A team of academics from ETH Zurich and Google has discovered a new variant of the Rowhammer attack that targets double data rate 5 (DDR5) memory chips from the South Korean semiconductor maker SK Hynix.
The Rowhammer variant, codenamed Phoenix (CVE-2025-6202, CVSS score: 7.1), is able to bypass the sophisticated security mechanisms put in place to counter the attack.
“We have proved that it is possible to trigger Rowhammer bit flips on DDR5 devices from SK Hynix,” ETH Zurich said. “We also proved that the on-die ECC does not stop Rowhammer, and that end-to-end Rowhammer attacks are still possible with DDR5.”
Rowhammer refers to a hardware vulnerability in which repeated access to a row of memory in a DRAM chip can trigger bit flips in adjacent rows, resulting in data corruption. This can then be weaponized by bad actors to gain unauthorized access to data, escalate privileges, or even cause a denial of service.
Although it was first demonstrated in 2014, newer DRAM chips are more likely to be susceptible to Rowhammer attacks because DRAM manufacturers rely on density scaling to increase DRAM capacity.
A study published by ETH Zurich researchers in 2020 found that “newer DRAM chips are more vulnerable to Rowhammer: as device feature size shrinks, the number of activations required to induce a Rowhammer bit flip also decreases.”
Further research on the subject has shown that the vulnerability has several dimensions and is sensitive to many variables, including environmental conditions (temperature and voltage), process variation, stored data patterns, memory access patterns, and memory controller policies.
https://www.youtube.com/watch?v=1mxvq6_Qg
Some primary mitigations for Rowhammer attacks include error correction code (ECC) and target row refresh (TRR). However, these countermeasures have proved to be ineffective against more sophisticated attacks such as TRRespass, SMASH, Half-Double and Blacksmith.
The latest findings from ETH Zurich and Google show that it is possible to bypass the advanced TRR defenses on DDR5 memory, opening the door to what the researchers describe as “the first Rowhammer privilege escalation exploit on DDR5 memory.”
In other words, the end result is a privilege escalation exploit that obtains root on a DDR5 system in 109 seconds with default settings. In particular, the attack takes advantage of the fact that the mitigation does not sample some refresh intervals, which makes it possible to flip bits on all 15 DDR5 memory chips in the test pool, produced between 2021 and 2024.
Possible exploitation scenarios involving these bit flips include targeting the RSA-2048 key of a co-located virtual machine to break SSH authentication, as well as abusing the sudo binary to escalate local privileges to root.
“As DRAM devices cannot be updated in the wild, they will remain insecure for many years,” the researchers said. “We recommend increasing the refresh rate to 3x, which stopped Phoenix from triggering bit flips on our test systems.”
The disclosure came after research teams from George Mason University and the Georgia Institute of Technology detailed two separate Rowhammer attacks, called OneFlip and ECC.fail respectively.
While OneFlip uses a single bit flip to change a deep neural network (DNN) model weight and trigger unexpected behavior, ECC.fail is described as the first end-to-end Rowhammer attack on servers equipped with ECC memory.
“Unlike their PC counterparts, servers provide additional protection against memory data corruption (e.g., Rowhammer or cosmic ray bit flips) using error-correcting codes (ECC),” the researchers said. “These can detect bit flips in memory, and even potentially correct them. ECC.fail bypasses these protections by carefully inducing Rowhammer bit flips at specific memory locations.”
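The two passages above on ECC (the mitigation list and the ECC.fail description) rest on one property of error-correcting codes: they are sized for a small number of random flips per word, so they correct one, flag two, and can be fooled by three or more. The following is an added illustration written for this article, not code from any of the research teams or from the article itself. It models memory ECC as a textbook SECDED Hamming code over a 4-bit nibble (an assumption: real on-die and server ECC use larger words and different codes, but the correct/detect/miscorrect boundary is the same) and shows what a decoder reports as the number of flipped bits grows.

```python
"""SECDED (single-error-correct, double-error-detect) Hamming code on a
4-bit nibble, as a simplified model of memory ECC (assumption: real DRAM ECC
uses larger words, but the failure boundary shown here is the same).

Codeword layout (8 bits, index = bit position in the int):
  bit 0      overall even-parity bit
  bits 1,2,4 Hamming parity bits
  bits 3,5,6,7 data bits (nibble LSB first)
"""
from typing import List, Optional, Tuple

DATA_POS = (3, 5, 6, 7)
PARITY_POS = (1, 2, 4)


def _to_bits(word: int) -> List[int]:
    return [(word >> i) & 1 for i in range(8)]


def _from_bits(bits: List[int]) -> int:
    return sum(b << i for i, b in enumerate(bits))


def _extract(bits: List[int]) -> int:
    return sum(bits[pos] << k for k, pos in enumerate(DATA_POS))


def encode(nibble: int) -> int:
    """Return the 8-bit SECDED codeword for a 4-bit value."""
    assert 0 <= nibble < 16
    bits = [0] * 8
    for k, pos in enumerate(DATA_POS):
        bits[pos] = (nibble >> k) & 1
    # Each Hamming parity bit covers the positions whose index has that bit set.
    for p in PARITY_POS:
        bits[p] = sum(bits[i] for i in range(1, 8) if i & p and i != p) & 1
    bits[0] = sum(bits[1:]) & 1  # overall parity makes the total weight even
    return _from_bits(bits)


def decode(word: int) -> Tuple[str, Optional[int]]:
    """Decode a codeword. Returns (status, data) where status is one of
    'ok', 'corrected' (single flip repaired) or 'uncorrectable' (double flip).
    Three or more flips are NOT distinguishable from a single flip: the
    decoder 'corrects' to the wrong nibble and reports success."""
    bits = _to_bits(word)
    syndrome = 0
    for p in PARITY_POS:
        if sum(bits[i] for i in range(1, 8) if i & p) & 1:
            syndrome |= p
    overall_odd = sum(bits) & 1
    if syndrome == 0 and not overall_odd:
        return "ok", _extract(bits)
    if overall_odd:
        # Odd number of flips: assume exactly one and repair the position the
        # syndrome points at (syndrome 0 means the overall parity bit itself).
        bits[syndrome] ^= 1
        return "corrected", _extract(bits)
    # Even, non-zero syndrome: two flips, detected but not correctable.
    return "uncorrectable", None


def flip_bits(word: int, positions: List[int]) -> int:
    """Constructed fault injection: flip the given bit positions."""
    for p in positions:
        word ^= 1 << p
    return word


def demo(nibble: int = 0b1011) -> dict:
    """Run the same codeword through 1, 2 and 3 flips and report the outcome."""
    cw = encode(nibble)
    return {
        "clean": decode(cw),
        "one_flip": decode(flip_bits(cw, [5])),
        "two_flips": decode(flip_bits(cw, [5, 6])),
        "three_flips": decode(flip_bits(cw, [3, 5, 6])),  # silent miscorrection
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:12s} -> {result}")
```

The three-flip case is the one that matters for the article: the decoder returns "corrected" together with a nibble that differs from the stored value, and nothing is logged. That is why ECC is a reliability feature rather than a Rowhammer defense, and why the researchers quoted above recommend a higher refresh rate rather than relying on ECC alone.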