StackWarp (CVE-2025-29943): Critical SEV-SNP Vulnerability in AMD Zen 1–5 CPUs Exposes Confidential Computing to Privilege Escalation and Key Theft
- Rescana
- Jan 25
- 5 min read

Executive Summary
The StackWarp vulnerability (CVE-2025-29943) represents a critical threat to the integrity of confidential computing environments leveraging AMD Zen 1–5 processors with Secure Encrypted Virtualization – Secure Nested Paging (SEV-SNP). This hardware-level flaw enables a privileged adversary, such as a malicious hypervisor or compromised cloud provider, to deterministically manipulate the stack pointer of a guest virtual machine. By exploiting a synchronization bug in the stack engine, attackers can subvert the core isolation guarantees of SEV-SNP, leading to remote code execution, privilege escalation, and cryptographic key extraction within protected VMs. The impact is particularly severe for cloud service providers, managed hosting, and organizations relying on confidential computing in multi-tenant or untrusted environments. Immediate mitigation is essential to preserve the confidentiality and integrity of sensitive workloads.
Technical Information
StackWarp is rooted in a subtle yet profound architectural flaw in the speculative stack engine of AMD Zen 1, Zen 2, Zen 3, Zen 4, and Zen 5 CPUs supporting SEV-SNP. The vulnerability is cataloged as a CWE-123 (Write-what-where Condition) and is tracked as CVE-2025-29943. The attack requires administrative or root-level privileges on the host, making it most relevant in scenarios where the hypervisor or cloud provider is potentially untrusted or compromised.
The core of the vulnerability lies in the improper synchronization of bit 19 in the undocumented core-scoped MSR 0xC0011029, which controls the stack engine. The stack engine is designed to optimize performance by speculatively tracking stack pointer changes in the CPU frontend. However, when bit 19 is toggled from a sibling hyperthread, the stack pointer updates can be "frozen" and later "released," allowing an attacker to inject a chosen offset into the guest VM's stack pointer. This deterministic corruption of the stack pointer enables precise control-flow or data-flow hijacking, all without the need to decrypt guest memory.
Proof-of-concept exploits have demonstrated the practical impact of StackWarp. In one scenario, the attacker manipulates the stack pointer during an OpenSSH password check, causing the authentication function to return a value interpreted as a successful login, thereby granting unauthorized access. Another exploit targets the getuid() system call, tricking the kernel into believing the user is root and enabling privilege escalation. A third proof-of-concept induces faulty cryptographic operations, such as RSA signatures, allowing the attacker to recover private keys from a single faulty signature. These attacks are enabled by the deterministic and precise nature of the stack pointer manipulation, which is unique to this hardware-level flaw.
The official cispa/StackWarp GitHub repository provides detailed proof-of-concept code and technical documentation, including minimal PoCs, architectural tests, and exploit scripts targeting cryptographic and authentication primitives.
The CVSS v4.0 score assigned by AMD is 4.6 (Medium), reflecting the requirement for privileged access. However, the real-world impact in cloud and confidential computing environments is far more severe, as the attack undermines the very foundation of SEV-SNP’s threat model.
Detection of StackWarp exploitation is inherently challenging. As a hardware/architectural attack, it does not leave traditional malware traces or direct indicators of compromise. Security teams should monitor for unexpected stack pointer changes, segmentation faults, or abnormal authentication and privilege escalation events within SEV-SNP-protected VMs.
Exploitation in the Wild
As of the latest intelligence, there are no confirmed reports of StackWarp being exploited in the wild. The attack surface is primarily limited to environments where an adversary can obtain host-level administrative privileges, such as cloud service providers, managed hosting platforms, or compromised hypervisors. The threat model is most acute for organizations relying on SEV-SNP to protect sensitive workloads in multi-tenant or untrusted infrastructure. While no public exploitation has been observed, the availability of detailed proof-of-concept code and the high value of confidential computing targets significantly elevate the risk of future attacks.
APT Groups using this vulnerability
There is currently no public attribution of StackWarp exploitation to any known advanced persistent threat (APT) group or nation-state actor. However, the technical sophistication required to discover and weaponize this vulnerability aligns with the capabilities of nation-state or highly advanced adversaries. The attack is most relevant to threat actors with access to cloud infrastructure or the ability to compromise hypervisors at scale. Given the strategic value of confidential computing environments, it is reasonable to anticipate that APT groups and state-sponsored actors will seek to incorporate StackWarp into their toolkits as awareness and understanding of the vulnerability proliferate.
Affected Product Versions
StackWarp affects a broad range of AMD Zen 1–5 processors with SEV-SNP support. The affected server CPUs are EPYC 7003 Series (Milan, Milan-X), EPYC 8004 Series (Siena), EPYC 9004 Series (Genoa, Genoa-X, Bergamo), and EPYC 9005 Series (Turin, Turin Dense). Embedded variants such as EPYC Embedded 7003, 8004, 9004 (Genoa, Bergamo), and 9005 are also impacted. The official AMD Security Bulletin AMD-SB-3027 provides detailed microcode and platform initialization (PI) versions for each affected product. Notably, Ryzen and Threadripper consumer lines are not listed as affected in the official bulletin.
Mitigation is available via hot-loadable microcode updates for all affected CPUs. The release dates for these updates range from July 2025 to April 2026, depending on the product line and platform. Organizations should consult the official AMD bulletin for the precise microcode or PI version applicable to their hardware.
Workaround and Mitigation
AMD has released hot-loadable microcode patches for all affected CPUs, as detailed in AMD-SB-3027. Organizations should apply these updates as soon as they become available for their specific hardware and platform. As an immediate mitigation, disabling Simultaneous Multithreading (SMT) on SEV-SNP hosts is highly effective, as it prevents the cross-thread manipulation required for the attack. Cloud providers and managed hosting platforms should prioritize the deployment of microcode updates and consider disabling SMT until all systems are fully patched.
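A host-side posture check for the two mitigations above (microcode revision and SMT state), added here as an example rather than code from the Rescana article, AMD, or the StackWarp project. It assumes a Linux host, that AMD family 23 covers Zen 1/2, family 25 Zen 3/4 and family 26 Zen 5, and it uses a placeholder minimum microcode revision that must be replaced with the real value from AMD-SB-3027 for the CPU in question; the sample cpuinfo text is constructed.

```shell
#!/bin/sh
# Added example (not from the article, AMD or cispa/StackWarp): audit a Linux
# SEV-SNP host's StackWarp mitigation posture. cpuinfo text and the sysfs SMT
# control value are passed as arguments so the checks also run offline.
# Assumed: AMD family 23 = Zen 1/2, 25 = Zen 3/4, 26 = Zen 5.
# MIN_UCODE is a PLACEHOLDER; take the real revision from AMD-SB-3027.

field() {  # field NAME CPUINFO -> value of the first "NAME : value" line
    printf '%s\n' "$2" | sed -n "s/^$1[[:space:]]*:[[:space:]]*//p" | head -n 1
}
cpu_is_zen() {  # -> yes/no
    [ "$(field vendor_id "$1")" = AuthenticAMD ] || { echo no; return; }
    case "$(field 'cpu family' "$1")" in 23|25|26) echo yes ;; *) echo no ;; esac
}
has_sev_snp() {  # -> yes/no, based on the sev_snp flag in cpuinfo
    for f in $(field flags "$1"); do [ "$f" = sev_snp ] && { echo yes; return; }; done
    echo no
}
smt_disabled() {  # arg: contents of /sys/devices/system/cpu/smt/control -> yes/no
    case "$1" in off|forceoff|notsupported) echo yes ;; *) echo no ;; esac
}
microcode_ok() {  # args: CPUINFO MIN_HEX -> yes if the loaded revision >= MIN_HEX
    rev=$(field microcode "$1")
    [ -n "$rev" ] || { echo no; return; }
    [ $((rev)) -ge $(($2)) ] && echo yes || echo no
}
# Verdict: patched / smt-off-interim / exposed / not-applicable
stackwarp_posture() {  # args: CPUINFO SMT_CONTROL MIN_HEX
    if [ "$(cpu_is_zen "$1")" != yes ] || [ "$(has_sev_snp "$1")" != yes ]; then
        echo not-applicable; return
    fi
    if [ "$(microcode_ok "$1" "$3")" = yes ]; then echo patched
    elif [ "$(smt_disabled "$2")" = yes ]; then echo smt-off-interim
    else echo exposed; fi
}

# Constructed sample: a Milan-class host with SMT on and microcode below the placeholder minimum.
SAMPLE_CPUINFO='vendor_id       : AuthenticAMD
cpu family      : 25
model name      : AMD EPYC 7763 64-Core Processor
microcode       : 0xa0011d1
flags           : fpu sse sev sev_es sev_snp'
MIN_UCODE=0xa0011d3   # PLACEHOLDER, not the real AMD-SB-3027 value

# On a real host: stackwarp_posture "$(cat /proc/cpuinfo)" "$(cat /sys/devices/system/cpu/smt/control)" "$MIN_UCODE"
stackwarp_posture "$SAMPLE_CPUINFO" on "$MIN_UCODE"
```

The verdict "smt-off-interim" reflects the article's point that disabling SMT blocks the cross-thread manipulation but is a stopgap until the microcode update is applied.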
Security teams should also monitor for anomalous stack pointer behavior, segmentation faults, and unexpected authentication or privilege escalation events within SEV-SNP-protected VMs. While direct indicators of compromise are unlikely due to the hardware nature of the attack, behavioral monitoring and anomaly detection can provide early warning of potential exploitation attempts.
References
For further technical details and official guidance, consult the following resources:
StackWarp Official Research Site
CVE-2025-29943 NVD Entry
cispa/StackWarp GitHub
AMD Security Bulletin AMD-SB-3027
Reddit: r/cybersecurity StackWarp Discussion
The Hacker News: New StackWarp Hardware Flaw
Rescana is here for you
Rescana is committed to empowering organizations with actionable threat intelligence and robust third-party risk management. Our TPRM platform enables you to continuously monitor, assess, and mitigate cyber risks across your entire supply chain and digital ecosystem. We are dedicated to helping you stay ahead of emerging threats like StackWarp and ensuring the resilience of your critical infrastructure. For any questions, further technical details, or to discuss how Rescana can support your security posture, please contact us at ops@rescana.com.