A groundbreaking security vulnerability has been uncovered by researchers at the University of Toronto, revealing a novel Rowhammer attack targeting GPUs. This newly identified threat, named GPUBreach, represents a significant escalation in the potential impact of Rowhammer attacks.
Understanding the Rowhammer Technique
Rowhammer is a hardware vulnerability that has been known for over ten years. It exploits the electrical interference generated by repeatedly accessing specific rows of DRAM memory cells, which can lead to bit flips in adjacent memory regions. Traditionally, these attacks have been focused on CPUs and CPU-based memory.
Over the years, Rowhammer has been proven to facilitate unauthorized access, data corruption, and breaches in memory isolation in virtualized environments, posing significant risks to data security.
Expanding Rowhammer to GPUs
With the growing importance of GPUs in AI and machine learning, researchers last year demonstrated a Rowhammer-style attack on Nvidia GPU memory. This attack, termed GPUHammer, was shown to degrade the accuracy of deep neural network models significantly, including those used for visual object recognition.
Building on this, the research team has now demonstrated that GPU Rowhammer attacks can achieve much more, leading to substantial security implications.
The Implications of GPUBreach
GPUBreach allows attackers to induce bit flips in GDDR6 memory, corrupting GPU page tables and thus enabling arbitrary memory access. This can be further exploited by leveraging newly identified memory-safety bugs in Nvidia drivers, allowing for privilege escalation on the CPU side and potentially achieving root shell privileges.
This attack presents a serious threat to cloud environments, where multiple users may share a single physical GPU. Alarmingly, executing such an attack does not require physical access to the hardware, only code execution privileges on the GPU.
The research findings were communicated to Nvidia in November 2025, with the company considering updates to its Rowhammer security advisories. Major cloud providers like Microsoft, AWS, and Google have also been alerted, with Google awarding a $600 bounty for the discovery.
Mitigation and Future Outlook
The researchers suggest that Error-Correcting Code (ECC) memory could offer some mitigation, as it can address single-bit flips and detect double-bit flips. However, they caution that ECC is not foolproof, especially if attack patterns induce multiple bit flips, which ECC cannot correct and may even lead to silent data corruption.
This discovery underscores the critical need for enhanced security measures in GPU hardware and cloud environments, as the potential for remote exploitation without physical access increases the risk profile significantly.
