EPISODE · Dec 29, 2025 · 40 MIN
Rowhammer in the Wild: Large-Scale Insights from FlippyR.AM (39c3)
from Chaos Computer Club - recent audio-only feed · host Martin Heckel, Florian Adamsky, Daniel Gruss
Last year at 38c3, we gave a talk titled "Ten Years of Rowhammer: A Retrospect (and Path to the Future)." In this talk, we summarized 10 years of Rowhammer research and highlighted gaps in our understanding. For instance, although nearly all DRAM generations from DDR3 to DDR5 are vulnerable to the Rowhammer effect, we still do not know its real-world prevalence. For that reason, we invited everyone at 38c3 last year to participate in our large-scale Rowhammer prevalence study. In this year's talk, we will first provide an update on Rowhammer research and present our results from that study. A lot has happened in Rowhammer research in 2025. We have evidence that DDR5 is as vulnerable to Rowhammer as previous generations. Other research shows that not only can adversaries target rows, but columns can also be addressed and used for bit flips. Browser-based Rowhammer attacks are back on the table with Posthammer and with ECC. fail, we can mount Rowhammer attacks on DDR4 with ECC memory. In our large-scale study, we measure Rowhammer prevalence in a fully automated cross-platform framework, FlippyR.AM, using the available state-of-the-art software-based DRAM and Rowhammer tools. Our framework automatically gathers information about the DRAM and uses 5 tools to reverse-engineer the DRAM addressing functions, and based on the reverse-engineered functions, uses 7 tools to mount Rowhammer. We distributed the framework online and via USB thumb drives to thousands of participants from December 30, 2024, to June 30, 2025. Overall, we collected 1006 datasets from 822 systems with various CPUs, DRAM generations, and vendors. Our study reveals that out of 1006 datasets, 453 (371 of the 822 unique systems) succeeded in the first stage of reverse-engineering the DRAM addressing functions, indicating that successfully and reliably recovering DRAM addressing functions remains a significant open problem. In the second stage, 126 (12.5 % of all datasets) exhibited bit flips in our fully automated Rowhammer attacks. Our results show that fully automated, i.e., weaponizable, Rowhammer attacks work on a lower share of systems than FPGA-based and lab experiments indicated, but at 12.5%, are still a practical vector for threat actors. Furthermore, our results highlight that the two most pressing research challenges around Rowhammer exploitability are more reliable reverse-engineering tools for DRAM addressing functions, as 50 % of datasets without bit flips failed in the DRAM reverse-engineering stage, and reliable Rowhammer attacks across diverse processor microarchitectures, as only 12.5 % of datasets contained bit flips. Addressing each of these challenges could double the number of systems susceptible to Rowhammer and make Rowhammer a more pressing threat in real-world scenarios. This will be a followup talk after our talk "Ten Years of Rowhammer: A Retrospect (and Path to the Future)" at 38C3. In the talk last year we gave an overview of the current state of Rowhammer and highlighted that there are no large-scale prevalence studies. We wanted to change that and asked the audience to participate in our large-scale study on Rowhammer prevalence. We performed the large-scale study on Rowhammer prevalence thanks to many volunteers supporting our study by measuring their systems. In total, we collected 1006 datasets on 822 different systems (some systems were measured multiple times). We show that 126 of them (12.5%) are affected by Rowhammer with our fully-automated setup. This should be seen as a lower bound, since the preconditions required for effective tools failed on ~50% of the systems. Among many other insights, we learned that the fully-automated reverse-engineering of DRAM addressing functions is still an open problem and we assume the actual number of affected systems to be higher as the 12.5% we measured in our study. Now, one year after our talk at the 38C3, we want to give an update on the current state of Rowhammer, since multiple new insights were published in the last year: The first reliable Rowhammer exploit on DDR5, a JavaScript implementation of Rowhammer that works on current DDR4 systems, and an ECC bypass on DDR4, just to name a few. Additionally, we want to present the results of our large-scale study on Rowhammer prevalence which was supported by the audience from last year's talk. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/rowhammer-in-the-wild-large-scale-insights-from-flippyr-am
What this episode covers
Last year at 38c3, we gave a talk titled "Ten Years of Rowhammer: A Retrospect (and Path to the Future)." In this talk, we summarized 10 years of Rowhammer research and highlighted gaps in our understanding. For instance, although nearly all DRAM generations from DDR3 to DDR5 are vulnerable to the Rowhammer effect, we still do not know its real-world prevalence. For that reason, we invited everyone at 38c3 last year to participate in our large-scale Rowhammer prevalence study. In this year's talk, we will first provide an update on Rowhammer research and present our results from that study. A lot has happened in Rowhammer research in 2025. We have evidence that DDR5 is as vulnerable to Rowhammer as previous generations. Other research shows that not only can adversaries target rows, but columns can also be addressed and used for bit flips. Browser-based Rowhammer attacks are back on the table with Posthammer and with ECC. fail, we can mount Rowhammer attacks on DDR4 with ECC memory. In our large-scale study, we measure Rowhammer prevalence in a fully automated cross-platform framework, FlippyR.AM, using the available state-of-the-art software-based DRAM and Rowhammer tools. Our framework automatically gathers information about the DRAM and uses 5 tools to reverse-engineer the DRAM addressing functions, and based on the reverse-engineered functions, uses 7 tools to mount Rowhammer. We distributed the framework online and via USB thumb drives to thousands of participants from December 30, 2024, to June 30, 2025. Overall, we collected 1006 datasets from 822 systems with various CPUs, DRAM generations, and vendors. Our study reveals that out of 1006 datasets, 453 (371 of the 822 unique systems) succeeded in the first stage of reverse-engineering the DRAM addressing functions, indicating that successfully and reliably recovering DRAM addressing functions remains a significant open problem. In the second stage, 126 (12.5 % of all datasets) exhibited bit flips in our fully automated Rowhammer attacks. Our results show that fully automated, i.e., weaponizable, Rowhammer attacks work on a lower share of systems than FPGA-based and lab experiments indicated, but at 12.5%, are still a practical vector for threat actors. Furthermore, our results highlight that the two most pressing research challenges around Rowhammer exploitability are more reliable reverse-engineering tools for DRAM addressing functions, as 50 % of datasets without bit flips failed in the DRAM reverse-engineering stage, and reliable Rowhammer attacks across diverse processor microarchitectures, as only 12.5 % of datasets contained bit flips. Addressing each of these challenges could double the number of systems susceptible to Rowhammer and make Rowhammer a more pressing threat in real-world scenarios. This will be a followup talk after our talk "Ten Years of Rowhammer: A Retrospect (and Path to the Future)" at 38C3. In the talk last year we gave an overview of the current state of Rowhammer and highlighted that there are no large-scale prevalence studies. We wanted to change that and asked the audience to participate in our large-scale study on Rowhammer prevalence. We performed the large-scale study on Rowhammer prevalence thanks to many volunteers supporting our study by measuring their systems. In total, we collected 1006 datasets on 822 different systems (some systems were measured multiple times). We show that 126 of them (12.5%) are affected by Rowhammer with our fully-automated setup. This should be seen as a lower bound, since the preconditions required for effective tools failed on ~50% of the systems. Among many other insights, we learned that the fully-automated reverse-engineering of DRAM addressing functions is still an open problem and we assume the actual number of affected systems to be higher as the 12.5% we measured in our study. Now, one year after our talk at the 38C3, we want to give an update on the current state of Rowhammer, since multiple new insights were published in the last year: The first reliable Rowhammer exploit on DDR5, a JavaScript implementation of Rowhammer that works on current DDR4 systems, and an ECC bypass on DDR4, just to name a few. Additionally, we want to present the results of our large-scale study on Rowhammer prevalence which was supported by the audience from last year's talk. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/rowhammer-in-the-wild-large-scale-insights-from-flippyr-am
NOW PLAYING
Rowhammer in the Wild: Large-Scale Insights from FlippyR.AM (39c3)
No transcript for this episode yet
Similar Episodes
Mar 26, 2026 ·1m
Feb 8, 2026 ·4m
Jan 30, 2026 ·6m
Jan 2, 2026 ·47m