Hackers can flip bits in RAM to escalate privileges and take over systems

Even without access to the DDR5 memory cells that store critical data, attackers can manipulate the electrical charge in neighbouring cells, reliably cause bit flips, and corrupt that data or elevate their own privileges, new Google-backed research shows.
A circuit-level vulnerability in dynamic random access memory (DRAM), dubbed RowHammer, was first demonstrated in 2014. Repeatedly accessing one row of memory cells disturbs the cells in physically adjacent rows and can flip the bits stored there. Newer chips with smaller, more densely packed cells are even more susceptible, and the attack can be carried out from ordinary software, with no physical access to the machine.
Google and researchers from ETH Zurich, a Swiss university, have developed a working exploit that gains root on a desktop system with DDR5 memory.
“We successfully developed custom attack patterns capable of bypassing enhanced TRR (Target Row Refresh) defense on DDR5 memory,” Google said in a blog post.
“We were able to create a novel self-correcting refresh synchronization attack technique, which allowed us to perform the first-ever RowHammer privilege escalation exploit on a standard, production-grade desktop system equipped with DDR5 memory.”
The researchers have so far tested only a recent AMD Zen processor paired with SK Hynix DDR5 memory and are continuing to test other hardware configurations.
The code that triggers the bit flips on SK Hynix DDR5 memory, demonstrating the vulnerability (the researchers named the attack Phoenix), has been made publicly available on GitHub.
Google is supporting academic research to help the ecosystem deploy robust defenses.
“Our effort has led to the discovery of new attacks and a deeper understanding of Rowhammer on the current DRAM modules, helping to forge the way for further, stronger mitigations.”
How is DRAM flawed?
DRAM stores data in a grid of cells, each holding one bit as an electrical charge in a tiny capacitor. That charge leaks away over time, so the memory controller periodically refreshes every row to keep the stored values from being lost.
“If a cell discharges before the refresh cycle, its stored bit may corrupt. Initially considered a reliability issue, it has been leveraged by security researchers to demonstrate privilege escalation attacks,” Google explains.
How is this exploited? By repeatedly accessing ("hammering") one memory row, an attacker can reliably flip bits in the neighbouring rows. In the simplest case this just corrupts memory at random, crashing the system and causing a denial of service.
The researchers show, however, that an attacker can also aim the bit flips at security-sensitive data. By coaxing the operating system or another privileged component into placing its data in the physical memory the attacker is able to flip, the attacker can turn a single corrupted bit into privilege escalation.
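To make the hammer-and-scan loop concrete, here is an added C example. It is not code from the article, from Google or from the ETH Zurich researchers, and it is not the Phoenix attack: it is the classic single-sided hammering primitive (read two aggressor addresses, flush them from the cache so the next read hits DRAM again, repeat) together with the scan a test harness runs afterwards to count flipped bits. The buffer size and aggressor offsets are arbitrary assumptions; a real attack chooses aggressors that map to physically adjacent rows and hammers far longer, and on a TRR-protected DDR5 module this naive loop will not flip anything, which is exactly the defence the refresh-synchronised Phoenix patterns are built to get around.

```c
/* Added example: classic Rowhammer hammering primitive plus bit-flip scan.
 * Not the Phoenix attack and not the researchers' code; offsets are arbitrary. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>   /* _mm_clflush, _mm_mfence */
#endif

/* Evict a cache line so the next load is served from DRAM.  Hammering only
 * works if every access actually reaches the DRAM row; cache hits do nothing.
 * On non-x86 builds this is a no-op so the program still compiles and runs,
 * but then the loop below is no longer hammering anything. */
static inline void flush_line(volatile const uint8_t *p) {
#if defined(__x86_64__) || defined(__i386__)
    _mm_clflush((const void *)p);
    _mm_mfence();
#else
    (void)p;
#endif
}

/* Hammer two aggressor addresses for `iterations` rounds.  Returns the number
 * of DRAM reads issued so a caller can confirm the loop ran to completion. */
uint64_t hammer(volatile uint8_t *agg1, volatile uint8_t *agg2, uint64_t iterations) {
    uint64_t reads = 0;
    for (uint64_t i = 0; i < iterations; i++) {
        (void)*agg1;          /* volatile read: goes to memory */
        (void)*agg2;
        flush_line(agg1);     /* make sure the next read is a DRAM access */
        flush_line(agg2);
        reads += 2;
    }
    return reads;
}

/* Compare `len` bytes of victim memory against the pattern they were filled
 * with and return how many individual bits differ. */
size_t count_bit_flips(const uint8_t *victim, size_t len, uint8_t pattern) {
    size_t flips = 0;
    for (size_t i = 0; i < len; i++)
        flips += (size_t)__builtin_popcount((unsigned)(victim[i] ^ pattern));
    return flips;
}

typedef struct { uint64_t reads; size_t flips; } hammer_result;

/* Allocate a victim buffer filled with 0xFF, hammer two addresses at its two
 * ends (arbitrary choice: nothing here knows the physical row layout), then
 * scan the whole buffer for flipped bits.  victim_len must be >= 128. */
hammer_result hammer_demo(size_t victim_len, uint64_t iterations) {
    hammer_result r = { 0, 0 };
    uint8_t *buf = malloc(victim_len);
    if (!buf || victim_len < 128) { free(buf); return r; }
    memset(buf, 0xFF, victim_len);
    r.reads = hammer(buf, buf + victim_len - 64, iterations);
    r.flips = count_bit_flips(buf, victim_len, 0xFF);
    free(buf);
    return r;
}

/* Constructed self-test of the scanner: a 64-byte victim of 0xFF with one bit
 * deliberately cleared must be reported as exactly one flip. */
size_t scanner_selftest(void) {
    uint8_t victim[64];
    memset(victim, 0xFF, sizeof victim);
    victim[17] ^= 0x08;
    return count_bit_flips(victim, sizeof victim, 0xFF);
}

int main(void) {
    hammer_result r = hammer_demo(1u << 20, 200000);
    printf("issued %llu DRAM reads, found %zu flipped bits (expect 0 on a TRR-protected module)\n",
           (unsigned long long)r.reads, r.flips);
    printf("scanner self-test flips: %zu (expect 1)\n", scanner_selftest());
    return 0;
}
```

The two pieces are what every Rowhammer harness is built from: a tight access-and-flush loop and a scan that compares victim memory with a known fill pattern. What the research adds on top is the choice of aggressor addresses (true row neighbours, found through physical-address knowledge) and the timing of the accesses relative to the refresh commands, which is what defeats TRR.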
The researchers at ETH Zurich tested 15 DDR5 modules manufactured between January 2021 and December 2024 and found that every one of them was vulnerable to bit flips. This shows that existing defences such as Target Row Refresh (TRR) and Error Correcting Code (ECC) are insufficient on their own: the ECC modules required longer hammering, but they too accumulated bit flips over time.
“All DDR5 devices from SK Hynix, currently the largest DRAM manufacturer, are still vulnerable to a new variant of Rowhammer attacks,” the researchers at ETH Zurich said in a paper.
“Using these bit flips, we build the first Rowhammer privilege escalation exploit that obtains root on a commodity DDR5 system with default settings in as little as 109 seconds.”
The researchers warn that DRAM devices will remain vulnerable for many years to come, because the chips cannot be patched in the field and deployed modules are rarely replaced.
Potential mitigation: triple the refresh rate (shorten tREFI)
The study found that refreshing the memory more often stops the bit flips. tREFI is the interval between refresh commands, so tripling the refresh rate means cutting tREFI to a third of its default value.
“We verified that tripling the refresh rate (tREFI ≈ 1.3 us) stops Phoenix from triggering bit flips on our test systems,” the paper reads.
Disclaimer: Changing tREFI to raise the refresh rate as the researchers describe carries inherent risks, such as increased power usage, heat output, and potential degradation, and may void your warranty. We are not responsible for any damage to your system that may result from attempting any modifications.
A BIOS update for AMD client machines has reportedly been issued to address the issue; however, the researchers could not verify whether it is enough to stop an attacker.
“We were told that a BIOS update for AMD client CPUs has been issued. This BIOS update switches the memory controller’s refresh mode to Fine-Granularity Refresh (FGR). FGR increases the refresh rate, but reduces the time allotted to each refresh command. While it remains to be seen how this change affects Phoenix, we do not think it will provide strong protection,” the paper reads.
Google warns that RowHammer remains an industry-wide problem. Mounting an attack requires a deep understanding of the memory subsystem, but the research shows it is far from impossible.