Researchers at ETH Zurich disclosed a software-only vulnerability in April that silently undermines AMD SEV-SNP confidential computing protections on AMD's EPYC platforms, giving a malicious cloud host full read and write access to supposedly protected virtual machine memory. The technique, dubbed “Fabricked,” exploits flaws in how the CPU's Infinity Fabric interconnect handles memory routing during boot — and can forge the cryptographic attestation reports tenants rely on to verify their environment hasn't been tampered with.

The researchers presented the findings as part of a USENIX Security 2026 paper, describing the exploit as fully deterministic with a 100% success rate, requiring neither physical access nor code execution inside the victim VM.

Confidential computing exists to address a fundamental trust problem in cloud infrastructure: tenants often have no way to verify that a cloud provider isn't accessing their data. AMD SEV-SNP addresses this by creating hardware-isolated Confidential Virtual Machines (CVMs), where memory is encrypted and access-controlled by a dedicated on-chip security processor called the PSP. To enforce those boundaries, SEV-SNP relies on a structure called the Reverse Map Table (RMP) — a per-page access control table stored in memory — which the PSP initializes securely during boot. Attestation, the mechanism by which tenants cryptographically verify their environment is genuine and untampered, depends on that chain holding. This is what Fabricked breaks.

The technique hinges on a component most users will never think about: the Infinity Fabric, AMD's internal chiplet interconnect responsible for routing memory traffic between CPU cores, memory controllers, and peripheral devices. Because platform configurations vary across hardware, parts of the Infinity Fabric must be configured during each boot sequence by the motherboard firmware — the UEFI. In AMD's own threat model, that firmware is explicitly untrusted, since cloud providers control it.

The researchers found that the UEFI is responsible for issuing two PSP API calls that lock down Infinity Fabric configuration registers after initialization. A malicious UEFI can simply skip them, leaving the Data Fabric — the memory routing layer within Infinity Fabric — writable by the attacker even after SEV-SNP has activated.

From there, the exploit leverages a second, subtler flaw. The researchers found that PSP memory requests were incorrectly checked against MMIO routing rules — rules normally reserved for hardware device communication — before standard DRAM routing rules were applied. By configuring those MMIO mappings to shadow the RMP's memory region, the attacker causes the PSP's initialization writes to be silently discarded. The RMP never gets properly set up, but SEV-SNP reports successful initialization anyway. The platform believes the system is secure when it is not.

With an uninitialized RMP under attacker control, the hypervisor can read and write arbitrary CVM memory. The researchers demonstrated two concrete exploits: enabling debug mode on a production CVM after attestation — giving the hypervisor the ability to decrypt arbitrary VM memory, undetected by the guest — and forging attestation reports wholesale, allowing a malicious image to pass as a trusted one.

The researchers confirmed the exploit on AMD Zen 5 EPYC processors. AMD's advisory also lists firmware updates for Zen 3 and Zen 4, suggesting broader exposure across generations. AMD acknowledged the vulnerability following ETH Zurich's responsible disclosure in August 2025, assigned it CVE-2025-54510, and published security guidance under advisory AMD-SB-3034 when the embargo lifted in April 2026.

Organizations running workloads on AMD EPYC-based confidential computing instances should verify with their cloud provider that updated firmware has been deployed. AMD has issued patches covering Zen 3, Zen 4, and Zen 5 platforms. Home users and standard cloud workloads that don't rely on SEV-SNP confidential computing are not affected.
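The routing-order flaw described above can be seen in a toy model, added here as an illustration and not taken from the paper or from AMD: when MMIO rules are consulted before DRAM rules, initialization writes to a shadowed region are dropped while the initializer still reports success. The `Fabric` class, all addresses, and the readback check are assumptions made for the example; the page does not describe AMD's actual fix.

```python
from dataclasses import dataclass, field

@dataclass
class Fabric:
    """Toy address router; names and addresses are constructed for illustration."""
    dram_rules: list            # [(base, limit)] ranges backed by DRAM
    mmio_rules: list            # [(base, limit)] ranges routed to devices
    mmio_checked_first: bool    # True models the flawed lookup order
    dram: dict = field(default_factory=dict)

    @staticmethod
    def _hit(rules, addr):
        return any(base <= addr <= limit for base, limit in rules)

    def _to_dram(self, addr):
        if self.mmio_checked_first and self._hit(self.mmio_rules, addr):
            return False        # request is sent to an MMIO target, DRAM never sees it
        return self._hit(self.dram_rules, addr)

    def write(self, addr, value):
        # Posted write: the requester gets no error when the write is dropped.
        if self._to_dram(addr):
            self.dram[addr] = value

    def read(self, addr):
        # Model assumption: a read that does not reach DRAM yields no valid data.
        return self.dram.get(addr) if self._to_dram(addr) else None

RMP = range(0x1000, 0x1010)     # constructed RMP region
STALE, INIT = 0x41, 0x00        # host-controlled leftover vs. initialized entry

def init_rmp(fabric, verify):
    """Write every RMP entry; with verify=True, read back and fail on mismatch."""
    for addr in RMP:
        fabric.write(addr, INIT)
    if verify and any(fabric.read(a) != INIT for a in RMP):
        return "failed"
    return "ok"

def boot(mmio_rules, mmio_checked_first, verify):
    """Return (reported status, whether the RMP in DRAM is really initialized)."""
    fabric = Fabric([(0x0, 0xFFFF)], mmio_rules, mmio_checked_first,
                    dram={a: STALE for a in RMP})
    status = init_rmp(fabric, verify)
    return status, all(fabric.dram[a] == INIT for a in RMP)

if __name__ == "__main__":
    shadow = [(0x1000, 0x100F)]             # MMIO rule overlapping the RMP
    print(boot(shadow, True, False))        # flawed order, no readback
    print(boot(shadow, False, False))       # DRAM rules decide the route
    print(boot(shadow, True, True))         # flawed order, readback catches it
```

The gap between the reported status and the real memory state in the first case is the condition the article describes: the platform believes the RMP is set up when it is not.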