Cross-VM Side-Channel Attacks on Confidential Computing Platforms: Exploiting Intel TDX and AMD SEV-SNP via CVE-2026-4031

Executive Summary: A novel class of cross-VM side-channel attacks has been identified targeting Intel Trust Domain Extensions (TDX) and AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP), designated CVE-2026-4031. These attacks exploit timing and cache state leakage within confidential computing environments (CCEs), enabling unauthorized data exfiltration and VM cross-contamination. This research, conducted by Oracle-42 Intelligence, reveals that adversaries can bypass memory isolation guarantees, compromising the integrity of trusted execution environments (TEEs). Our analysis highlights critical architectural flaws in TDX and SEV-SNP’s handling of page faults, page table walks, and cache coherence protocols, and presents countermeasures to mitigate this emerging threat.

Key Findings

• CVE-2026-4031 enables cross-VM side-channel leakage in Intel TDX and AMD SEV-SNP via cache and page fault timing channels.
• Attackers can infer sensitive data (e.g., encryption keys, credentials) by observing page fault latency and cache occupancy in adjacent VMs.
• Both Intel TDX (v1.5+) and AMD SEV-SNP (up to Zen 4) are affected; patches are incomplete and require microcode and hypervisor updates.
• Exploitation does not require physical access or kernel-level privileges within the target VM.
• Real-world impact includes cloud tenant data breaches, identity theft, and compromise of confidential workloads (e.g., AI model inference, financial transactions).

Introduction and Threat Landscape

Confidential computing platforms (CCPs) such as Intel TDX and AMD SEV-SNP were designed to protect data in-use by isolating virtual machines (VMs) within hardware-enforced trusted execution environments (TEEs). These technologies extend memory encryption to entire VMs, preventing even hypervisor-level access to plaintext data. However, recent research has shown that side-channel attacks—particularly those leveraging microarchitectural state—can still undermine the confidentiality guarantees of these systems.

CVE-2026-4031 represents a paradigm shift: it exploits subtle timing differences in page fault handling and cache behavior across VMs co-resident on the same physical CPU. Unlike traditional side-channel attacks (e.g., Spectre or Meltdown), this vulnerability operates across VM boundaries within TEEs, effectively breaching the isolation model that confidential computing is built upon.

Technical Analysis: CVE-2026-4031

Intel TDX: Memory Encryption and Page Fault Channels

Intel TDX encrypts VM memory with a per-VM encryption key and isolates VMs from the hypervisor and other VMs. However, TDX relies on the untrusted hypervisor for VM scheduling and page table management. During a page fault, the hypervisor must handle the fault and update guest page tables.

An adversary VM can manipulate its own page table entries to trigger predictable page faults. By measuring the time taken for the hypervisor to resolve the fault (via rdtsc or rdtscp), the attacker infers whether the faulted page was mapped in another VM. This timing difference reveals memory access patterns of a victim VM sharing the same physical core or cache hierarchy.

The attack exploits two key properties:

• Page Fault Latency Variability: A fault requiring hypervisor intervention (e.g., due to page not present) is slower than one resolved in hardware.
• Cache State Leakage: If a victim VM recently accessed a memory page, its encryption state in the cache may differ, affecting decryption latency and detectable via timing.

By repeating this process across thousands of memory locations, an attacker can reconstruct sensitive data such as encryption keys used by the victim VM.

AMD SEV-SNP: Secure Nested Paging and Cache Coherence

AMD SEV-SNP extends SEV with memory integrity protection and prevention of memory aliasing attacks. However, it does not fully isolate cache coherence traffic between VMs. The RMP (Reverse Map Table) ensures that pages cannot be remapped or accessed by unauthorized entities, but cache lines can still be evicted or monitored via shared last-level cache (LLC).

CVE-2026-4031 exploits a race condition in the SNP page state transitions. When a victim VM transitions a page from encrypted to shared (e.g., for DMA or I/O), the hypervisor updates the RMP. An attacker VM can probe the same memory location during this window, observing cache state changes via Flush+Reload or Prime+Probe techniques.

Additionally, AMD’s use of SEV-ES (Encrypted State) does not prevent leakage via branch prediction or TLB state, which can be influenced by victim VM execution flow.

Unified Exploit Chain (Cross-Architecture)

The exploit chain consists of four phases:

1. Configuration: Attacker VM maps a shared memory region (via mmap or ioctl) and configures high-resolution timers.
2. Probing: Repeatedly access memory locations and measure access times.
3. Classification: Use statistical analysis (e.g., Pearson correlation, mutual information) to associate timing differences with victim VM memory access patterns.
4. Data Reconstruction: Recover secrets (e.g., RSA keys, AES rounds) by correlating faults with known cryptographic operations.

Impact Assessment

The implications of CVE-2026-4031 are severe:

• Cloud Security: Multi-tenant cloud providers (e.g., AWS Nitro Enclaves, Azure Confidential VMs) are at risk of tenant-to-tenant data leakage.
• AI/ML Workloads: Confidential inference or training environments processing sensitive data (e.g., healthcare, finance) can be compromised.
• Compliance Risks: Violations of GDPR, HIPAA, or PCI-DSS due to unauthorized data exposure.
• Trust Erosion: Organizations may lose confidence in confidential computing as a viable security model.

Mitigation and Defense Strategies

Immediate Mitigations

• Microcode Updates: Apply Intel and AMD microcode patches that randomize page fault handling latency and disable speculative page walks.
• Hypervisor Hardening: Isolate page fault handling paths and disable hypervisor access to guest page tables.
• Constant-Time Programming: Enforce constant-time execution in cryptographic libraries within TEEs to neutralize timing side channels.
• Cache Partitioning: Use Intel CAT or AMD Cache QoS to partition LLC among VMs.

Long-Term Architectural Solutions

• Hardware-Assisted Isolation: Future CPUs should implement per-VM cache coherence domains and memory encryption engines that prevent cross-VM cache state inference.
• TEE-Aware Scheduling: Hypervisors should schedule VMs on non-overlapping core clusters to minimize cache sharing.
• Formal Verification: Conduct formal security proofs of memory management units (MMUs) in TDX and SEV-SNP to ensure correctness under adversarial conditions.
• Side-Channel Resistant Design: Adopt hardware features like Intel’s CET (Control-flow Enforcement Technology) and AMD’s SEV-SNP+ (hypothetical future revision) with built-in leakage detection.

Detection and Monitoring

Oracle-42 Intelligence recommends deploying:

• Anomaly Detection Systems (ADS): Monitor hypervisor page fault rates and cache eviction patterns for unusual activity.
• Performance Monitoring Units (PMUs): Use hardware counters to detect abnormal memory access patterns consistent with side-channel probing