"GPUBreach": System takeover with bit flips in Nvidia GPU
Rowhammer attacks on GPUs can not only destroy data, but also be misused for privilege escalation.
Rowhammer attacks were a novelty in 2015: targeted, frequent reads can flip bits in adjacent DRAM memory cells. This sounds unspectacular at first, but it can be misused for unauthorized access to memory areas and, on the main processor for example, to gain root privileges or break out of a sandbox. Since then, IT researchers have discovered such hardware-based attacks more and more frequently, and the problem is worse than initially assumed. Last year, IT researchers also demonstrated Rowhammer attacks on the now popular GPUs and called the technique GPUHammer. Now, IT security researchers show that GPUHammer attacks can not only destroy data, and thereby compromise machine learning by manipulating weights, but also achieve real privilege escalation.
On a dedicated website, they present their attack, called “GPUBreach”. In a brief summary, they explain that by corrupting the GPU page tables, CUDA kernels can read and write arbitrary GPU memory without further privileges. This, in turn, can be chained to the CPU side through newly discovered memory protection flaws in the Nvidia drivers. As a result, attackers gain a root shell, with which the system can be fully compromised. The IOMMU (Input-Output Memory Management Unit: CPU interface for address translation with simultaneous DMA access protection, e.g., for connecting PCIe devices) does not need to be deactivated for this, which makes the attack more dangerous.
Multiple problems through GPUBreach
The IT researchers state that they can demonstrate several attacks on an Nvidia RTX A6000 with GDDR6 RAM. These include GPU-side privilege escalation, which also affects scenarios with multiple processes and time-sharing. Reading secret keys, for example those for post-quantum cryptography with the Nvidia cuPQC library, is said to be possible. The scientists state that they can reduce an LLM's accuracy from 80 percent to 0 through memory manipulations. Privilege escalation on the host CPU is said to be possible via DMA, because these accesses go to GPU driver buffers. This can corrupt the driver state and exploit a flaw in the memory protection of the Nvidia kernel driver to gain write access to the kernel, which in turn can open a root shell.
Two further GPU Rowhammer attacks are also to be presented at the symposium. They are called GDDRHammer and GeForge. However, GDDRHammer does not enable privilege escalation to a root shell. GeForge can achieve this, but requires the IOMMU to be switched off, the IT researchers explain.
Real threat
The IT security researchers informed Nvidia as part of a responsible disclosure process and subsequently Google, AWS, and Microsoft. Nvidia responded by announcing a possible update to their security advisory for defending against Rowhammer attacks. Google has offered a reward of $600 for this. To put this in perspective, highly risky security vulnerabilities in Google Chrome are sometimes worth $43,000 to the company. Google therefore does not consider the danger posed by GPUBreach to be particularly high. The risk of such vulnerabilities is usually greatest in cloud environments, where users share computing resources with others. Unauthorized individuals can misuse the attacks there for malicious purposes and gain unauthorized access to third-party resources.
Activating ECC for memory helps as a protective measure. However, if attack patterns can flip more than two bits, which IT researchers say has been demonstrated for DDR4 and DDR5 systems, ECC no longer helps. ECC is typically not available on laptops and desktops anyway, so there is currently no protection on these systems.
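Why ECC stops helping beyond two flipped bits can be shown with a small decoder. The following is an added example, not code from the article or from the researchers. It assumes a SECDED code (single error correction, double error detection), the scheme commonly used for ECC memory, and uses a toy 8-bit extended Hamming code instead of a real memory word width.

```python
from itertools import combinations
from collections import Counter

DATA_POS = (3, 5, 6, 7)          # Hamming(7,4) data positions; 1, 2, 4 hold parity

def encode(nibble):
    """4 data bits -> 8-bit SECDED codeword (index 0 is the overall parity bit)."""
    cw = [0] * 8
    for i, pos in enumerate(DATA_POS):
        cw[pos] = (nibble >> i) & 1
    for p in (1, 2, 4):
        cw[p] = sum(cw[j] for j in range(1, 8) if j & p) % 2
    cw[0] = sum(cw[1:]) % 2
    return cw

def decode(cw):
    """Return (data, status) the way a SECDED decoder would report it."""
    cw = list(cw)
    syndrome = 0
    for j in range(1, 8):
        if cw[j]:
            syndrome ^= j
    odd = sum(cw) % 2
    if odd:                       # looks like a single-bit error: "fix" it
        cw[syndrome] ^= 1         # syndrome 0 points at the overall parity bit
        status = "corrected"
    elif syndrome:                # parity even, syndrome nonzero: double error
        status = "uncorrectable"
    else:
        status = "clean"
    data = sum(cw[pos] << i for i, pos in enumerate(DATA_POS))
    return data, status

def survey(nibble, nflips):
    """Classify every pattern of `nflips` flipped bits in the codeword."""
    results = Counter()
    for positions in combinations(range(8), nflips):
        cw = encode(nibble)       # constructed sample word, not real GPU data
        for pos in positions:
            cw[pos] ^= 1
        data, status = decode(cw)
        if status == "corrected" and data != nibble:
            status = "silent corruption"   # decoder reports success, data is wrong
        results[status] += 1
    return dict(results)

if __name__ == "__main__":
    for n in (1, 2, 3):
        print(n, "flipped bit(s):", survey(0b1011, n))
```

With three flips the decoder sees odd parity, treats the word as a single-bit error and reports a successful correction, so the corrupted data is handed on without any error being raised.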
Links to the comprehensive PDF and code examples currently lead nowhere. The IT research group intends to activate them once it has presented the GPUBreach attacks at the 47th IEEE Symposium on Security & Privacy in Oakland, starting April 13, 2026.
(dmk)