Researchers have found a way to bypass Kernel Address Space Layout Randomization (KASLR) on fully updated Windows 11 systems using a cache timing side-channel attack.
The method, based on the Prefetch Side-Channel technique, exploits Intel CPU cache behavior to reveal the base address of the Windows kernel (ntoskrnl.exe).
By measuring memory access times, attackers can locate the kernel in memory without needing special privileges—posing a serious risk to system security.
How the Side-Channel Attack Works
This attack takes advantage of speculative execution—a CPU feature that guesses and runs instructions early to boost speed. While helpful for performance, it can accidentally leak information into the CPU cache.
The attackers use special instructions like prefetchnta and prefetcht2 to quietly load memory addresses into the cache. Then, they use a timing instruction (rdtscp) to measure how fast those addresses can be accessed.
If an address is already in the cache—like the kernel’s base address—it responds faster. By checking thousands of addresses and averaging the results, the attackers can spot which memory areas belong to the Windows kernel.
Cache Attack Shows Kernel Leak Risk on Windows 11
Researchers refined the attack by averaging access times and using thresholds to pinpoint the Windows kernel’s base address. They used serializing CPU instructions like mfence and lfence to keep earlier memory operations from skewing the timing, making the attack more reliable.
Although no real-world attacks have been seen yet, this shows how hardware optimizations can still be exploited. The code, tested on Windows 11 (build 26100.3775), bypasses previous protections without needing admin rights.
However, the method doesn’t work well in virtual machines like VMware due to how virtualization handles caching.
This finding highlights the ongoing challenge in securing hardware-level processes and calls for stronger protections from Intel and Microsoft in future updates.