If you keep up with computers and security, you know that new threats show up every year. Still, some problems come back again and again, even after companies try to fix them. One such problem is called RowHammer. In September 2025, researchers announced a new type of RowHammer attack, known as Phoenix, that works against the latest DDR5 memory chips and can break into secure systems in just a few minutes.
Let us break down how this works and what it really means for people who use computers at home and at work.
Table of Contents
What exactly is RowHammer?
In simple words, RowHammer is a type of computer attack that targets the hardware inside your computer, not just its software. It takes aim at a part called DRAM or Dynamic Random-Access Memory. DRAM chips store a computer’s short-term memory. Every time you open several tabs on your web browser or run heavy software, you are using DRAM.
Attackers found that if you rapidly access, or “hammer,” a single row of memory cells in a DRAM chip, you can cause some of the bits in nearby rows to flip unexpectedly. This means you can change data inside the memory without actually going there on purpose. Think of it like tapping a row of books on a shelf so hard that the books on the next row move out of place.
If a hacker can flip the right bits in memory, he or she can break out of normal restrictions on what the computer can do. This kind of attack can help someone gain higher privileges. For example, a regular user could become an admin or root user. Root access means you have full control of the computer. Even worse, hackers could steal important data like security keys or passwords.
Image Source: X
Why has RowHammer returned in 2025?
The RowHammer problem was first found more than ten years ago, and since then, chip makers like Intel and memory manufacturers have tried to fix it. They improved the memory chips, added extra checks, and made the memory test itself more often to prevent bit flips. One common solution has been to increase the refresh rate of memory rows to keep them stable.
But as technology improved, manufacturers packed memory cells more and more tightly to make the chips faster and hold more data. This close packing has made the chips even more vulnerable to electrical interference. This is where the new Phoenix RowHammer attack comes in.
Now, what is this ‘Phoenix’?
Phoenix is the name given to this latest RowHammer method. Researchers from ETH Zürich revealed that their new attack works on production-grade DDR5 memory chips made by SK Hynix, a top company in the memory business. The attack managed to bypass all the known ways companies tried to defend against RowHammer, including something called on-die ECC or Error Correction Code.
With Phoenix, the researchers showed that anyone could use default system settings, launch the attack, and get root access in under two minutes. The attack received a high severity score of 7.1 out of 10, which means it is a very dangerous finding.
How does the Phoenix RowHammer work?
When tested, the Phoenix attack was able to flip the right bits in the memory quickly. The researchers used it to gain admin rights on a running DDR5 computer, showing that the system’s defences were not enough. With those admin rights, a hacker could do many things — from accessing all data on the system, to stealing cryptographic keys, such as RSA-2048 keys. These keys are used to keep communications safe using SSH, which means an attacker could break into secure connections and steal sensitive information.
The attack is also dangerous in cloud environments. Imagine a virtual machine or VM running on a cloud server. If an attacker uses Phoenix, they could attack memory used by another VM on the same physical server. This means that data which should be protected could leak between customers of cloud services.
Can the affected DDR5 chips be fixed?
Sadly, the answer is no. DRAM chips cannot be updated or patched like ordinary software. If the chip’s design is vulnerable, it will remain open to attacks for many years. Since millions of computers and servers already use these DDR5 chips, a big number of people and businesses could be affected unless new hardware comes out.
The main advice from researchers is to increase the memory refresh rate three times over the standard settings. This means the memory checks and stabilises the data more often, making it hard for Phoenix to successfully flip bits. However, making changes to refresh rates may not be possible on many home computers or would need support from system makers.
After RowHammer was reported the first time in 2014, companies already tried fixes like raising refresh rates and using target row refresh or TRR techniques. But as Phoenix shows, attackers always look for ways around current defences. Remember, RowHammer is a hardware-level security hole, not a virus or software bug. So even the best antivirus program cannot stop it. Only changes to how the hardware works or strict software controls on what code runs on your computer can help prevent these attacks.
