“`html
Saarbrücken, Germany – August 6, 2025 – Security researchers at the CISPA Helmholtz Center for Facts security have discovered a critical vulnerability, dubbed “CFOP” (Control-Flow Obfuscation via Proxies), that allows attackers to bypass modern CPU security mitigations like Intel’s Control-flow Enforcement technology (CET) and Shadow Stack. The flaw resides within the implementation of C++ coroutines by major compilers, possibly impacting a wide range of software.
The research, led by Marcos Sanchez Bajo and Prof. Dr. Christian Rossow, demonstrates that CFOP exploits structural weaknesses in how C++ coroutines are compiled by Clang/LLVM, GCC, and Microsoft Visual C++ (MSVC). While existing protections like Indirect Branch Tracking (IBT) and Control Flow Guard (CFG) offer limited defense, CFOP allows complete circumvention of these safeguards, effectively restoring the attack surface to pre-CFI levels.
C++ coroutines, introduced in the C++20 standard, provide a mechanism for writing asynchronous and non-blocking code more efficiently. Though, Bajo and Rossow found that the way these coroutines are translated into machine code creates exploitable memory structures. Specifically, the proxy functions generated during compilation can be hijacked to redirect control flow, bypassing security checks.
“To defuse this attack technology is not as easy as patching a code – it is a structural problem and you have to rethink the internal functioning of the application,” explained bajo. The researchers have already developed option implementations of C++ coroutines that mitigate the vulnerability and have reported their findings to the compiler developers – Clang/LLVM,GCC,and MSVC – in November 2024.
Understanding Control Flow Integrity (CFI) and the Threat
Control Flow Integrity (CFI) is a security technique designed to prevent attackers from hijacking the execution flow of a program. Modern CPUs, like those from Intel and AMD, incorporate hardware-level CFI mechanisms such as CET, which includes IBT and Shadow Stack. IBT prevents indirect jumps and calls to arbitrary addresses, while Shadow Stack protects return addresses from being overwritten. CFOP circumvents these protections by manipulating the control flow *within* the legitimate structure of the coroutine implementation, rather than directly attacking the CFI mechanisms themselves.
The vulnerability is particularly concerning given the increasing adoption of C++ coroutines in various applications, including web browsers, game engines, and high-performance computing. The researchers emphasize that, as of their findings, the vulnerability has not yet been observed in active exploitation, but the potential for abuse is significant.
The team will present their research at the Black Hat USA conference in Las Vegas on August 7,2025,and their findings will be published in the 34th Usenix Security Symposium in Seattle,WA,USA. The academic paper is available at https://doi.org/10.60882/cispa.28718642.v1.
Scientific Contact:
Marcos Sanchez Bajo and Prof. Dr. Christian Rossow
CISPA Helmholtz Center for Information Security
Stuhlsatzenhaus 5
66123 Saarbrücken
marcos.sanchez-bajo@cispa.de / rossow@cispa.de
Academic Publication:
sanchez Bajo, Marcos; Rossow, Christian (2025) “Await() a Second: Evading Control Flow Integrity by Hijacking C++ Coroutines” In: 34th Usenix Security Symposium (USENIX-Security), 13-15 Aug 2025, Seattle, WA, USA.
