New tutorial analysis has recognized a number of RowHammer assaults in opposition to high-performance graphics processing models (GPUs) that might be exploited to escalate privileges and, in some instances, even take full management of a host.
The efforts have been codenamed GPUBreach, GDDRHammer, and GeForge.
GPUBreach goes a step additional than GPUHammer, demonstrating for the primary time that RowHammer bit-flips in GPU reminiscence can induce way more than knowledge corruption and allow privilege escalation, and result in a full system compromise.
“By corrupting GPU web page tables through GDDR6 bit-flips, an unprivileged course of can acquire arbitrary GPU reminiscence learn/write, after which chain that into full CPU privilege escalation — spawning a root shell — by exploiting memory-safety bugs within the NVIDIA driver,” Gururaj Saileshwar, one of many authors of the examine and Assistant Professor on the College of Toronto, mentioned in a submit on LinkedIn.
What makes GPUBreach notable is that it really works even with out having to disable the enter–output reminiscence administration unit (IOMMU), a vital {hardware} part that ensures reminiscence security by stopping Direct Reminiscence Entry (DMA) assaults and isolating every peripheral to its personal reminiscence area.
“GPUBreach exhibits it isn’t sufficient: by corrupting trusted driver state inside IOMMU-permitted buffers, we set off kernel-level out-of-bounds writes — bypassing IOMMU protections solely with no need it disabled,” Saileshwar added. “This has critical implications for cloud AI infrastructure, multi-tenant GPU deployments, and HPC environments.”
RowHammer is a long-standing Dynamic Random-Entry Reminiscence (DRAM) reliability error the place repeated accesses (i.e., hammering) to a reminiscence row could cause electrical interference that flips bits (altering 0 to 1m or vice versa) in adjoining rows. This undermines isolation ensures basic to trendy working techniques and sandboxes.
DRAM producers have carried out hardware-level mitigations, comparable to Error-Correcting Code (ECC) and Goal Row Refresh (TRR), to counter this line of assault.
Nonetheless, analysis printed in July 2025 by researchers on the College of Toronto expanded the menace to GPUs. GPUHammer, because it’s known as, is the primary sensible RowHammer assault focusing on NVIDIA GPUs utilizing GDDR6 reminiscence. It employs methods like multi-threaded parallel hammering to beat architectural challenges inherent to GPUs that beforehand made them proof against bit flips.
The consequence of a profitable GPUHammer exploit is a drop in machine studying (ML) mannequin accuracy, which may degrade by as much as 80% when operating on a GPU.
GPUBreach extends this method to deprave GPU web page tables with RowHammer and obtain privilege escalation, leading to arbitrary learn/write on GPU reminiscence. Extra consequentially, the assault has been discovered to leak secret cryptographic keys from NVIDIA cuPQC, stage mannequin accuracy degradation assaults, and procure CPU privilege escalation with IOMMU enabled.
“The compromised GPU points DMA (utilizing the aperture bits in PTEs) right into a area of CPU reminiscence that the IOMMU permits (the GPU driver’s personal buffers),” the researchers mentioned. “By corrupting this trusted driver state, the assault triggers memory-safety bugs within the NVIDIA kernel driver and positive aspects an arbitrary kernel write primitive, which is then used to spawn a root shell.”
This disclosure of GPUBreach coincides with two different concurrent works – GDDRHammer and GeForge – that additionally revolve round GPU page-table corruption through GDDR6 RowHammer and facilitate GPU-side privilege escalation. Simply like GPUBreach, each methods can be utilized to achieve arbitrary learn/write entry to CPU Reminiscence.
The place GPUBreach stands aside is that it additionally permits full CPU privilege escalation, making it a stronger assault. GeForge, specifically, requires IOMMU to be disabled for it to work, whereas GDDRHammer modifies the GPU web page desk entry’s aperture discipline to permit the unprivileged CUDA kernel to learn and write the entire host CPU’s reminiscence.
“One most important distinction is that GDDRHammer exploits the final degree web page desk (PT) and GeForge exploits the final degree web page listing (PD0),” the groups behind the 2 GPU reminiscence exploits mentioned. “Nonetheless, each works are in a position to realize the identical objective of hijacking the GPU web page desk translation to achieve learn/write entry to the GPU and host reminiscence.”
One momentary mitigation to sort out these assaults is to allow ECC on the GPU. That mentioned, it bears noting that RowHammer assaults like ECCploit and ECC.fail have been discovered to beat this countermeasure.
“Nonetheless, if assault patterns induce greater than two bit flips (proven possible on DDR4 and DDR5 techniques), present ECC can not right these and should even trigger silent knowledge corruption; so ECC is just not a foolproof mitigation in opposition to GPUBreach,” the researchers mentioned. “On desktop or laptop computer GPUs, the place ECC is at the moment unavailable, there aren’t any identified mitigations to our data.”
