USENIX Security 2026 paper shows a malicious hypervisor can misroute PSP writes via Infinity Fabric to leave AMD SEV-SNP’s RMP uninitialized, fully breaking CVM memory isolation.
Key Takeaways
Attack requires UEFI and hypervisor privileges; attacker skips Infinity Fabric lockdown calls so the fabric remains configurable after SEV-SNP activation.
When PSP writes are dropped during SNP_INIT, the RMP retains hypervisor-controlled default entries, giving the attacker arbitrary read/write access to CVM memory.
Fabricked is software-only and fully deterministic, with a 100% success rate; it needs no physical access and no code inside the victim CVM.
Confirmed on Zen 5 EPYC; AMD advisory CVE-2025-54510 also lists Zen 3 and Zen 4 firmware updates, suggesting broader impact.
AMD patched via firmware update (AMD-SB-3034); Intel TDX and Arm CCA are not affected by this specific attack path.
Hacker News Comment Review
Discussion questions whether the economics of confidential computing hold up: bare-metal rental may be cheaper than breach costs for truly sensitive workloads, undermining the shared-cloud CVM model.