
Researchers have demonstrated a new class of GPU-based Rowhammer attack, dubbed GPUBreach, that goes beyond data corruption and achieves full system compromise, including root-level access.
GPUBreach shows that modern GPUs can be leveraged as a stepping stone for CPU privilege escalation even when standard protections like IOMMU are enabled.
The work was carried out by researchers at the University of Toronto and is scheduled to be presented at the 47th IEEE Symposium on Security & Privacy (Oakland 2026). The team disclosed their findings to NVIDIA on November 11, 2025, and later informed major cloud providers, including Google, AWS, and Microsoft. Google acknowledged the severity of the issue by awarding a bug bounty, while NVIDIA indicated it may update its existing Rowhammer advisory to reflect these findings.
How GPUBreach works
GPUBreach exploits Rowhammer-induced bit flips in GDDR6 memory to corrupt GPU page tables. While earlier work, such as GPUHammer, demonstrated that such bit flips could degrade machine learning model accuracy, this research shows that carefully targeted corruption of page table entries (PTEs) can yield arbitrary read and write access across GPU memory. This enables attackers to manipulate memory across processes and ultimately gain control over GPU execution contexts.
The researchers overcame several technical barriers to make the attack reliable. By reverse-engineering NVIDIA’s driver behavior, they identified how GPU page tables are allocated in contiguous 2-MB regions. They then developed allocation strategies using Unified Virtual Memory (UVM) to densely populate these regions and used a timing side-channel to precisely position page tables near vulnerable memory rows. Once a single bit flip alters a page table entry, attackers can redirect memory mappings and seize control of their own page tables.
The study evaluated the attack against the NVIDIA RTX A6000 GPU, a high-end workstation-class device widely used in AI and compute-heavy workloads.
Beyond GPU-level compromise, GPUBreach introduces a critical escalation path to the CPU. By abusing GPU DMA capabilities, specifically through manipulated PTE “aperture bits,” the compromised GPU can write to CPU memory regions explicitly allowed by the IOMMU, such as driver-managed buffers. The attack then targets memory-safety vulnerabilities in the NVIDIA kernel driver, triggering out-of-bounds writes and ultimately achieving an arbitrary kernel write primitive. This chain allows attackers to spawn a root shell on the host system without disabling IOMMU, a protection widely recommended and deployed to mitigate DMA attacks.
The researchers demonstrated several real-world impacts of their technique. These include extracting secret keys from NVIDIA’s cuPQC post-quantum cryptography library when keys reside in GPU memory, stealthily degrading machine learning model accuracy by modifying low-level cuBLAS instructions, and leaking sensitive large language model (LLM) weights. Notably, the attack enables cross-process data access in shared GPU environments, raising concerns for multi-tenant cloud deployments.
Mitigating this class of attacks remains challenging. Enabling ECC (Error-Correcting Code) memory on supported GPUs can help detect or correct some bit flips, and NVIDIA recommends doing so on server-grade hardware like the RTX A6000. However, ECC is not foolproof, particularly against multi-bit flips, and is unavailable on most consumer GPUs. Currently, no comprehensive mitigations exist for desktop and laptop systems.
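As an added example (not from the researchers or NVIDIA), the following script audits the ECC state that the mitigation above depends on by parsing `nvidia-smi --query-gpu` CSV output. The query field names are real nvidia-smi fields; the sample rows are constructed, and the severity labels and the treatment of bracketed values such as `[N/A]` as "ECC not supported" are assumptions of this example.

```python
import csv, io, shutil, subprocess

# Real nvidia-smi query fields (listed by `nvidia-smi --help-query-gpu`).
FIELDS = ["index", "name", "ecc.mode.current", "ecc.mode.pending",
          "ecc.errors.corrected.volatile.total",
          "ecc.errors.uncorrected.volatile.total"]

def audit_ecc(csv_text):
    """Return (gpu_index, severity, message) findings; severities are assumed labels."""
    findings = []
    for row in csv.reader(io.StringIO(csv_text), skipinitialspace=True):
        if len(row) != len(FIELDS):
            continue  # skip blank or malformed lines
        idx, name, cur, pend, corr, uncorr = (c.strip() for c in row)
        if cur.startswith("["):  # e.g. "[N/A]": GPU has no ECC support
            findings.append((idx, "WARN", f"{name}: ECC not supported"))
            continue
        if cur != "Enabled":
            msg = f"{name}: ECC disabled"
            if pend == "Enabled":
                msg += " (takes effect after next GPU reset/reboot)"
            findings.append((idx, "FAIL", msg))
            continue
        if pend != "Enabled":
            findings.append((idx, "FAIL", f"{name}: ECC will be off after reset"))
        # Bit flips that ECC caught since the last driver load show up here.
        if uncorr.isdigit() and int(uncorr) > 0:
            findings.append((idx, "ALERT", f"{name}: {uncorr} uncorrected ECC errors"))
        if corr.isdigit() and int(corr) > 0:
            findings.append((idx, "INFO", f"{name}: {corr} corrected ECC errors"))
    return findings

# Constructed sample in `--format=csv,noheader,nounits` layout (not real output).
SAMPLE = """\
0, NVIDIA RTX A6000, Enabled, Enabled, 0, 0
1, NVIDIA RTX A6000, Disabled, Enabled, [N/A], [N/A]
2, NVIDIA RTX A6000, Enabled, Enabled, 37, 2
3, NVIDIA GeForce RTX 3080, [N/A], [N/A], [N/A], [N/A]
"""

def query_live():
    cmd = ["nvidia-smi", "--query-gpu=" + ",".join(FIELDS),
           "--format=csv,noheader,nounits"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    # Use the live driver when present, otherwise the constructed sample.
    text = query_live() if shutil.which("nvidia-smi") else SAMPLE
    for finding in audit_ecc(text):
        print(*finding)
```

On hosts where ECC is reported as disabled, `nvidia-smi -e 1` followed by a GPU reset or reboot enables it on hardware that supports ECC.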