GPUBreach GDDR6 RowHammer Enables GPU to CPU Privilege Escalation on NVIDIA
Researchers at the University of Toronto disclosed a new and worrying attack against modern GPUs. They call it GPUBreach. The method uses RowHammer on GDDR6 memory to flip bits in GPU page tables. The result can be more than corrupted data. It can enable [full system compromise](/blog/threat-vs-vulnerability-vs-risk-vs-exploit/).
How the attack works
RowHammer is a fault where repeated reads to one DRAM row cause electrical interference in nearby rows. That interference can flip bits. This problem is well-known in system DRAM. The University of Toronto team showed it applies to GPU GDDR6 memory as well. They built on prior work called GPUHammer to make the attack practical against high-performance cards.
The exploit chain is straightforward in concept. An unprivileged CUDA kernel performs targeted hammering to produce bit flips in GPU page table entries. Those corruptions can change how the GPU translates addresses. That lets the attacker gain arbitrary GPU memory read and write access.
Gururaj Saileshwar, Assistant Professor at the University of Toronto and one of the study authors, explained the critical step. “By corrupting GPU page tables via GDDR6 bit-flips, an unprivileged process can gain arbitrary GPU memory read/write, and then chain that into full CPU privilege escalation by exploiting memory-safety bugs in the NVIDIA driver,” he said.
Why IOMMU does not stop this
IOMMU is supposed to prevent device-driven attacks by restricting DMA to permitted regions. The paper shows that IOMMU alone is not sufficient. The researchers wrote that the compromised GPU issues DMA into CPU memory regions that the IOMMU allows. Those are typically the GPU driver’s own buffers. Corrupting trusted driver state in those buffers can trigger memory-safety bugs in the kernel driver. That leads to arbitrary kernel writes and a root shell without disabling IOMMU.
Saileshwar noted, “GPUBreach shows it is not enough: by corrupting trusted driver state within IOMMU-permitted buffers, we trigger kernel-level out-of-bounds writes bypassing IOMMU protections entirely.” He added that the finding has serious implications for cloud AI infrastructure, multi-tenant GPU deployments, and HPC environments.
Other related work and differences
The disclosure coincides with two other projects called GDDRHammer and GeForge. Those works also manipulate GPU page tables via GDDR6 RowHammer. All three achieve arbitrary read and write access to GPU and host memory in some configurations.
The teams said that GDDRHammer and GeForge target different page-table structures. “One main difference is that GDDRHammer exploits the last level page table and GeForge exploits the last level page directory, however both works are able to achieve the same goal of hijacking the GPU page table translation,” the researchers wrote. GPUBreach stands apart because it demonstrates a practical path to full CPU privilege escalation with IOMMU left enabled.
Scope, examples, and impact
The University of Toronto team demonstrated the technique on an NVIDIA RTX A6000 with GDDR6. That GPU is common in AI model training. The researchers warned attackers could use the technique to leak cryptographic keys, corrupt ML models to reduce accuracy, or gain root on hosts used for cloud AI.
Earlier GPUHammer research had shown model accuracy could drop by up to 80 percent when bits were flipped. GPUBreach shows an even higher risk because it can convert a GPU memory attack into a host takeover.
Mitigations and limits
Manufacturers use error-correcting code (ECC) memory and other mitigations to reduce RowHammer impact. The researchers said ECC can correct single-bit errors and detect some double-bit errors. But they warned that multi-bit flips can bypass ECC. They cited prior RowHammer work that defeated ECC in DDR systems and said ECC is not a foolproof countermeasure for GPUBreach.
For consumer GPUs that lack ECC, the paper notes there are no known mitigations at the time of disclosure. The researchers reported their findings to NVIDIA, Google, AWS, and Microsoft on November 11, 2025. Google acknowledged the report and awarded a bug bounty. NVIDIA told the community it may update its July 2025 security notice and recommends enterprise customers enable System Level ECC where available.
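A fleet check for the ECC recommendation above, as an added example that is not code from the researchers or NVIDIA. It assumes the ECC mode reported by `nvidia-smi` is the setting in question; the sample output is constructed, and the issue labels and the corrected-error threshold are hypothetical.

```python
import csv
import io

# Real nvidia-smi query fields, in the order passed to:
#   nvidia-smi --query-gpu=<comma-joined FIELDS> --format=csv,noheader
FIELDS = ["index", "name", "ecc.mode.current", "ecc.mode.pending",
          "ecc.errors.corrected.volatile.total",
          "ecc.errors.uncorrected.volatile.total"]

# Constructed sample output for illustration, not captured from a real host.
SAMPLE = """\
0, NVIDIA RTX A6000, Enabled, Enabled, 0, 0
1, NVIDIA RTX A6000, Disabled, Enabled, [N/A], [N/A]
2, NVIDIA RTX A6000, Enabled, Enabled, 37, 2
3, NVIDIA GeForce RTX 3080, [N/A], [N/A], [N/A], [N/A]
"""

CORRECTED_THRESHOLD = 10  # assumed triage threshold; tune per fleet baseline


def _count(value):
    """Counters read '[N/A]' when ECC is off or unsupported; treat as 0."""
    return int(value) if value.isdigit() else 0


def audit(text):
    """Return {gpu_index: [issue, ...]} for each GPU row in the CSV text."""
    findings = {}
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if len(row) != len(FIELDS):
            continue  # skip blank or malformed lines
        gpu = dict(zip(FIELDS, (cell.strip() for cell in row)))
        issues = []
        if gpu["ecc.mode.current"] == "[N/A]":
            issues.append("ecc-unsupported")
        elif gpu["ecc.mode.current"] != "Enabled":
            issues.append("ecc-disabled")
            if gpu["ecc.mode.pending"] == "Enabled":
                issues.append("ecc-pending-reboot")  # takes effect after reboot
        if _count(gpu["ecc.errors.uncorrected.volatile.total"]) > 0:
            issues.append("uncorrected-errors")
        if _count(gpu["ecc.errors.corrected.volatile.total"]) > CORRECTED_THRESHOLD:
            issues.append("corrected-errors")
        findings[int(gpu["index"])] = issues
    return findings


if __name__ == "__main__":
    for index, issues in audit(SAMPLE).items():
        print(index, ", ".join(issues) or "ok")
```

Nonzero counters are a prompt to investigate rather than proof of hammering, and a clean result does not rule out the multi-bit flips that the researchers say can bypass ECC.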
What to watch for next
The team will publish full technical details and code at the IEEE Symposium on Security and Privacy on April 13. Organizations that run shared GPU infrastructure should assume GPU RowHammer can do more than corrupt results. It can be a route into the host. The University of Toronto researchers stressed that layered defenses and vendor patches will be needed to reduce risk.