Cybersecurity researchers uncover new Rowhammer attacks exploiting Nvidia GPUs’ GDDR memory, enabling system control via cloud environments. Exploits like GDDRHammer threaten AI model integrity, prompting urgent mitigation calls as GPU vulnerabilities persist.
New Rowhammer Threats Target Nvidia GPUs
In 2026, cybersecurity researchers identified Rowhammer-based attacks that exploit vulnerabilities in Nvidia GPUs to achieve full system control. These exploits—named GDDRHammer, GeForge, and GPUBreach—target the susceptibility of GPU memory (GDDR) to bit flips caused by repeated memory access. The findings, detailed in a 2026 Ars Technica report and independently verified, mark the expansion of Rowhammer attacks from CPU DRAM to GPU memory in high-performance computing environments.
Targeting High-End Nvidia GPUs
The attacks focus on Nvidia’s high-end GPUs, including the RTX 6000 series and RTX 3060, which are widely used in cloud computing and AI workloads. By manipulating GPU page tables, malicious actors can bypass security mechanisms like the Input-Output Memory Management Unit (IOMMU) to access host memory. This allows attackers to execute arbitrary code and gain root-level access. The risk is heightened in shared cloud environments, where GPUs are rented to multiple users, creating opportunities for exploitation.
Evolution of Rowhammer Attacks
Rowhammer attacks initially targeted CPU DRAM, where repeated memory access induced bit flips in adjacent rows due to electrical interference. Early variants exploited DDR3 memory; later variants moved to DDR4 memory protected by Target Row Refresh (TRR) and Error-Correcting Code (ECC). Researchers developed techniques like Rowhammer feng shui and RowPress to bypass these defenses, enabling attacks carried out over local networks, rooting of Android devices, and key theft.
GPU Memory as a New Attack Vector
The shift to GPU memory marks a significant escalation in threat capabilities. Unlike traditional Rowhammer attacks requiring physical access, GPU-based exploits can be executed remotely in cloud environments. This is due to the shared nature of GPU resources, allowing malicious actors to rent vulnerable hardware and launch attacks without direct interaction. The memory architecture and access patterns of GPU memory differ from CPU DRAM, necessitating tailored attack vectors.
GPUHammer: A Case Study in GPU Exploitation
A notable example is GPUHammer, a Rowhammer variant demonstrated on Nvidia GPUs with GDDR6 memory, such as the RTX A6000. Developed by a team at the University of Toronto, this attack exploits the physical layout of GDDR6 memory to induce reliable bit flips, even with TRR mitigations. The researchers, including assistant professor Gururaj Saileshwar and PhD student Chris Lin, showed how malicious GPU code could corrupt data in multi-tenant environments, such as cloud machine learning (ML) workloads.
Impact on AI Systems and Model Integrity
The attack’s impact is particularly critical for AI systems. A single bit flip in an AI model’s weight—such as altering an exponent in a neural network—can silently degrade model accuracy. For instance, a study demonstrated that a targeted bit flip could reduce an AI model’s ImageNet accuracy from 80% to less than 0.1% without modifying code or input data. This poses a significant risk for virtualized GPU deployments, where multiple users share the same hardware, as a compromised GPU could affect all associated models.
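The following added example (not from the article or the researchers) simulates that effect in host memory on constructed float32 weights and compares two integrity checks a model owner could run: a SHA-256 digest of the weight buffer and a per-tensor magnitude bound. The weights, inputs and the bound of 1.0 are assumptions made for illustration.

```python
import hashlib
import struct

# Constructed sample: four float32 weights of one neuron and an all-ones input.
WEIGHTS = [0.5, -0.25, 0.125, 0.75]
INPUTS = [1.0, 1.0, 1.0, 1.0]
BOUND = 1.0  # assumed per-tensor magnitude limit recorded when the model was exported


def flip_bit(weight, bit):
    """Return float32 `weight` with one bit inverted (0 = mantissa LSB, 31 = sign)."""
    (raw,) = struct.unpack("<I", struct.pack("<f", weight))
    return struct.unpack("<f", struct.pack("<I", raw ^ (1 << bit)))[0]


def digest(weights):
    """SHA-256 over the packed float32 buffer, as it would be stored at export time."""
    return hashlib.sha256(struct.pack(f"<{len(weights)}f", *weights)).hexdigest()


def out_of_range(weights, bound):
    """Indices whose magnitude exceeds the bound; `not <=` also catches NaN."""
    return [i for i, w in enumerate(weights) if not abs(w) <= bound]


BASELINE = digest(WEIGHTS)


def simulate(bit):
    """Flip one bit of WEIGHTS[0] in a copy and report what each check sees."""
    corrupted = list(WEIGHTS)
    corrupted[0] = flip_bit(corrupted[0], bit)
    return {
        "weight": corrupted[0],
        "output": sum(w * x for w, x in zip(corrupted, INPUTS)),
        "hash_mismatch": digest(corrupted) != BASELINE,
        "range_hits": out_of_range(corrupted, BOUND),
    }


if __name__ == "__main__":
    print("clean output:", sum(w * x for w, x in zip(WEIGHTS, INPUTS)))
    print("exponent MSB (bit 30):", simulate(30))
    print("mantissa LSB (bit 0): ", simulate(0))
```

The exponent flip turns 0.5 into 2^127 and swamps the neuron's output, and both checks flag it; the mantissa flip stays inside the magnitude bound and is caught only by the digest.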
Mitigation Strategies and Recommendations
Nvidia and security researchers have proposed several mitigations. Enabling System-level Error Correction Codes (ECC) on supported GPUs can detect and correct bit flips, though this introduces performance overhead by reducing memory bandwidth and increasing latency. Enabling the IOMMU in BIOS settings can restrict GPU access to host memory, preventing unauthorized memory access. Nvidia also recommends users check their GPU’s vulnerability status and apply firmware updates to address risks.
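As an added example (not Nvidia's or the researchers' tooling), the audit below checks whether the ECC and IOMMU settings described above are actually in effect on a Linux host. It parses `nvidia-smi --query-gpu` CSV output; the sample rows are constructed, and the helper names `audit_ecc`, `iommu_active` and `live_report` are hypothetical.

```python
import csv
import io
import os
import subprocess

# Real nvidia-smi query fields; volatile counters reset when the driver reloads.
FIELDS = "index,name,ecc.mode.current,ecc.mode.pending,ecc.errors.uncorrected.volatile.total"

# Constructed sample of `nvidia-smi --query-gpu=<FIELDS> --format=csv,noheader` output.
SAMPLE = """\
0, NVIDIA RTX A6000, Enabled, Enabled, 0
1, NVIDIA RTX A6000, Disabled, Enabled, 0
2, NVIDIA GeForce RTX 3060, [N/A], [N/A], [N/A]
3, NVIDIA RTX A6000, Enabled, Enabled, 2
"""


def audit_ecc(csv_text):
    """Return (gpu_index, finding) pairs for GPUs whose memory ECC is not protecting."""
    findings = []
    for row in csv.reader(io.StringIO(csv_text), skipinitialspace=True):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        idx, name, current, pending, uncorrected = (f.strip() for f in row)
        if current == "[N/A]":
            findings.append((idx, f"{name}: ECC not supported on this GPU"))
        elif current != "Enabled":
            note = "takes effect after reboot" if pending == "Enabled" else "run nvidia-smi -e 1"
            findings.append((idx, f"{name}: ECC off ({note})"))
        if uncorrected.isdigit() and int(uncorrected) > 0:
            findings.append((idx, f"{name}: {uncorrected} uncorrected ECC errors"))
    return findings


def iommu_active(sysfs="/sys/kernel/iommu_groups"):
    """Linux: the kernel populates this directory only when an IOMMU is in use."""
    return os.path.isdir(sysfs) and bool(os.listdir(sysfs))


def live_report():
    """Run the same audit against the local machine (needs the Nvidia driver)."""
    out = subprocess.run(["nvidia-smi", f"--query-gpu={FIELDS}", "--format=csv,noheader"],
                         capture_output=True, text=True, check=True).stdout
    return audit_ecc(out), iommu_active()


if __name__ == "__main__":
    for idx, finding in audit_ecc(SAMPLE):
        print(f"GPU {idx}: {finding}")
```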
Persistent Threats and Challenges
Despite these measures, the threat remains substantial. The attacks require precise engineering to target specific memory rows and exploit hardware weaknesses, making them difficult to detect. The lack of standardized testing frameworks for GPU memory security means many vulnerabilities may go undetected until exploited. Researchers stress the need for cross-component security measures, as CPU Rowhammer mitigations may not fully address GPU-specific vulnerabilities.
Industry Warnings and Future Outlook
The rise of Rowhammer attacks on GPUs highlights growing risks in cloud computing and AI infrastructure. High-performance GPUs, essential for training complex machine learning models, are increasingly targeted by attackers seeking to exploit shared resources. The ability to compromise GPU memory without disabling IOMMU protections, as shown in the GPUBreach attack, underscores the need for stronger security mechanisms in virtualized environments. Industry experts warn the threat landscape is likely to evolve further. As newer GPU generations are released, they may inherit similar vulnerabilities, requiring ongoing research and mitigation efforts. While no confirmed instances of Rowhammer attacks being actively used in the wild have been reported, the potential for exploitation remains a critical concern. Security professionals and cloud providers must prioritize proactive measures, such as regular vulnerability assessments and hardware-level protections, to safeguard against these emerging threats.
- What are the names of the new Rowhammer attacks targeting Nvidia GPUs?
The article identifies three Rowhammer-based attacks: GDDRHammer, GeForge, and GPUBreach. These exploits target Nvidia GPU memory (GDDR) to achieve full system control by inducing bit flips through repeated memory access.
- How do Rowhammer attacks exploit Nvidia GPU memory to gain system control?
Attackers manipulate GPU page tables to bypass the Input-Output Memory Management Unit (IOMMU), allowing access to host memory. This enables execution of arbitrary code and root-level access, particularly in shared cloud environments where GPUs are rented to multiple users.
- What is the potential impact of Rowhammer attacks on AI model integrity?
A single bit flip in an AI model’s weight—such as altering an exponent in a neural network—can silently degrade model accuracy. For example, an ImageNet accuracy drop from 80% to less than 0.1% was demonstrated without modifying code or input data.
- What mitigation strategies are recommended to protect against these attacks?
Enabling System-level Error Correction Codes (ECC) on supported GPUs can detect and correct bit flips. Additionally, enabling the IOMMU in BIOS settings restricts GPU access to host memory, and firmware updates are advised to address vulnerabilities.
- Are there any confirmed cases of Rowhammer attacks being used in the wild?
As of 2026, no confirmed instances of Rowhammer attacks being actively used in the wild have been reported. However, the potential for exploitation remains a critical concern for cloud and AI infrastructure.
- arstechnica.com | New Rowhammer attacks give complete control of machines ...
- scworld.com | Rowhammer attacks spread to Nvidia GPUs with attacks on GDDR6 ...
- tomshardware.com | New Rowhammer attack silently corrupts AI models on GDDR6 ...
- thehackernews.com | GPUHammer: New RowHammer Attack Variant Degrades AI Models ...
- utoronto.ca | How three U of T researchers discovered a GPU vulnerability that ...
- en.wikipedia.org | Row hammer Wikipedia
- techxplore.com | Researchers discover a GPU vulnerability that could threaten AI ...
- usenix.org | GPUHammer: Rowhammer Attacks on GPU Memories are Practical