Edward Kiledjian's Threat Intel

New VMScape attack breaks guest-host isolation on AMD, Intel CPUs www.bleepingcomputer.com/news/secu…

A new Spectre-like attack dubbed VMScape [CVE-2025-40300] allows a malicious VM to leak cryptographic keys from an unmodified QEMU hypervisor process running on modern AMD or Intel CPUs. The attack breaks the isolation between VMs and the cloud hypervisor, bypassing existing Spectre mitigations and threatening to leak sensitive data by leveraging speculative execution. The researchers highlight that VMScape does not require compromising the host and works on unmodified virtualization software with default mitigations enabled on the hardware.

VMScape was developed by a team of researchers at ETH Zurich, a public university in Switzerland, who found that it affects all AMD processors from Zen 1 to Zen 5, as well as Intel's "Coffee Lake" CPUs. The newer "Raptor Cove" and "Gracemont" cores are not impacted.

Linux kernel developers released patches that mitigate VMScape by adding an IBPB (Indirect Branch Prediction Barrier) on VMEXIT, effectively flushing the BPU (branch prediction unit) when switching from guest to host. The researchers say that this mitigation has minimal performance impact in common workloads.
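As an added example (not from the post, the researchers, or the kernel patches themselves), a small POSIX shell check that reads the kernel's self-reported status for VMScape alongside two related Spectre-family entries. It assumes the kernel exposes a `vmscape` entry under `/sys/devices/system/cpu/vulnerabilities` using the same `Not affected` / `Mitigation:` / `Vulnerable` wording as the other entries; that entry name and the `VULN_DIR` override are assumptions.

```shell
#!/bin/sh
# Added example: report the kernel's self-assessed mitigation status for
# VMScape and two related Spectre-family entries. The sysfs layout and the
# "vmscape" entry name are assumptions, not taken from the post above.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status "<sysfs line>" -> prints ok | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo ok ;;
        "Vulnerable"*)                   echo vulnerable ;;
        *)                               echo unknown ;;
    esac
}

# check_vuln_dir <dir>: print one line per entry; return 1 if any entry is
# reported Vulnerable, 0 otherwise. A missing entry means the running kernel
# predates the check for that issue, so it is reported but not treated as a fail.
check_vuln_dir() {
    dir="$1"; rc=0
    for f in "$dir"/vmscape "$dir"/spectre_v2 "$dir"/retbleed; do
        name=$(basename "$f")
        if [ ! -r "$f" ]; then
            printf '%-12s %s\n' "$name" "(no entry: kernel predates this check)"
            continue
        fi
        status=$(cat "$f")
        verdict=$(classify_status "$status")
        printf '%-12s %-10s %s\n' "$name" "$verdict" "$status"
        [ "$verdict" = vulnerable ] && rc=1
    done
    return $rc
}

# When run directly: print the report and record a non-zero code if anything
# is reported Vulnerable (wrapped in "if" so it is safe under "set -e").
if check_vuln_dir "$VULN_DIR"; then exit_code=0; else exit_code=1; fi
```

Run it on each hypervisor host after patching; a `vmscape` line reading `Mitigation:` is what you want to see, and a missing entry means the kernel is too old to know about the issue at all.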

Virtualization is the backbone of cloud computing, and if one guest machine can read memory from the host, it threatens multi-tenant cloud security. However, it is essential to emphasize that attacks like VMScape require advanced knowledge, deep technical expertise, and sustained execution time. Because of this, such attacks, even if possible, do not represent a threat to the larger user base.