AMD EPYC SEV Security Bypass Enables Kernel-Level VM Compromise


Several AMD EPYC processor families have been found vulnerable to a new hardware-level attack that undermines protections designed for confidential virtual machines. The affected chips include both standard and embedded variants across the EPYC 7003, 8004, 9004, and 9005 series.

The issue targets Secure Encrypted Virtualization (SEV), a security feature meant to protect virtual machine memory from the hypervisor itself. While SEV encrypts VM memory to prevent direct inspection, new research shows attackers do not need to read memory contents to break isolation.

Researchers from CISPA discovered that a low-level processor optimization known as the stack engine can be abused. This component accelerates stack-related operations inside the CPU. By manipulating a previously undocumented hypervisor control bit, an attacker running on a parallel hyperthread can interfere with how a protected VM manages its stack pointer.

This manipulation allows attackers to alter program execution or tamper with sensitive data inside the encrypted virtual machine. The attack technique, named StackWarp, makes it possible to extract secrets from SEV-protected environments running on AMD-based cloud infrastructure.

In practical terms, the researchers demonstrated that StackWarp can recover an RSA-2048 private key using a single faulty cryptographic signature. With that key, an attacker could bypass authentication mechanisms in tools such as OpenSSH, defeat sudo password prompts, and ultimately gain kernel-level code execution within the virtual machine.

AMD has already issued microcode updates to address the vulnerability, releasing fixes in July and October 2025. Additional AGESA firmware updates for EPYC Embedded 8004 and 9004 processors are planned for April 2026.

This discovery builds on earlier CISPA research into another SEV-related weakness known as CacheWarp (CVE-2023-20592). That earlier attack also exploited hardware design behavior to hijack control flow and escalate privileges inside encrypted virtual machines. Both CacheWarp and StackWarp fall into the category of architectural attacks, highlighting how subtle CPU behaviors can weaken system-level security guarantees.

Security experts advise organizations running SEV-SNP workloads to take immediate action. Systems should be checked for enabled hyperthreading (SMT), which may need to be temporarily disabled for highly sensitive workloads. Applying all available microcode and firmware updates is strongly recommended.
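
The host-side check recommended above can be scripted on a Linux virtualization host. This is an added example, not code from AMD or the CISPA researchers; it reads the kernel's standard sysfs SMT files and /proc/cpuinfo, and the function names and the optional root-prefix argument (used only so the logic can be exercised against a constructed directory tree) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report SMT (hyperthreading) state and loaded microcode revision.
# $1 is an optional root prefix (hypothetical convenience for testing); empty on a real host.

# Print the kernel SMT control state: on, off, forceoff, notsupported,
# notimplemented, or "unknown" when the sysfs file is absent.
smt_control() {
    f="${1:-}/sys/devices/system/cpu/smt/control"
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# Return 0 if sibling threads are online, 1 if not, 2 if the state is unknown.
smt_active() {
    f="${1:-}/sys/devices/system/cpu/smt/active"
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" = "1" ]
}

# Print each distinct vendor/family/model/microcode tuple from /proc/cpuinfo.
# Mixed revisions across cores show up as more than one output line.
cpu_microcode() {
    f="${1:-}/proc/cpuinfo"
    [ -r "$f" ] || { echo unknown; return 0; }
    awk -F'[ \t]*: ' '
        $1 == "vendor_id"  { v = $2 }
        $1 == "cpu family" { fam = $2 }
        $1 == "model"      { m = $2 }
        $1 == "microcode"  { print v, "family=" fam, "model=" m, "microcode=" $2 }
    ' "$f" | sort -u
}

# Summarise for a SEV-SNP host review; exit status 1 means SMT is still active.
smt_review() {
    root="${1:-}"
    echo "smt control: $(smt_control "$root")"
    cpu_microcode "$root"
    rc=0; smt_active "$root" || rc=$?
    case $rc in
        0) echo "SMT ACTIVE: sibling hyperthreads are online"; return 1 ;;
        1) echo "SMT inactive"; return 0 ;;
        *) echo "SMT state unknown (no sysfs smt/active)"; return 0 ;;
    esac
}

# Run against the local host; never aborts the script on an "active" result.
smt_review "${SYSROOT:-}" || true
```

The reported microcode revision has to be compared by hand against the fixed revision listed in AMD's advisory for the specific processor model, since this page does not give those values. On Linux, SMT can be turned off until the next reboot by writing `off` to the same `smt/control` file as root, or persistently with the `nosmt` kernel parameter.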

StackWarp serves as another reminder that even advanced hardware-based isolation mechanisms can be compromised through microarchitectural side effects, reinforcing the need for layered defenses and continuous hardware security evaluation.