New Rowhammer Attack Threatens DDR5 Memory
Introduction: Rowhammer vulnerability resurfaces against DDR5
The unsettling reality of hardware security is that no generation of memory is immune to clever exploitation. The latest research from Google’s Project Zero together with the systems-security group at ETH Zurich shows a new Rowhammer vulnerability that undermines some DDR5 modules. What was sold as a more secure era of DRAM—featuring on-die ECC, Targeted Row Refresh (TRR) and other countermeasures—has proven less bulletproof in particular platform and module pairings. For cloud providers, hardware vendors and security teams, this discovery is a timely reminder that layered defenses must be validated across the entire system stack.
What the researchers found
The teams identified a mode of exploitation specific to combinations of certain AMD platforms and SK Hynix DDR5 modules. In these configurations, the interaction between the CPU’s memory controller behavior and the memory modules’ internal refresh and mitigation logic can create timing and refresh characteristics that fail to trigger protective measures or allow them to be bypassed. The practical consequence: carefully timed native or low-level code can induce bit flips in rows adjacent to the targeted memory accesses, potentially enabling privilege escalation, corruption of data, or cross-tenant leakage in multi-tenant environments such as public clouds.
Rowhammer is a known class of attack
Rowhammer itself is not new. Since 2014, researchers have shown that repeatedly accessing—or “hammering”—specific DRAM rows can cause electromagnetic or charge disturbances that flip bits in neighboring rows. Those bit flips have been exploited to break security boundaries, compromise integrity, and escalate privileges. DDR5 brought several mitigations and was marketed as a generation that would largely close this chapter; the new findings demonstrate that mitigations distributed across chips and controllers can still be undermined when coordination fails.
Technical root causes
The technical challenge is that DDR5’s defensive features depend on correct interaction between the memory die, the module firmware, the memory controller, and platform firmware. On-die ECC can correct some errors, but its effectiveness depends on how and when errors occur. TRR and similar mitigations rely on detecting suspicious access patterns and issuing targeted refreshes. If vendor-specific timing characteristics or refresh implementations differ, detection can lag or misfire, leaving transient windows where a Rowhammer-style attack can succeed. The current advisory points to those coordination failures as the enabler of exploitable bit flips on affected AMD/SK Hynix pairings.
Who needs to care — and what they should do
– Cloud providers and data-center operators: Prioritize inventory and triage. Identify systems using the implicated AMD platforms with SK Hynix DDR5 modules. Expect vendor advisories and staged mitigation updates—microcode, platform firmware, or memory module firmwares may be required. Large fleets need careful testing to avoid regressions and performance impacts. Consider isolating high-risk workloads or restricting untrusted native code until patches are applied.
– Enterprise and government stakeholders: This incident highlights the need for procurement and cybersecurity policies that consider hardware-level risk, patchability, and supplier transparency. Regulators and procurement officers should incorporate requirements for coordinated disclosure and verifiable mitigation plans into contracts for critical infrastructure.
– Desktop and laptop users: Casual users are less likely to be targeted because an attacker typically needs native code execution. Nonetheless, users should apply firmware and OS updates as vendors release them and heed vendor advisories.
– Security teams and defenders: Adopt multi-layer defenses: limit untrusted native code execution, enable any available ECC or parity options, and deploy system-level protections that hinder precise memory-access patterns. Update risk models for multi-tenant systems and environments that execute third-party code.
Industry response and coordination
Google Project Zero and ETH Zurich followed responsible-disclosure norms, notifying AMD and SK Hynix and coordinating a public advisory while vendors investigate fixes. AMD and SK Hynix have acknowledged the reports and are working on potential microcode or firmware updates. Typical vendor workflows include reproducing the issue, developing mitigations, and rolling out patches—steps that can take time when hardware-level behavior is implicated. Operators should track vendor advisories and apply mitigations promptly once validated.
Broader implications: supply chains and system-level security
This incident underscores that security is often a system property, not merely a product attribute. The vulnerability emerged from an interaction between a CPU vendor and a memory manufacturer, illustrating how third-party component behaviors can combine to create unforeseen risks. It raises critical questions about disclosure timelines, testing rigor for integrated systems, and the speed at which the industry can coordinate fixes for hardware-level issues.
The long arc of Rowhammer defenses
History shows that Rowhammer-style problems have been mitigated repeatedly but rarely eliminated instantly. Each memory generation brings improvements, but new interactions and timing quirks continue to surface. Effective defense requires vigilance, transparent vendor communication, thorough end-to-end validation of mitigation mechanisms, and the ability to deploy low-level fixes without destabilizing production fleets.
Conclusion: stay alert to Rowhammer vulnerability risks
The new Rowhammer vulnerability against DDR5 is a clear reminder that hardware security progresses incrementally. Organizations should inventory affected hardware, prioritize mitigations, and maintain layered defenses that do not assume a single silver-bullet fix. As researchers and vendors continue to investigate and patch, the security community must treat such discoveries as opportunities to strengthen trust in the layers beneath our software and to improve coordination across the hardware supply chain.




