
Researchers at the German information security center CISPA Helmholtz have discovered a vulnerability in AMD processors that allows data to be extracted from secure virtual environments. The issue affects a specific guarantee of AMD SEV-SNP, which is designed to isolate a virtual machine from the hypervisor.
The vulnerability, dubbed StackWarp, allows an attacker with access to the host server to obtain sensitive data from AMD SEV-SNP guest systems. During their experiments, the researchers were able to obtain a private RSA-2048 key, bypass OpenSSH and sudo password authentication, and obtain kernel-level code execution.
AMD was notified of the vulnerability (CVE-2025-29943), released patches in July 2025, and has now published a security bulletin classifying the issue as low severity.
The attack exploits the stack engine in AMD Zen processors. A stack is a memory structure that computers use to manage function calls, local variables, and return addresses. The position of the top of the stack is tracked by a special register called the stack pointer.
To speed up stack operations, AMD and Intel processors implement a stack engine in the processor's front end, which tracks changes to the stack pointer. Researchers discovered that a single bit, bit 19 in the undocumented MSR register 0xC0011029, could disrupt synchronization between logical cores and corrupt data in an adjacent thread.
"The vulnerability can be exploited through a previously undocumented control bit on the hypervisor side," explained CISPA researcher Ruyi Zhang. "An attacker running a hyperthread in parallel with an electrical signal could use this to manipulate the position of the stack pointer within a protected VM."
The attack is possible when SMT (Simultaneous Multithreading), which allows a processor core to execute multiple threads simultaneously, is enabled. As AMD itself notes, SMT distributes core resources between two threads, making it a common target for external attacks.
AMD's SEV-SNP technology, like Intel's TDX, is used by cloud providers to host sensitive virtual machines, guaranteeing robust hardware isolation between the VM, hypervisor, and host control code. StackWarp demonstrates that this promise can be broken by a single bit flip.
The researchers described their findings in a paper to be published at the USENIX Security 2026 conference. The exploit code is already available on GitHub.
"These results demonstrate that enabling SMT today undermines the purpose of SEV-SNP: a neighboring core can alter the control and data flow of a guest system through a shared frontend switch using an instruction," the researchers conclude.
Administrators are advised to install available updates from AMD.
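Because the attack depends on SMT being enabled, a host operator may also want to confirm whether sibling hardware threads are actually online. The following is an added example, not code from the researchers or AMD: it assumes a Linux host with the standard sysfs CPU topology files, and the function names and state labels are this example's own.

```python
# Added example: audit a Linux host for the SMT precondition described above.
# Paths are standard Linux sysfs; function names and labels are illustrative.
import glob

SMT_CONTROL = "/sys/devices/system/cpu/smt/control"
SIBLINGS_GLOB = "/sys/devices/system/cpu/cpu[0-9]*/topology/thread_siblings_list"

def parse_cpu_list(text):
    """Expand a sysfs CPU list such as '0,64' or '2-3' into sorted ints."""
    cpus = set()
    for part in text.strip().split(","):
        if part:
            lo, _, hi = part.partition("-")
            cpus.update(range(int(lo), int(hi or lo) + 1))
    return sorted(cpus)

def shared_cores(sibling_lists):
    """Return each physical core with more than one online hardware thread."""
    groups = {tuple(parse_cpu_list(t)) for t in sibling_lists}
    return sorted(g for g in groups if len(g) > 1)

def assess(control, sibling_lists):
    """Classify the host from the smt/control value and per-CPU sibling lists."""
    shared = shared_cores(sibling_lists)
    if shared:
        return "exposed", shared         # sibling threads are online right now
    if control.strip() == "on":
        return "on-no-siblings", shared  # SMT enabled, siblings offlined by hand
    return "smt-off", shared             # off, forceoff, notsupported, ...

def read_host():
    """Read the live values from sysfs (Linux only)."""
    with open(SMT_CONTROL) as f:
        control = f.read()
    lists = []
    for path in glob.glob(SIBLINGS_GLOB):
        with open(path) as f:
            lists.append(f.read())
    return control, lists

if __name__ == "__main__":
    try:
        state, shared = assess(*read_host())
    except OSError as exc:
        raise SystemExit(f"cannot read sysfs: {exc}")
    print(state)
    for group in shared:
        print("core shared by logical CPUs:", ",".join(map(str, group)))
```

A result of `on-no-siblings` means the kernel would still allow sibling threads to be brought back online, so it should not be treated as equivalent to SMT being disabled.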