Breaking: NVIDIA GPU Rowhammer Exploits Achieve Complete Host Compromise
Two independent research teams have demonstrated that Rowhammer attacks on NVIDIA Ampere GPUs can give attackers full control of host CPU memory, leading to total system compromise. The attacks, detailed in separate papers released Thursday, exploit bitflips in GDDR6 memory to bypass GPU isolation and gain arbitrary read/write access to the entire machine.
“Our work shows that Rowhammer, which is well-studied on CPUs, is a serious threat on GPUs as well,” said Andrew Kwong, co-author of the GDDRHammer paper. “With our work, we show how an attacker can induce bit flips on the GPU to gain arbitrary read/write access to all of the CPU’s memory, resulting in complete compromise of the machine.”
A third attack, disclosed Friday, goes further: researchers achieved privilege escalation to a root shell on an RTX A6000—even with IOMMU protection enabled. “This represents a significant escalation,” the researchers noted in their advisory.
Background: What Is Rowhammer and Why GPUs Are Now a Target
Rowhammer is a hardware vulnerability in DRAM where repeated row activations cause bitflips in adjacent rows. Originally demonstrated on CPUs, it has now been proven on GPU GDDR memory. The attacks—GDDRHammer and GeForge—use novel hammering patterns and memory massaging to corrupt GPU page tables.
In the initial variants, the attacks require the IOMMU (Input-Output Memory Management Unit) to be disabled—which is the default in BIOS settings. However, the Friday update shows a third attack that works even with IOMMU enabled, making mitigation more challenging.
Attack Details: From GPU Bitflips to Root Shell
The first paper, GDDRHammer: Greatly Disturbing DRAM Rows – Cross-Component Rowhammer Attacks from Modern GPUs, attacks the last-level page table on RTX 3060 and RTX 6000 cards. Researchers induced bitflips that allowed them to read and write all CPU memory, fully compromising the host.
The second paper, GeForge: Hammering GDDR Memory to Forge GPU Page Tables for Fun and Profit, takes a similar approach but targets the last-level page directory instead. In testing, GeForge induced 1,171 bitflips on the RTX 3060 and 202 bitflips on the RTX 6000. Both attacks culminate in opening a root shell on the host machine, executing commands with unfettered privileges.
The third attack, disclosed Friday on the RTX A6000, achieves the same root shell without relying on a disabled IOMMU. “This shows that even hardware virtualization protections can be bypassed,” the researchers warned.
What This Means: Immediate Security Implications
These attacks present a paradigm shift for GPU security. Previously, GPUs were considered isolated components; now they are a direct vector for host compromise. Data centers, cloud gaming platforms, and systems with NVIDIA Ampere GPUs (RTX 30 series and A6000) are at risk if attackers can run code on the GPU—for instance, via malicious workloads or browser-based WebGPU.
Mitigations will require firmware updates, stricter IOMMU defaults, and potentially hardware changes in future DRAM designs. NVIDIA has not yet commented, but affected users should monitor for patches. In the meantime, enabling IOMMU (even if not a complete fix) and limiting GPU access for untrusted code are prudent steps.
The research underscores that Rowhammer is no longer a CPU-only threat. As GPUs become more general-purpose, their memory vulnerabilities must be treated with equal gravity.