New Rowhammer Exploits Target Nvidia GPUs with Full System Compromise Potential

In a groundbreaking escalation of memory-based cyberattacks, three independent research teams have demonstrated how attackers can seize full control of host machines by exploiting vulnerabilities in high-performance Nvidia GPUs. The attacks—dubbed GDDRHammer, GeForge, and GPUBreach—leverage a decade-old technique called Rowhammer to flip critical bits in GPU memory, tricking systems into granting unauthorized root-level access. While Rowhammer has historically targeted CPU memory, these new exploits focus on GDDR memory used in Nvidia’s Ampere-generation GPUs, including the RTX 3060 and RTX 6000, potentially exposing cloud computing environments where these $8,000+ cards are shared among multiple users.

What Is Rowhammer? The Decade-Old Memory Attack Reshaping GPU Security

Rowhammer is a class of hardware vulnerability that exploits the physical properties of DRAM (dynamic random-access memory). First documented by researchers in 2014, the attack works by rapidly accessing (or "hammering") specific rows of memory, causing electrical interference that flips bits from 0 to 1 or vice versa. This phenomenon, known as a bit flip, can corrupt critical data structures like page tables—essentially the roadmaps that operating systems use to locate and access memory. When attackers manipulate these structures, they can redirect memory access to unauthorized locations, bypassing security boundaries and escalating privileges from a standard user to system administrator (root).

From DDR3 to GDDR: How Rowhammer Evolved Across Memory Types

Initially confined to DDR3 memory, Rowhammer attacks have since expanded to target DDR4, LPDDR4, and even error-correcting code (ECC) protected systems. In 2023, researchers achieved the first successful Rowhammer exploitation of GDDR memory—the high-speed memory used in GPUs—though their initial results were limited. That breakthrough revealed eight bitflips on an Nvidia GPU, a modest impact compared to CPU-focused attacks. However, the latest trio of exploits marks a seismic shift, demonstrating that GDDR-based Rowhammer can achieve catastrophic outcomes.

The Three Attacks: How GDDRHammer, GeForge, and GPUBreach Work

The three attacks, revealed over the span of a week in April 2024, employ distinct but related techniques to compromise Nvidia GPUs. Each exploits the same fundamental vulnerability: the susceptibility of GDDR memory to bit flips when subjected to carefully crafted memory access patterns. The end goal for all three is identical—manipulating GPU page tables to gain read/write access to CPU memory, ultimately seizing full control of the host system.

GDDRHammer: Memory Massaging and Page Table Sabotage

GDDRHammer, published by a team including Andrew Kwong of the University of Michigan, focuses on the RTX 6000 GPU. The researchers developed a technique called "memory massaging" to bypass a key security feature in Nvidia’s GPU driver: reserved regions of memory where page tables are stored to prevent Rowhammer interference. By inducing bit flips in adjacent memory rows, the team steered page tables into vulnerable regions, then flipped bits within those tables to corrupt their mappings.

Our work shows that Rowhammer, which is well-studied on CPUs, is a serious threat on GPUs as well. With our work, we… show how an attacker can induce bit flips on the GPU to gain arbitrary read/write access to all of the CPU’s memory, resulting in complete compromise of the machine.

The attack achieved an average of 129 bitflips per memory bank—a 64-fold increase over the 2023 GPUHammer demonstration. More critically, GDDRHammer demonstrated the ability to break the isolation between GPU and CPU memory, allowing attackers to read and write to host system memory. The exploit works only when the IOMMU (input-output memory management unit) is disabled—a default setting in most BIOS configurations.

GeForge: Forging GPU Page Tables to Escalate Privileges

The GeForge attack, detailed in a separate paper, targets both the RTX 3060 and RTX 6000 GPUs. Unlike GDDRHammer, which manipulates the last-level page table, GeForge focuses on the last-level page directory within GDDR6 memory. The team, led by Zhenkai Zhang, developed a sophisticated memory massaging routine to isolate and corrupt specific page directory entries. This corruption allows the attacker to forge page tables, redirecting memory access across the system.

By manipulating GPU address translation, we launch attacks that breach confidentiality and integrity across GPU contexts. More significantly, we forge system aperture mappings in corrupted GPU page tables to access host physical memory, enabling user-to-root escalation on Linux.

In a proof-of-concept demonstration, the GeForge exploit culminated in opening a root shell on the host machine, granting the attacker unfettered command execution. The team noted that both the RTX 3060 and RTX 6000 are vulnerable, and like GDDRHammer, the attack is neutralized by enabling IOMMU.

GPUBreach: Bypassing IOMMU with Driver Exploits

The third attack, GPUBreach, takes a different approach by exploiting memory-safety vulnerabilities in Nvidia’s GPU driver itself. Even when IOMMU is enabled—a configuration that typically restricts GPU access to sensitive memory regions—GPUBreach corrupts metadata within permitted buffers. This corruption triggers out-of-bounds writes in the driver, which runs at kernel privilege on the CPU. The result: attackers can execute arbitrary code with root permissions, completely bypassing IOMMU protections.

By corrupting metadata within those permitted buffers, causing the driver (running at kernel privilege on the CPU) to perform out-of-bounds writes that the attacker controls—bypassing IOMMU protection without needing it disabled.

The GPUBreach researchers emphasized that their technique does not require disabling IOMMU, making it potentially more dangerous in default settings. This exploit also relies on memory massaging and targets the RTX A6000 GPU, demonstrating that Rowhammer-based attacks can be effective even in environments with robust security configurations.

Why These Attacks Matter: The Cloud, Security, and the Future of GPU Security

The implications of these exploits extend far beyond individual workstations. High-performance Nvidia GPUs, particularly the RTX 3060 and RTX 6000, are staples in cloud computing environments where they power everything from AI training to graphics rendering. Cloud providers often share these expensive cards among multiple users, creating a shared-resource model ripe for exploitation. If an attacker gains control of a GPU in such an environment, they could potentially access the memory of other users on the same machine—a scenario reminiscent of the Spectre and Meltdown vulnerabilities that rocked the industry in 2018.

The Role of IOMMU and ECC in Mitigating Risks

The IOMMU is a hardware component that maps device-visible virtual addresses to physical addresses in host memory, effectively creating a barrier between device and system memory. While disabling IOMMU by default improves compatibility and performance, it leaves systems vulnerable to GPU-based Rowhammer attacks. Enabling IOMMU closes this gap by restricting GPU memory access, but it comes with a performance overhead due to increased address translation latency.

Error Correcting Codes (ECC) offer another layer of defense by detecting and correcting bit flips in memory. Nvidia supports ECC on supported GPUs, though enabling it reduces the available memory capacity and introduces a minor performance penalty. However, recent research has shown that some Rowhammer attacks can bypass ECC protections, particularly when attackers target specific bit patterns or use advanced hammering techniques. Neither IOMMU nor ECC is a silver bullet, underscoring the need for holistic security strategies.

Key Takeaways: What Users and Organizations Need to Know

• Three novel Rowhammer attacks—GDDRHammer, GeForge, and GPUBreach—demonstrate that Nvidia’s Ampere-generation GPUs (RTX 3060, RTX 6000, and RTX A6000) are vulnerable to full system compromise through GPU memory exploitation.
• The attacks exploit GDDR memory, a high-speed memory type used in GPUs, to flip bits in page tables, allowing attackers to read and write to CPU memory, escalate privileges, and gain root access.
• Default security settings (disabled IOMMU) make systems highly susceptible, while enabling IOMMU or ECC can mitigate—but not eliminate—risks.
• Cloud environments, where GPUs are shared among multiple users, face heightened exposure to these attacks, though no known real-world exploits have been documented.
• Security researchers emphasize that GPU-focused Rowhammer attacks represent a new frontier in hardware vulnerabilities, requiring coordinated responses from hardware manufacturers, OS developers, and cloud providers.

Nvidia’s Response and the State of GPU Security

Nvidia has acknowledged the vulnerabilities in a statement published in July 2023 in response to the earlier GPUHammer attack. The company directs users to its security guidance page for information on mitigating risks, though it has not publicly detailed specific fixes or patches. In an emailed statement, an Nvidia representative declined to elaborate on the company’s plans, instead directing users to existing documentation.

The broader GPU security landscape remains under scrutiny. While Nvidia dominates the high-performance GPU market, competitors like AMD and Intel also use GDDR memory in their products. There is no public evidence that these companies’ GPUs are vulnerable to the same exploits, but the lack of transparency and the rapid pace of academic research make it difficult to rule out similar vulnerabilities. Historically, hardware vulnerabilities often take years to surface, only to be exploited widely once discovered.

The Broader Context: Why GPU Security Is a Growing Concern

The rise of GPU-based attacks reflects broader trends in cybersecurity: the increasing complexity of hardware, the proliferation of shared computing resources, and the expanding attack surface in cloud environments. GPUs are no longer just graphics processors; they are the engines powering artificial intelligence, scientific computing, and cryptocurrency mining. As their role grows, so too does their attractiveness as targets for cybercriminals and nation-state actors.

The Rowhammer technique, once a niche academic curiosity, has evolved into a potent weapon capable of undermining even the most robust security architectures. The latest GPU exploits demonstrate that hardware vulnerabilities are not confined to CPUs or memory modules—they can lurk in specialized components like GPUs, waiting to be discovered and weaponized.

What’s Next? Mitigation, Research, and the Future of Secure Hardware

For now, users and organizations can take several steps to reduce risk. Enabling IOMMU in BIOS settings is the most effective mitigation, though it may impact performance. Enabling ECC on supported GPUs adds another layer of protection, though it is not foolproof. Regularly updating GPU drivers and operating systems to the latest versions can also help address known vulnerabilities.

Hardware manufacturers, including Nvidia, are likely to respond with firmware updates, driver patches, or architectural changes to mitigate Rowhammer risks. However, the history of hardware vulnerabilities suggests that such measures may only slow attackers rather than stop them entirely. The research community must continue probing GPU memory for weaknesses, while cloud providers and enterprises should reassess their shared-resource models in light of these findings.

Conclusion: A Wake-Up Call for GPU Security

The discovery of GDDRHammer, GeForge, and GPUBreach marks a turning point in the evolution of hardware-based attacks. These exploits prove that Rowhammer is not just a CPU problem—it is a systemic vulnerability that spans the entire computing ecosystem. For Nvidia, cloud providers, and security researchers alike, the message is clear: the age of treating GPUs as black boxes immune to memory-based attacks is over. The path forward requires collaboration, transparency, and a commitment to building hardware that is secure by design—not just by default.

Frequently Asked Questions