A newly disclosed Spectre Branch Target Injection (BTI) exploit, dubbed VMScape, demonstrates that modern AMD Zen and Intel Coffee Lake processors remain vulnerable to guest-to-host speculative execution attacks despite recent hardware mitigations.
Unlike previous Spectre-BTI techniques that required modifications to the hypervisor's code, VMScape works against unmodified QEMU-based Kernel-based Virtual Machine (KVM) deployments, enabling an attacker-controlled guest VM to leak arbitrary host memory at a sustained rate of 32 bytes per speculation window.
VMScape relies on a novel virtualization-based BTI (vBTI) primitive, written vBTI GU→HU, that arises from incomplete branch predictor isolation between the guest user (GU) and host user (HU) domains.
Through careful reverse engineering of branch prediction units on AMD Zen 1–5 and Intel Coffee Lake microarchitectures, researchers discovered that indirect branch predictions trained in a guest VM persist into the host user context, allowing malicious speculation into disclosure gadgets resident in QEMU’s userspace.
Because the guest's memory is mapped into QEMU's address space, the exploit can apply FLUSH+RELOAD side-channel techniques inside a high-precision speculative window, which is extended with targeted LLC eviction sets; the researchers report recovering a cryptographic disk-encryption key in under 20 minutes.
Spectre-BTI mitigations such as Enhanced Indirect Branch Restricted Speculation (eIBRS) on Intel and Automatic IBRS (AutoIBRS) on AMD reduce cross-privilege leakage but fail to distinguish between the four protection domains present in virtualized environments (guest user, guest kernel, host user and host kernel).
Even the latest privilege-tagging enhancements on Zen 5 still require AutoIBRS to prevent GU→HU interference, underscoring that single-bit privilege tags are insufficient to isolate host and guest branch predictor entries.
Mitigation strategies now center on issuing an Indirect Branch Prediction Barrier (IBPB) on every VMEXIT before returning to QEMU userspace.
Linux kernel maintainers have deployed an IBPB-before-exit-to-userspace patch that conditionally flushes branch predictor state only when necessary, reducing the UnixBench performance overhead from 57 percent under an unoptimized IBPB-on-VMEXIT approach to a negligible 1 percent in typical VM workloads.
Disk-I/O-intensive scenarios incur up to a 5 percent slowdown, a reasonable trade-off given the severity of VMScape's cross-boundary memory exfiltration.
VMScape is tracked as CVE-2025-40300 and has been responsibly disclosed to AMD and Intel PSIRTs under embargo until September 11, 2025.
Patches implementing IBPB-before-exit-to-userspace are available in Linux kernel 6.8 and later, and cloud providers are urged to deploy updated KVM/QEMU packages immediately.
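Operators who need to confirm that a host actually runs a kernel with the IBPB-before-exit-to-userspace mitigation can query the Linux sysfs vulnerability interface. The script below is an added example for this article, not code from the VMScape researchers or from the kernel project. It assumes (these details are not stated in the article) that patched kernels publish a `vmscape` entry under `/sys/devices/system/cpu/vulnerabilities` and that the mitigated state reads `Mitigation: IBPB before exit to userspace`; any other `Mitigation:` string is flagged for manual review rather than accepted.

```shell
#!/bin/sh
# Added example (not from the article, the researchers or the kernel project):
# report whether this Linux host exposes the VMScape mitigation via sysfs.
# Assumptions, not taken from the article:
#   - a patched kernel publishes a "vmscape" entry in the vulnerabilities dir
#   - its mitigated state reads "Mitigation: IBPB before exit to userspace"

# Directory can be overridden (e.g. to point at a constructed test fixture).
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status "<sysfs line>" -> prints one of:
#   mitigated | partial | vulnerable | unaffected | unknown
classify_status() {
    case "$1" in
        "Mitigation: IBPB before exit to userspace"*) echo mitigated ;;
        Mitigation:*)    echo partial ;;     # some other mitigation: review by hand
        Vulnerable*)     echo vulnerable ;;
        "Not affected"*) echo unaffected ;;
        *)               echo unknown ;;
    esac
}

# check_host -> prints the raw sysfs line and its classification.
# Returns 0 when mitigated or unaffected, 1 when vulnerable/partial/unknown,
# 2 when the entry is missing (kernel predates the patches, or not Linux).
check_host() {
    f="$VULN_DIR/vmscape"
    if [ ! -r "$f" ]; then
        echo "unknown: $f not present (kernel lacks the VMScape patches, or not Linux)"
        return 2
    fi
    status=$(cat "$f")
    verdict=$(classify_status "$status")
    echo "vmscape: $status -> $verdict"
    case "$verdict" in
        mitigated|unaffected) return 0 ;;
        *)                    return 1 ;;
    esac
}

# Live check against the running host; written as an if-statement so the
# script is safe to run under "set -e" and to source from other tooling.
if check_host; then
    echo "host OK"
else
    echo "host needs attention"
fi
```

Run it as root or any user with read access to sysfs; a non-zero exit from `check_host` is the signal to schedule the KVM/QEMU and kernel update. Because distributions backport mitigations, the sysfs entry is a more reliable indicator than comparing the kernel version string against the 6.8 figure given above.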
This disclosure reaffirms that speculative execution attack surfaces persist in virtualization stacks and that isolation of branch predictor state must be strengthened at finer granularities than privilege level alone.