AMD processors are once again at the center of cybersecurity discussions. A team of researchers from ETH Zurich has uncovered a critical vulnerability called Heracles, which impacts the secure virtualization technology SEV-SNP present in EPYC CPUs used in data centers and public clouds.
This discovery undermines trust in confidential virtual machines (CVM), a cornerstone of cloud security. In theory, these VMs ensure that even the hypervisor—who has full privileges over the infrastructure—cannot access guest memory contents. Heracles shows that this assumption isn’t always valid.
SEV-SNP: the promise of privacy in the cloud
SEV-SNP (Secure Encrypted Virtualization – Secure Nested Paging) was developed by AMD to protect VM memory through AES encryption in XEX mode, making data inaccessible even to system administrators or cloud providers.
The “SNP” extension adds integrity to page tables, preventing hypervisor manipulations to inject malicious code. This positioned AMD’s Confidential VMs as a competitive edge against rivals like Intel in confidential computing.
However, ETH Zurich researchers demonstrated that three factors collectively allow a malicious hypervisor to break these guarantees:
- The hypervisor’s ability to read encrypted guest memory.
- The ability to reallocate memory pages within RAM.
- The use of static “tweak” values during re-encryption.
This results in a practical attack called a chosen-plaintext oracle, which can infer sensitive data such as passwords or cryptographic keys by comparing encrypted data and their relocated counterparts.
Real risks for the cloud
Heracles poses a significant threat, especially in environments where virtual machines with AMD EPYC hardware are rented under promises of complete isolation. An attacker with hypervisor privileges could leak data without breaking the encryption algorithm itself, simply exploiting how AMD re-encrypts memory pages.
This means organizations trusting critical workloads to the cloud might expose strategic information, from private keys to authentication tokens.
AMD’s response
The vulnerability was reported to AMD in January 2025. After a six-month coordinated embargo, AMD issued an official statement acknowledging the risk as a known side channel. As mitigation, AMD has proposed measures beyond a full fix:
- Ciphertext Hiding: Available in the fifth-generation EPYC (Turin), this limits the hypervisor’s visibility into encrypted VM data.
- PAGE_SWAP_DISABLE policy: Introduced with SEV-SNP ABI 1.58 (May 2025), which prevents hypervisors from moving guest memory pages.
However, these mitigations reduce flexibility in dynamic memory management, leading to performance penalties in large-scale cloud environments. Essentially, AMD faces a classic trade-off: security versus performance.
AMD vs Intel: a history of critical vulnerabilities
Heracles is not an isolated incident. Both AMD and Intel have a history of serious security flaws over the past decade that have shaken confidence in hardware security:
| Vulnerability | Year | Manufacturer | Main Impact | Severity in Servers |
|---|---|---|---|---|
| Spectre | 2018 | Intel & AMD | Speculative execution leaking data between processes | Very high (industry-wide impact) |
| Meltdown | 2018 | Mainly Intel | Privileged memory access from user processes | Critical (multi-user and cloud environments) |
| Foreshadow (L1TF) | 2018 | Intel | Reading protected memory inside SGX and VM | Critical in virtualization |
| Take A Way | 2020 | AMD | L1 Data cache side-channel attack | Moderate, more theoretical |
| Zenbleed | 2023 | AMD | Leakage of vector registers in Zen 2 | High, with risks in servers |
| Downfall | 2023 | Intel | Reading data from AVX vector registers | High, multiple generations affected |
| Heracles | 2025 | AMD | Data recovery in VMs encrypted with SEV-SNP | Critical in public clouds |
While Intel was at the center of Spectre and Meltdown in 2018, recent years show AMD suffering from architecture-specific vulnerabilities, especially related to secure virtualization. Heracles joins Zenbleed and Take A Way, confirming that no manufacturer is entirely immune.
What’s at stake?
Confidential computing has become a de facto standard in sensitive sectors like finance, healthcare, and defense. Vulnerabilities such as Heracles erode trust in this technology, especially as major cloud providers—Azure, Google Cloud, AWS—expand their catalog of encrypted VMs for regulated clients.
Although exploiting Heracles requires hypervisor privileges (reducing risk for end-users), the fact that a malicious or compromised cloud provider could access supposedly protected data raises significant concerns about the integrity of the digital supply chain.
Conclusion
Heracles is a stark reminder that no system is invulnerable. Cloud privacy guarantees depend on both cryptography and hardware implementation. AMD will need to balance performance and security in future generations, while businesses must implement available mitigations even if they come at a cost to efficiency.
In the ongoing battle for cloud data sovereignty, both AMD and Intel carry scars. Heracles hits particularly close to the core promise of absolute confidentiality that AMD has championed.