New academic research from the University of Toronto has revealed a critical series of attacks targeting high-performance GPUs using GDDR6 memory. The attacks, codenamed GPUBreach, GDDRHammer, and GeForge, exploit RowHammer vulnerabilities to escalate privileges on affected systems, with GPUBreach demonstrating the ability to achieve full CPU privilege escalation. This represents a significant advancement beyond previous GPU-targeted exploits such as GPUHammer, which primarily caused data corruption and performance degradation in machine learning workloads.
GPUBreach functions by inducing bit-flips in GPU page tables through repeated memory access patterns, enabling an unprivileged process to gain arbitrary read and write access to GPU memory. Researchers have shown that this can then be chained into CPU-level privilege escalation by exploiting memory-safety flaws in NVIDIA kernel drivers, allowing attackers to spawn root shells and compromise the host system. Remarkably, this attack works even with the input–output memory management unit (IOMMU) enabled, a hardware component that normally isolates devices and prevents direct memory access attacks. By corrupting trusted driver state within IOMMU-permitted buffers, GPUBreach bypasses these protections entirely, raising serious security concerns for cloud AI infrastructure, multi-tenant GPU deployments, and high-performance computing environments.
RowHammer is a longstanding DRAM reliability issue in which repeated accesses to memory rows induce electrical interference, flipping bits in adjacent rows and undermining isolation guarantees. While DRAM manufacturers have implemented mitigations such as Error-Correcting Code (ECC) and Target Row Refresh (TRR), the GPUBreach study highlights that these measures are not foolproof. Prior research demonstrated GPUHammer, which exploited multi-threaded parallel hammering to flip bits in NVIDIA GPUs running GDDR6 memory, resulting in reduced accuracy for machine learning models. GPUBreach extends these techniques: it corrupts GPU page tables to allow arbitrary memory access, which makes it possible to leak cryptographic keys, degrade model performance, and ultimately escalate privileges on the CPU.
The research coincides with GDDRHammer and GeForge, concurrent works that also leverage GPU page-table corruption to escalate privileges. GDDRHammer modifies GPU page table entries to allow unprivileged CUDA kernels to access all host memory, and GeForge requires IOMMU to be disabled; GPUBreach stands out by enabling full CPU privilege escalation even with IOMMU protections in place. Temporary mitigations include enabling ECC on GPUs, but researchers caution that multiple bit-flip attacks can bypass ECC, causing silent data corruption. On desktop or laptop GPUs where ECC is unavailable, no effective mitigations currently exist. These findings highlight a growing security challenge for AI infrastructure and GPU-dependent workloads, emphasizing the need for stronger hardware and software safeguards against RowHammer attacks.
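The ECC mitigation described above can be verified per GPU. The following is an added example, not code from the researchers or the original article, that audits `nvidia-smi` query output for GPUs with ECC off, pending, or unsupported, and for non-zero ECC error counters. The sample rows, GPU names, the `[N/A]` convention for unsupported fields, and the alert threshold are assumptions.

```python
import csv
import io

# nvidia-smi --query-gpu properties used by this audit.
QUERY = ("index,name,ecc.mode.current,ecc.mode.pending,"
         "ecc.errors.corrected.volatile.total,"
         "ecc.errors.uncorrected.volatile.total")
# Live use: nvidia-smi --query-gpu=<QUERY> --format=csv,noheader

# Constructed sample output, not captured from a real host.
SAMPLE = """\
0, NVIDIA RTX A6000, Enabled, Enabled, 0, 0
1, NVIDIA RTX A6000, Disabled, Disabled, 0, 0
2, NVIDIA RTX A6000, Disabled, Enabled, 0, 0
3, NVIDIA GeForce RTX 3080, [N/A], [N/A], [N/A], [N/A]
4, NVIDIA RTX A6000, Enabled, Enabled, 37, 2
"""

CORRECTED_ALERT = 10  # assumed threshold; tune to the fleet's baseline

def audit(csv_text, corrected_alert=CORRECTED_ALERT):
    """Return {gpu_index: [findings]} for GPUs that need attention."""
    findings = {}
    for row in csv.reader(io.StringIO(csv_text), skipinitialspace=True):
        if len(row) != 6:
            continue  # skip blank or malformed lines
        idx, name, cur, pend, corr, uncorr = (f.strip() for f in row)
        notes = []
        if cur == "[N/A]":
            notes.append("ECC unsupported: no mitigation on this GPU")
        elif cur != "Enabled":
            if pend == "Enabled":
                notes.append("ECC enable is pending: reboot or GPU reset required")
            else:
                notes.append("ECC disabled: enable with nvidia-smi -e 1")
        # Volatile counters reset when the driver reloads.
        if corr.isdigit() and int(corr) >= corrected_alert:
            notes.append(f"{corr} corrected ECC errors since driver load")
        if uncorr.isdigit() and int(uncorr) > 0:
            notes.append(f"{uncorr} uncorrected ECC errors: investigate")
        if notes:
            findings[int(idx)] = notes
    return findings

if __name__ == "__main__":
    for gpu, notes in audit(SAMPLE).items():
        for note in notes:
            print(f"GPU {gpu}: {note}")
```

A clean audit result does not rule out the multi-bit flips that the researchers say can bypass ECC.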





