microcode updates addressing the issue in July and October 2025. Additional AGESA firmware updates for EPYC Embedded 8004 and 9004 processors are scheduled for release in April 2026.
Security experts recommend that operators of SEV-SNP-enabled systems immediately apply available firmware updates. As an interim mitigation, environments with high integrity requirements should consider disabling simultaneous multithreading (SMT), as the attack relies on a parallel hyperthread to manipulate the victim VM.
Part of a Broader Pattern
StackWarp builds on earlier research from CISPA, including the CacheWarp attack disclosed in 2023, which similarly demonstrated how subtle hardware behaviors can undermine virtualization security. Both findings highlight ongoing challenges in defending against microarchitectural attacks, even in environments designed with strong isolation guarantees.
Looking Ahead
The discovery of StackWarp underscores the evolving nature of hardware-level threats and the importance of timely firmware updates in cloud and enterprise environments. As confidential computing adoption increases, researchers warn that continued scrutiny of CPU internals will be critical to maintaining trust in virtualization-based security models.
