
New academic research has identified multiple RowHammer attacks against high-performance graphics processing units (GPUs) that can be exploited to escalate privileges and, in some cases, take complete control of the host.
The efforts are codenamed GPUBreach, GDDRHammer, and GeForge.
GPUBreach goes a step further than GPUHammer by demonstrating for the first time that RowHammer bitflips in GPU memory can do far more than corrupt data: they can enable privilege escalation and lead to system-wide compromise.
“By corrupting the GPU page table via a GDDR6 bitflip, an unprivileged process can gain read/write access to arbitrary GPU memory and exploit memory safety bugs in NVIDIA drivers that can cascade into full CPU privilege escalation (spawning a root shell),” Gururaj Saileshwar, one of the study authors and an assistant professor at the University of Toronto, said in a post on LinkedIn.
What’s interesting about GPUBreach is that it works without disabling the input/output memory management unit (IOMMU). The IOMMU is a critical hardware component that prevents direct memory access (DMA) attacks and ensures memory security by isolating each peripheral into its own memory space.
“GPUBreach shows that that is not enough. By corrupting trusted driver state within IOMMU-allowed buffers, it triggers kernel-level out-of-bounds writes, completely bypassing IOMMU protections without disabling them,” Saileshwar added. “This has serious implications for cloud AI infrastructure, multi-tenant GPU deployments, and HPC environments.”
RowHammer is a long-standing dynamic random access memory (DRAM) reliability error in which repeated accesses (hammering) to a memory row can cause electrical interference that flips bits in adjacent rows (from 0 to 1, or vice versa). This breaks the isolation guarantees that are the basis of modern operating systems and sandboxes.
DRAM manufacturers have implemented hardware-level mitigations such as error correction codes (ECC) and target row refresh (TRR) to combat this line of attack.
However, a study published in July 2025 by researchers at the University of Toronto extended the threat to GPUs. GPUHammer, as the name suggests, is the first practical RowHammer attack targeting NVIDIA GPUs using GDDR6 memory. It employs techniques such as multithreaded parallel hammering to overcome architectural challenges inherent in GPUs, which were previously insensitive to bit flips.
Successful exploitation of GPUHammer can reduce the accuracy of machine learning (ML) models by up to 80% when run on GPUs.
GPUBreach extends this approach, using RowHammer to corrupt GPU page tables and achieve privilege escalation, resulting in arbitrary reads/writes on GPU memory. Additionally, the attack was shown to enable the disclosure of private cryptographic keys from NVIDIA cuPQC, model degradation attacks, and CPU privilege escalation with IOMMU enabled.
“A compromised GPU issues DMA (using the PTE’s aperture bit) to an area of CPU memory (the GPU driver’s own buffer) that the IOMMU allows,” the researchers said. “By corrupting the state of this trusted driver, the attack triggers a memory safety bug in the NVIDIA kernel driver to obtain arbitrary kernel write primitives, which are then used to generate a root shell.”
The GPUBreach disclosure coincides with two other concurrent efforts, GDDRHammer and GeForge, which also revolve around GPU page table corruption via GDDR6 RowHammer and facilitate privilege escalation on the GPU side. Similar to GPUBreach, both techniques can be used to obtain arbitrary read/write access to CPU memory.
What sets GPUBreach apart is that it also allows full escalation of CPU privileges, making it a more powerful attack. Specifically, GeForge requires IOMMU to be disabled to work, while GDDRHammer modifies the aperture field of GPU page table entries to allow unprivileged CUDA kernels to read and write all of the host CPU’s memory.
“One of the main differences is that GDDRHammer utilizes the final level page table (PT) and GeForge utilizes the final level page directory (PD0),” said the team behind the two GPU memory attacks. “However, both works can achieve the same goal of hijacking GPU page table translations to gain read/write access to GPU and host memory.”
One temporary mitigation to address these attacks is to enable ECC on the GPU. However, it is worth noting that RowHammer attacks such as ECCploit and ECC.fail have been found to overcome this countermeasure.
“However, if the attack pattern induces two or more bit flips (which has been shown to be viable on DDR4 and DDR5 systems), existing ECC cannot fix these and may even cause silent data corruption. Therefore, ECC is not a reliable mitigation against GPUBreach,” the researchers said. “For desktop or laptop GPUs where ECC is not currently available, there are no known mitigations to our knowledge.”
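The ECC caveat above can be seen in a small model. The following is an added example, not code from the researchers or from NVIDIA: it assumes a generic single-error-correct, double-error-detect (SECDED) extended Hamming code over a constructed 8-bit word, since the article does not specify the GPU's actual ECC scheme.

```python
# Added example (not from the cited research): SECDED = extended Hamming code.
# Assumption: the GPU's ECC behaves like a generic single-error-correct,
# double-error-detect code; the 8-bit word size is constructed for readability.

def encode(data):
    """Codeword as a bit list: index 0 = overall parity, 1..n = Hamming positions."""
    r = 0
    while (1 << r) < len(data) + r + 1:
        r += 1
    n = len(data) + r
    code, bits = [0] * (n + 1), iter(data)
    for pos in range(1, n + 1):
        if pos & (pos - 1):                 # not a power of two: data position
            code[pos] = next(bits)
    for i in range(r):                      # parity bit p covers positions with bit p set
        p = 1 << i
        code[p] = sum(code[pos] for pos in range(1, n + 1) if pos & p) % 2
    code[0] = sum(code) % 2                 # overall parity enables double-error detection
    return code

def flip(code, positions):
    """Model RowHammer bit flips at the given codeword positions."""
    out = list(code)
    for pos in positions:
        out[pos] ^= 1
    return out

def decode(code):
    """Return (status, data); status is 'ok', 'corrected' or 'uncorrectable'."""
    word, n, syndrome = list(code), len(code) - 1, 0
    for pos in range(1, n + 1):
        if word[pos]:
            syndrome ^= pos                 # XOR of set positions is 0 for a valid word
    odd = sum(word) % 2
    if syndrome == 0 and not odd:
        status = "ok"
    elif odd and syndrome <= n:             # looks like one flip: "fix" position syndrome
        word[syndrome] ^= 1
        status = "corrected"
    else:                                   # even flip count (or impossible position)
        status = "uncorrectable"
    return status, [word[p] for p in range(1, n + 1) if p & (p - 1)]

DATA = [1, 0, 1, 1, 0, 0, 1, 0]             # constructed 8-bit memory word
CODE = encode(DATA)
one = decode(flip(CODE, [6]))               # 1 flip: corrected, data intact
two = decode(flip(CODE, [3, 5]))            # 2 flips: detected, not fixable
three = decode(flip(CODE, [3, 5, 10]))      # 3 flips: reported corrected, data wrong
for name, (status, data) in (("1 flip", one), ("2 flips", two), ("3 flips", three)):
    print(f"{name}: status={status} data_intact={data == DATA}")
```

In this model the three-flip case is the dangerous one for monitoring: the decoder reports a successful correction while returning corrupted data, so a corrected-error counter alone would not reveal it.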
