A new cybersecurity threat named VMScape has emerged, echoing the notorious Spectre attack by breaking down the critical walls that separate virtual machines (VMs) from their hosts. This vulnerability allows a malicious actor operating from within a guest virtual machine to extract sensitive information, like cryptographic keys, from the underlying hypervisor—the software that manages the VMs—without any need for it to be compromised.

This attack poses a significant risk to cloud infrastructure, where multiple customer VMs run on a single physical server. Crucially, VMScape bypasses existing Spectre mitigations and works on modern AMD and Intel CPUs with default hardware protections enabled, meaning an attacker could theoretically rent a VM from a cloud provider and use it to steal secrets from the host or neighboring tenants.

How the VMScape Attack Works

Modern processors rely on speculative execution to maximize performance. To prevent leaks from this process, CPUs implement isolation for Branch Prediction Units (BPUs) between guests and hosts. However, researchers from ETH Zurich in Switzerland discovered this isolation is incomplete.

The attack exploits shared BPU structures—specifically the Branch Target Buffer (BTB) and Branch History Buffer (BHB). A guest VM can influence the host’s branch prediction, tricking it into speculatively executing unintended code paths. The attack specifically targets QEMU, a widely used hypervisor component. Because QEMU maps guest memory into its own address space, it opens the door for a classic FLUSH+RELOAD cache side-channel attack.

The researchers used a Spectre-BTI (Branch Target Injection) technique to misdirect a branch in QEMU, forcing it to speculatively run a “disclosure gadget” that leaks secret data. To extend the window for this speculative execution, the attacker evicts specific cache entries from within the guest VM.

Bypassing Security Protections

A key hurdle for any such attack is defeating Address Space Layout Randomization (ASLR), a security feature that randomizes memory addresses. VMScape overcomes ASLR by probing for branch collisions to locate its target gadget and then brute-forcing the address of the reload buffer. This demonstrates a sophisticated understanding of low-level CPU behavior.

The researchers demonstrated that VMScape can successfully leak arbitrary data from QEMU at a rate of 32 bytes per second with remarkable 98.7% accuracy. At this speed, a 4KB disk encryption key could be exfiltrated in approximately 128 seconds. The entire end-to-end exploit, including bypassing ASLR, takes just under 13 minutes.

Impact and Mitigation on Cloud Security

Virtualization is the absolute foundation of modern cloud computing. The ability of one guest VM to read host memory directly challenges the core security promise of multi-tenant cloud environments. This vulnerability affects a wide range of AMD processors (from Zen 1 to Zen 5) and Intel’s “Coffee Lake” CPUs, though newer Intel architectures like “Raptor Cove” are not impacted.

It is vital to contextualize this threat. Executing a VMScape attack requires immense technical expertise, advanced knowledge, and a sustained execution window. Therefore, it does not pose an immediate risk to the average user and is more of a concern for high-value targeted attacks rather than widespread exploitation.

Cloud providers and hardware manufacturers are undoubtedly analyzing this research to develop new firmware and software mitigations. This discovery highlights the ongoing cat-and-mouse game between cybersecurity researchers and hardware vulnerabilities, underscoring the need for continuous vigilance in cloud security design.