GPUBreach: New GPU Rowhammer Attack Achieves Full System Compromise Through GDDR6 Bit-Flips
- Apr 7
Key Findings
- A new RowHammer attack called GPUBreach exploits GDDR6 memory bit-flips in NVIDIA GPUs to achieve full CPU privilege escalation and system compromise
- The attack corrupts GPU page tables to grant arbitrary GPU memory read/write access to unprivileged processes
- It bypasses IOMMU protections without requiring them to be disabled, unlike competing attacks
- Researchers demonstrated the exploit on an NVIDIA RTX A6000 GPU, spawning a root shell on the host system
- Current mitigations are insufficient; consumer GPUs without ECC have no known defenses
- Concurrent research (GDDRHammer and GeForge) achieves similar GPU-side escalation, but GPUBreach is the only one achieving full CPU privilege escalation
Background
RowHammer has been a known vulnerability in DRAM for years: repeatedly accessing a memory row causes electrical interference that flips bits in adjacent rows. This undermines the isolation guarantees that modern operating systems rely on. GPUs were initially thought to be immune due to architectural differences, but research from the University of Toronto in July 2025 changed that with GPUHammer, the first practical RowHammer attack against NVIDIA GPUs using GDDR6 memory. GPUHammer demonstrated that ML model accuracy could degrade by up to 80 percent, but it only caused data corruption. GPUBreach takes the threat significantly further.
How GPUBreach Works
The attack targets GPU page table entries (PTEs) using multi-threaded parallel hammering techniques to trigger bit-flips in GDDR6 memory. By corrupting these page tables, an unprivileged CUDA kernel gains arbitrary read and write access to GPU memory. The real breakthrough comes next: the compromised GPU uses Direct Memory Access to write into CPU memory regions that the IOMMU permits, specifically the GPU driver's own buffers. This corrupts trusted driver state and triggers memory-safety bugs within the NVIDIA kernel driver, ultimately granting arbitrary kernel write access and allowing attackers to spawn a root shell.
Why IOMMU Protection Fails
IOMMU is designed to prevent Direct Memory Access attacks by isolating each peripheral to its own memory space and controlling which memory regions devices can access. However, GPUBreach circumvents this by exploiting the fact that IOMMU allows the GPU driver's own buffers as a valid target. Since these buffers contain trusted driver state, corrupting them through DMA triggers kernel-level out-of-bounds writes that bypass IOMMU protections entirely. This represents a fundamental gap in the security model that IOMMU alone cannot address.
Demonstrated Capabilities
During testing on an NVIDIA RTX A6000 GPU, researchers successfully leaked secret cryptographic keys from NVIDIA cuPQC, staged model accuracy degradation attacks, and obtained CPU privilege escalation. The attack works with IOMMU enabled, making it a practical threat to production systems. Unlike other concurrent GPU RowHammer research, GPUBreach uniquely achieves full CPU-level privilege escalation rather than just GPU-side access.
Related Research
Two other independent teams published similar research around the same time. GDDRHammer corrupts GPU page table entries by modifying the aperture field to allow unprivileged CUDA kernels to read and write host CPU memory. GeForge takes a slightly different approach by targeting the page directory rather than the page table itself. Both achieve GPU and host memory access, but neither demonstrates full CPU privilege escalation. GeForge also requires IOMMU to be disabled to function, making it less practical against modern systems.
Current Mitigations and Limitations
Error Correcting Code memory is the primary mitigation currently recommended, as it can correct single-bit flips and detect double-bit flips. However, the researchers note that RowHammer attacks like ECCploit and ECC.fail have already overcome this defense by inducing more than two bit flips simultaneously, which ECC cannot correct and may result in silent data corruption. On consumer or laptop GPUs where ECC is unavailable, no known mitigations currently exist. Even on systems with ECC, GPUBreach remains a serious threat if multiple bit-flips can be reliably induced.
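The ECC limits described above, as an added example that is not from the researchers or NVIDIA: a toy extended-Hamming SECDED code over one byte, showing one flip corrected, two flips detected, and three flips silently miscorrected. The 13-bit layout and all function names are assumptions for illustration and do not reflect the ECC layout used on GDDR6 GPUs.

```python
# Added illustration: extended-Hamming SECDED over one data byte.
# Assumed toy layout (not GDDR6's real ECC): position 0 = overall parity,
# positions 1, 2, 4, 8 = Hamming parity, remaining positions = data bits.
N = 13
DATA_POS = [p for p in range(1, N) if p & (p - 1)]  # 3,5,6,7,9,10,11,12


def syndrome(word):
    """XOR of the positions holding a 1; zero for a valid codeword."""
    s = 0
    for pos in range(1, N):
        if word[pos]:
            s ^= pos
    return s


def encode(byte):
    word = [0] * N
    for i, pos in enumerate(DATA_POS):
        word[pos] = (byte >> i) & 1
    s = syndrome(word)
    for k in (1, 2, 4, 8):
        word[k] = 1 if s & k else 0   # parity bits cancel the syndrome
    word[0] = sum(word) & 1           # make overall parity even
    return word


def flip(word, positions):
    """Return a copy of word with the given bit positions inverted."""
    out = list(word)
    for pos in positions:
        out[pos] ^= 1
    return out


def decode(word):
    """Return (byte, status); the decoder cannot know how many bits flipped."""
    word, s, odd = list(word), syndrome(word), sum(word) & 1
    if not odd and s == 0:
        status = "clean"
    elif not odd or s >= N:
        return None, "uncorrectable"   # even flip count, or impossible position
    else:
        word[s] ^= 1                   # assumes one flip (s == 0: parity bit)
        status = "corrected"
    return sum(word[pos] << i for i, pos in enumerate(DATA_POS)), status


if __name__ == "__main__":
    cw = encode(0xA5)
    for flips in ([], [5], [5, 9], [3, 5, 10]):
        print(flips, decode(flip(cw, flips)))
```

In the three-flip case the decoder reports "corrected" while returning 0x06 instead of 0xA5, which is the silent data corruption the paragraph refers to.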
Disclosure and Response
The University of Toronto team reported their findings to NVIDIA, Google, AWS, and Microsoft on November 11, 2025. Google acknowledged the report and awarded a six-hundred-dollar bug bounty. NVIDIA indicated it may update its existing security notice from July 2025 to address the new attack vectors. The full technical details will be presented at the IEEE Symposium on Security and Privacy on April 13 in Oakland.
Implications for Cloud and AI Infrastructure
The attack has serious implications for cloud AI infrastructure, multi-tenant GPU deployments, and high-performance computing environments. These environments often rely on GPU isolation and IOMMU protections to prevent cross-tenant attacks. GPUBreach demonstrates that an unprivileged tenant could potentially compromise the entire system and access data from other tenants or the host system. This necessitates a reevaluation of security assumptions in GPU-accelerated cloud services and AI development platforms.
Sources
https://thehackernews.com/2026/04/new-gpubreach-attack-enables-full-cpu.html
https://www.bleepingcomputer.com/news/security/new-gpubreach-attack-enables-system-takeover-via-gpu-rowhammer/
https://www.instagram.com/p/DWzksScEqw-/
