HECKLER is a new attack that exploits the hypervisor's ability to inject malicious interrupts into confidential VMs (CVMs) running on AMD SEV-SNP and Intel TDX. The attack leverages the hypervisor's control over interrupt management to manipulate the CVM's register states and alter data and control flow. By injecting interrupts, the hypervisor can change the victim VM's data and control flow, bypassing authentication mechanisms and breaking execution integrity. HECKLER targets explicit effect handlers that directly modify registers, impacting the CVM's global state. The attack works by injecting interrupts at specific points in the victim program's execution to induce changes in the application's state. For example, in OpenSSH, HECKLER can bypass authentication by changing the return value of the authentication function, allowing the hypervisor to gain root access. Similarly, in sudo, HECKLER can bypass authentication by altering the return value of the authentication function, allowing the hypervisor to escalate privileges to root. The attack also targets applications with SIGFPE handlers, such as Java statistical analysis tools and Julia text analysis packages. By injecting SIGFPE interrupts, HECKLER can alter the application's behavior, such as changing the mean and covariance in Java or the F-score in Julia. In C-based applications, HECKLER can alter the output of the tanh function, biasing the model's final confusion matrix. To execute HECKLER, the hypervisor must inject interrupts at specific points in the application's execution. This requires identifying the correct physical pages of the functions of interest and timing the interrupt injection to the right core. The attack involves three phases: offline analysis to learn a function that maps page fault patterns to HECKLER gadgets, online analysis to monitor when the CVM reaches a point of interest in its execution, and injecting the interrupt. The attack is effective on both AMD SEV-SNP and Intel TDX, with the latter having insufficient defenses. HECKLER is tracked under two CVEs: CVE-2024-25744 for int 0x80 and CVE-2024-25743 for other interrupts. The attack demonstrates that the confidentiality and integrity guarantees offered by these state-of-the-art TEEs can be compromised.HECKLER is a new attack that exploits the hypervisor's ability to inject malicious interrupts into confidential VMs (CVMs) running on AMD SEV-SNP and Intel TDX. The attack leverages the hypervisor's control over interrupt management to manipulate the CVM's register states and alter data and control flow. By injecting interrupts, the hypervisor can change the victim VM's data and control flow, bypassing authentication mechanisms and breaking execution integrity. HECKLER targets explicit effect handlers that directly modify registers, impacting the CVM's global state. The attack works by injecting interrupts at specific points in the victim program's execution to induce changes in the application's state. For example, in OpenSSH, HECKLER can bypass authentication by changing the return value of the authentication function, allowing the hypervisor to gain root access. Similarly, in sudo, HECKLER can bypass authentication by altering the return value of the authentication function, allowing the hypervisor to escalate privileges to root. The attack also targets applications with SIGFPE handlers, such as Java statistical analysis tools and Julia text analysis packages. By injecting SIGFPE interrupts, HECKLER can alter the application's behavior, such as changing the mean and covariance in Java or the F-score in Julia. In C-based applications, HECKLER can alter the output of the tanh function, biasing the model's final confusion matrix. To execute HECKLER, the hypervisor must inject interrupts at specific points in the application's execution. This requires identifying the correct physical pages of the functions of interest and timing the interrupt injection to the right core. The attack involves three phases: offline analysis to learn a function that maps page fault patterns to HECKLER gadgets, online analysis to monitor when the CVM reaches a point of interest in its execution, and injecting the interrupt. The attack is effective on both AMD SEV-SNP and Intel TDX, with the latter having insufficient defenses. HECKLER is tracked under two CVEs: CVE-2024-25744 for int 0x80 and CVE-2024-25743 for other interrupts. The attack demonstrates that the confidentiality and integrity guarantees offered by these state-of-the-art TEEs can be compromised.