Confidential computing implementations encrypt guest Virtual Machine (VM) memory to protect workloads from a malicious hypervisor. However, its use of system physical ad dresses as tweak values causes the distribution of ciphertexts at each physical location to mirror the distribution of plaintexts. To exploit this weakness, we propose Relocate-Vote, a novel primitive abusing management commands supported by confidential computing architecture such as SNP_PAGE_MOVE in AMD SEV-SNP. Unlike previous attacks that rely on secret information temporally written into specific locations, Relocate-Vote takes advantage of biases between the prevalent and non-prevalent values in an application’s memory, which are preserved under memory encryption, and uses the spatial distribution of those values to leak sensitive information from confidential VMs. In this work, we demonstrate the generality of the primitive’s application by de-randomizing Address Space Layout Randomization, extracting 3D object data during OpenVDB operations, and leaking token’s information during sparse LLM inference.