New GPUBreach Attack Escalates CPU Privileges Through GDDR6 Bit-Flips
Recent academic research has unveiled a series of RowHammer attacks targeting high-performance graphics processing units (GPUs), revealing vulnerabilities that could allow attackers to escalate privileges and potentially gain full control over host systems. The research, codenamed GPUBreach, arrives alongside GDDRHammer and GeForge and marks a significant advance in the exploitation of GPU architectures.
The Evolution of RowHammer Attacks
GPUBreach represents a notable evolution from previous exploits, particularly GPUHammer, which was the first practical RowHammer attack aimed at NVIDIA GPUs utilizing GDDR6 memory. This new research demonstrates that RowHammer bit-flips in GPU memory can lead to more than just data corruption; they can facilitate privilege escalation and full system compromise.
Gururaj Saileshwar, an Assistant Professor at the University of Toronto and one of the study’s authors, explained that by corrupting GPU page tables through GDDR6 bit-flips, an unprivileged process can gain arbitrary read and write access to GPU memory. This access can then be leveraged to escalate privileges on the CPU, ultimately allowing the attacker to spawn a root shell by exploiting memory-safety vulnerabilities in the NVIDIA driver.
Implications for Memory Management Security
What sets GPUBreach apart is its ability to function without disabling the Input-Output Memory Management Unit (IOMMU). The IOMMU is a critical hardware component designed to enhance memory security by preventing Direct Memory Access (DMA) attacks and isolating each peripheral to its own memory space. Saileshwar noted that GPUBreach bypasses IOMMU protections entirely by corrupting trusted driver states within IOMMU-permitted buffers, triggering kernel-level out-of-bounds writes.
This capability poses serious implications for cloud AI infrastructure, multi-tenant GPU deployments, and high-performance computing (HPC) environments. The research indicates that existing protections may not be sufficient to mitigate these advanced threats.
Understanding RowHammer and Its Impact
RowHammer is a well-known reliability issue in Dynamic Random-Access Memory (DRAM), where repeated access to a memory row can cause electrical interference, flipping bits in adjacent rows. This phenomenon undermines the isolation guarantees that are fundamental to modern operating systems and sandboxing techniques.
To counteract such vulnerabilities, DRAM manufacturers have implemented hardware-level mitigations, including Error-Correcting Code (ECC) and Target Row Refresh (TRR). However, the recent findings highlight that these measures may not be adequate against sophisticated RowHammer attacks targeting GPUs.
The Broader Context of GPU Vulnerabilities
Research published in July 2025 expanded the RowHammer threat landscape to GPUs: GPUHammer was the first practical RowHammer attack aimed at NVIDIA GPUs using GDDR6 memory. It employs techniques such as multi-threaded parallel hammering to overcome architectural challenges that previously rendered GPUs resistant to bit flips. A successful GPUHammer exploit can significantly degrade the accuracy of machine learning models running on the GPU, by up to 80%.
GPUBreach builds on this foundation, allowing for the corruption of GPU page tables and resulting in arbitrary read/write access to GPU memory. More alarmingly, the attack has been shown to leak secret cryptographic keys from NVIDIA’s cuPQC, degrade model accuracy, and achieve CPU privilege escalation even with IOMMU enabled.
Distinctions Among the New Attacks
The disclosure of GPUBreach coincides with the emergence of GDDRHammer and GeForge, both of which also exploit GPU page-table corruption via GDDR6 RowHammer to facilitate GPU-side privilege escalation. While GPUBreach enables full CPU privilege escalation, GeForge requires the IOMMU to be disabled, and GDDRHammer modifies the GPU page table entry’s aperture field to allow unprivileged CUDA kernels to access all host CPU memory.
The teams behind these exploits have noted that GDDRHammer targets the last-level page table (PT), while GeForge focuses on the last-level page directory (PD0). Despite these differences, both approaches aim to hijack GPU page table translations to gain read/write access to both GPU and host memory.
Mitigation Strategies and Limitations
One temporary mitigation strategy against these attacks is to enable ECC on the GPU. However, it is important to recognize that RowHammer attacks, such as ECCploit and ECC.fail, have demonstrated the ability to bypass this countermeasure. Researchers have indicated that if attack patterns induce more than two bit flips—an occurrence feasible on DDR4 and DDR5 systems—existing ECC cannot correct these errors and may even lead to silent data corruption. Consequently, ECC is not a foolproof solution against GPUBreach.
For desktop or laptop GPUs, where ECC is currently unavailable, there are no known mitigations to address these vulnerabilities.
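The ECC mitigation can be audited across a fleet with `nvidia-smi`'s query interface. The sketch below is an added example, not code from the researchers or from NVIDIA: it flags GPUs where ECC is off, unsupported, or enabled only after the next reset, and surfaces ECC error counters as a possible sign of induced bit flips. The GPU names and counter values in `SAMPLE` are constructed, and the finding labels are this example's own.

```python
import csv
import io
import shutil
import subprocess

FIELDS = ("index,name,ecc.mode.current,ecc.mode.pending,"
          "ecc.errors.corrected.volatile.total,"
          "ecc.errors.uncorrected.volatile.total")

# Constructed sample in `--format=csv,noheader` layout; not from a real host.
SAMPLE = """\
0, GPU-A (constructed), Enabled, Enabled, 0, 0
1, GPU-B (constructed), Disabled, Enabled, [N/A], [N/A]
2, GPU-C (constructed), [N/A], [N/A], [N/A], [N/A]
3, GPU-D (constructed), Enabled, Enabled, 412, 3
"""

def read_gpus():
    """Return live nvidia-smi CSV, or the constructed sample if the tool is absent."""
    if shutil.which("nvidia-smi") is None:
        return SAMPLE
    return subprocess.run(
        ["nvidia-smi", f"--query-gpu={FIELDS}", "--format=csv,noheader"],
        capture_output=True, text=True, check=True).stdout

def audit_ecc(csv_text):
    """Map GPU index -> findings relevant to the ECC mitigation (empty list = ok)."""
    findings = {}
    for row in csv.reader(io.StringIO(csv_text), skipinitialspace=True):
        if len(row) != 6:
            continue  # skip blank or malformed lines
        idx, _name, cur, pend, corr, uncorr = (c.strip() for c in row)
        notes = []
        if cur == "Enabled":
            # With ECC on, the error counters are the in-band hint of bit flips.
            if uncorr.isdigit() and int(uncorr) > 0:
                notes.append("uncorrected-errors")
            elif corr.isdigit() and int(corr) > 0:
                notes.append("corrected-errors")
        elif cur == "Disabled":
            # Pending=Enabled means ECC was requested but needs a reset to apply.
            notes.append("ecc-pending-reset" if pend == "Enabled" else "ecc-disabled")
        else:
            notes.append("ecc-unsupported")  # e.g. "[N/A]" on GPUs without ECC
        findings[int(idx)] = notes
    return findings

if __name__ == "__main__":
    for gpu, notes in audit_ecc(read_gpus()).items():
        print(gpu, ", ".join(notes) or "ok")
```

Non-zero counters are not proof of hammering, since DRAM errors also occur naturally; treat a sudden rise on a multi-tenant GPU as a trigger for investigation.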
The implications of GPUBreach and its associated attacks are profound, highlighting the need for ongoing vigilance and innovation in cybersecurity measures to protect against emerging threats in the GPU landscape.
Source: thehackernews.com