Understanding and Mitigating Side and Covert Channel Vulnerabilities Introduced by RowHammer Defenses

📅 2025-03-23
🤖 AI Summary
This work reveals, for the first time, that RowHammer hardware mitigation mechanisms—such as PRAC and RFM—can themselves be weaponized to construct timing side channels and covert channels: their induced DRAM bandwidth throttling and latency fluctuations serve as novel carriers for cross-process secret communication. We propose LeakyHammer, a novel attack paradigm integrating DRAM access timing measurement, latency differential analysis, and pattern-driven trigger modeling. By jointly leveraging kernel-level memory scheduler observation and Web-based JavaScript timing channels, we realize a high-throughput covert channel achieving up to 54.0 Kbps on real DDR5 systems, enabling privilege-free website fingerprinting. Our evaluation demonstrates a fundamental security–performance trade-off inherent in mainstream mitigations: enabling these defenses incurs substantial system performance degradation. The findings underscore critical design limitations in current RowHammer countermeasures and expose previously overlooked attack surfaces arising from mitigation-induced microarchitectural side effects.

📝 Abstract
DRAM chips are vulnerable to read disturbance phenomena (e.g., RowHammer and RowPress), where repeatedly accessing or keeping open a DRAM row causes bitflips in nearby rows, due to DRAM density scaling. Attackers can leverage RowHammer bitflips in real systems to take over systems and leak data. Consequently, many prior works propose mitigations, including recent DDR specifications introducing new mitigation frameworks (e.g., PRAC and RFM). For robustness, it is timely and critical to analyze other security implications that widely-adopted RowHammer mitigations can introduce. Unfortunately, no prior work analyzes the timing channel vulnerabilities introduced by RowHammer mitigations. In this work, we present the first analysis and evaluation of timing channel vulnerabilities introduced by RowHammer mitigations. Our key observation is that RowHammer mitigations' preventive actions have two features that enable timing channels. First, preventive actions often reduce DRAM bandwidth availability because they block access to DRAM, thereby delaying regular memory requests and resulting in increased memory latencies. Second, preventive actions can be triggered on demand as they depend on memory access patterns. We systematically analyze two latest industry mitigations and introduce LeakyHammer, a new class of attacks that leverage the RowHammer mitigation-induced memory latency differences to establish communication channels between processes and leak secrets. First, we build two covert channel attacks exploiting two state-of-the-art RowHammer mitigations, providing 41.9 Kbps and 54.0 Kbps channel capacity. Second, we demonstrate a proof-of-concept website fingerprinting attack that can identify visited websites based on the RowHammer mitigation behavior. We discuss 3 mitigations against LeakyHammer and show that fundamentally mitigating LeakyHammer induces significant performance overheads.

Problem

Research questions and friction points this paper is trying to address.

Analyzing timing channel vulnerabilities from RowHammer mitigations
Demonstrating covert channel attacks via mitigation-induced latency differences
Proposing mitigations for LeakyHammer with performance overhead trade-offs

Innovation

Methods, ideas, or system contributions that make the work stand out.

Analyzes timing channels from RowHammer mitigations
Introduces LeakyHammer attack exploiting latency differences
Proposes mitigations with performance overhead trade-offs

Authors

F. Nisa Bostanci, ETH Zürich
Oğuzhan Canpolat, TOBB University of Economics and Technology
Ataberk Olgun, ETH Zürich (Computer Architecture, Memory Systems, Computer Security, Reliability)
Ismail Emir Yuksel, ETH Zürich
Mohammad Sadrosadati, Senior Researcher and Lecturer, ETH Zürich (Heterogeneous Computing, Processing-In-Memory, Memory Systems, Interconnection Networks)
A. Giray Yağlıkçı, ETH Zürich
Onur Mutlu, ETH Zürich