VMScape Spectre-BTI Attack Causes Cloud Isolation Breach on AMD and Intel CPUs.
A team of researchers at ETH Zurich has revealed a new vulnerability called VMScape, which enables a cloud isolation breach by exploiting Spectre-BTI. The finding highlights serious risks in virtualized environments where sensitive host data is assumed to remain protected.
VMScape demonstrates how a malicious virtual machine (VM) can trigger a cloud isolation breach without requiring changes to the host or hypervisor software. The attack manipulates branch target injection (BTI) to misguide the CPU’s branch predictor, eventually leaking secrets such as disk encryption keys from the host.
The vulnerability impacts AMD Zen 1-5 processors and Intel Coffee Lake CPUs, particularly when running KVM/QEMU virtualization. Existing mitigations for Spectre-BTI are not sufficient to prevent this new cloud isolation breach. Researchers recommend the use of IBPB (Indirect Branch Prediction Barrier) upon VM exit, a measure that flushes predictor states with little performance cost.
Cloud providers are particularly vulnerable because VMScape makes it possible to stage a cloud isolation breach from within a standard guest VM. This risk is more severe than other speculative execution flaws that require deeper system control. According to ETH Zurich, systems using default virtualization settings are currently exposed.
The vulnerability has been assigned CVE-2025-40300. Linux kernel maintainers and CPU vendors have already begun preparing fixes to address the VMScape exploit. Security experts emphasize that while mitigation steps are being rolled out, this cloud isolation breach underlines the urgent need for stronger protections in speculative execution and virtual machine boundaries.
In conclusion, VMScape shows that a cloud isolation breach is no longer a theoretical risk but a practical reality. The attack highlights the vulnerability of modern CPUs to sophisticated exploitation methods, even years after Spectre first emerged. Its discovery forces renewed attention on the fragile trust model underpinning global cloud computing, where millions of users rely on shared infrastructure to keep sensitive data safe.
