High-performance GPUs, often priced at $8,000 or more, are commonly shared among multiple users in cloud environments—making them attractive targets for attackers. Researchers have now uncovered three new attack techniques that allow a malicious user to gain full root access to a host system by exploiting advanced Rowhammer vulnerabilities in Nvidia GPUs.

These attacks take advantage of a growing weakness in memory hardware known as bit flipping, where stored binary values (0s and 1s) unintentionally switch. First identified in 2014, Rowhammer showed that repeatedly accessing DRAM could create electrical interference, causing such bit flips. By 2015, researchers demonstrated that targeting specific memory rows could escalate privileges or bypass security protections. Earlier exploits focused primarily on DDR3 memory.

Over the past decade, Rowhammer techniques have significantly advanced. Researchers have expanded attacks to newer DRAM types like DDR4, including those with protections such as ECC (Error Correcting Code) and Target Row Refresh. New strategies like Rowhammer feng shui and RowPress allow attackers to precisely target sensitive memory areas. These methods have enabled attacks across networks, extraction of encryption keys, and even compromising Android devices.

Only recently have researchers begun targeting GDDR memory used in GPUs. Initial results were limited, producing minimal bit flips and only affecting neural network outputs. However, new findings mark a major escalation.

Two independent research teams recently demonstrated attacks on Nvidia’s Ampere-generation GPUs that can trigger GDDR memory bit flips capable of compromising CPU memory. This effectively gives attackers complete control over the host machine—provided IOMMU (input-output memory management unit) is disabled, which is typically the default BIOS setting.

“Our work shows that Rowhammer, which is well-studied on CPUs, is a serious threat on GPUs as well,” said Andrew Kwong, co-author of one of the studies. “GDDRHammer: Greatly Disturbing DRAM Rows—Cross-Component Rowhammer Attacks from Modern GPUs.” “With our work, we… show how an attacker can induce bit flips on the GPU to gain arbitrary read/write access to all of the CPU’s memory, resulting in complete compromise of the machine.”

A third technique, revealed shortly after, further intensifies concerns. Unlike earlier methods, this attack—called GPUBreach—works even when IOMMU protections are enabled.

“By corrupting GPU page tables, an unprivileged CUDA kernel can gain arbitrary GPU memory read/write, and then chain that capability into CPU-side escalation by exploiting newly discovered memory-safety bugs in the NVIDIA driver,” the researchers explained. “The result is system-wide compromise up to a root shell, without disabling IOMMU, unlike contemporary works, making GPUBreach a more potent threat.”

The first method, GDDRHammer, targets Nvidia RTX 6000 GPUs from the Ampere architecture. Using advanced hammering patterns and a technique called memory massaging, it significantly increases the number of bit flips and breaks memory isolation. This allows attackers to gain read and write access to GPU memory and, ultimately, CPU memory.

Kwong emphasized the broader implications:

“What our work does that separates us from prior attacks is that we uncover that Rowhammer on GPU memory is just as severe of a security consequence as Rowhammer on the CPU and that Rowhammer mitigations on CPU memory are insufficient when they do not also consider the threat from Rowhammering GPU memory.

A large body of work exists, both theoretical and widely deployed, on both software and hardware level mitigations against Rowhammer on the CPU. However, we show that an attacker can bypass all of these protections by instead Rowhammering the GPU and using that to compromise the CPU. Thus, going forward, Rowhammer solutions need to take into consideration both the CPU and the GPU memory.”

The second attack, GeForge, operates similarly but targets a different memory structure—the page directory instead of the page table. It successfully triggered over a thousand bit flips on RTX 3060 GPUs, enabling attackers to gain unrestricted system access and execute commands with root privileges.

“By manipulating GPU address translation, we launch attacks that breach confidentiality and integrity across GPU contexts,” the GeForge researchers noted. “More significantly, we forge system aperture mappings in corrupted GPU page tables to access host physical memory, enabling user-to-root escalation on Linux. To our knowledge, this is the first GPUside Rowhammer exploit that achieves host privilege escalation.”

GPUBreach takes a distinct route by exploiting memory-safety flaws in Nvidia’s GPU driver. Even when memory access is restricted by IOMMU, the attack manipulates metadata to trigger unauthorized memory writes, ultimately granting full system control.

All three attacks rely on “memory massaging,” a method used to reposition sensitive data structures into vulnerable memory regions. Normally, GPU page tables are stored in protected areas, but attackers use this technique to relocate them where Rowhammer-induced bit flips can occur.

“Since these page tables dictate what memory is accessible, the attacker can modify the page table entry to give himself arbitrary access to all of the GPU’s memory,” Kwong explained. “Moreover, we found that an attacker can modify the page table on the GPU to point to memory on the CPU, thereby giving the attacker the ability to read/write all of the CPU’s memory as well, which of course completely compromises the machine.”

Researchers confirmed that Nvidia RTX 3060 and RTX 6000 GPUs from the Ampere generation are vulnerable. Enabling IOMMU in BIOS can mitigate some attacks by restricting GPU access to sensitive memory, though it may reduce performance. However, this protection does not stop GPUBreach.

Another safeguard is enabling ECC on GPUs, which helps detect and correct memory errors, though it also impacts performance and may not fully prevent all Rowhammer exploits.

Despite these findings, there have been no confirmed real-world attacks exploiting these vulnerabilities so far. Still, the research highlights serious risks, especially in shared cloud environments, and signals the need for stronger, GPU-inclusive security defenses.