Full Report
New academic research has identified multiple RowHammer attacks against high-performance graphics processing units (GPUs) that could be exploited to escalate privileges and, in some cases, even take full control of a host. The efforts have been codenamed GPUBreach, GDDRHammer, and GeForge. GPUBreach goes a step further than GPUHammer, demonstrating for the first time that
Analysis Summary
# Research: GPUBreach: Exploiting GDDR6 RowHammer for Full CPU Privilege Escalation
## Metadata
- **Authors:** Gururaj Saileshwar, et al.
- **Institution:** University of Toronto
- **Publication:** Featured in *The Hacker News* (Academic source: [gpubreach.ca](https://gpubreach.ca/))
- **Date:** April 7, 2026
## Abstract
GPUBreach represents a significant advancement in hardware security research, demonstrating the first RowHammer-based attack on GDDR6 memory that achieves full CPU privilege escalation. By inducing bit-flips in GPU memory to corrupt Page Table Entries (PTEs), researchers bypassed hardware isolations like the IOMMU to gain root access on the host system.
## Research Objective
The research aims to determine if RowHammer vulnerabilities in high-performance GPU memory (GDDR6) can be weaponized to break system-wide security boundaries, specifically moving beyond simple data corruption to achieve arbitrary code execution and privilege escalation on the host CPU.
## Methodology
### Approach
The researchers employed a multi-phased exploitation chain:
1. **Multi-threaded Parallel Hammering:** Used to bypass the complex architectural scheduling of GPUs to induce bit-flips in GDDR6 memory.
2. **Page Table Manipulation:** Targeted the GPU’s memory management structures to gain arbitrary read/write access to GPU memory.
3. **Kernel Driver Exploitation:** Leveraged the compromised GPU state to trigger memory-safety vulnerabilities within the NVIDIA kernel driver on the host CPU.
### Dataset/Environment
- **Hardware:** Modern high-performance NVIDIA GPUs utilizing GDDR6 memory.
- **Security Configurations:** Tested against systems with IOMMU (Input-Output Memory Management Unit) enabled and active.
### Tools & Technologies
- **CUDA:** Used to craft the hammering kernels.
- **NVIDIA cuPQC:** Targeted for cryptographic key leakage tests.
- **Custom Exploits:** Developed to chain GPU bit-flips into CPU kernel write primitives.
## Key Findings
### Primary Results
1. **Full System Compromise:** Unlike previous attacks, GPUBreach escalates from a GPU bit-flip all the way to a root shell on the host CPU.
2. **IOMMU Bypass:** The attack succeeds even with IOMMU enabled by corrupting "permitted" buffers that the kernel driver trusts, leading to out-of-bounds writes.
3. **Cross-Tenant Data Leakage:** Demonstrated the ability to leak secret cryptographic keys from co-resident processes.
### Supporting Evidence
- **Model Degradation:** Confirmed previous findings (GPUHammer) that bit-flips can reduce ML model accuracy by up to 80%.
- **Successful Root Spawn:** Empirical demonstration of spawning a root shell through driver-level memory safety bugs triggered by the GPU.
### Novel Contributions
- **IOMMU-Aware Exploitation:** Proved that peripheral isolation is insufficient if the host driver does not redundantly validate state stored in "secure" DMA buffers.
- **Parallel Hammering Techniques:** Refined hammering methods that overcome the high-throughput nature of GDDR6, which had previously suggested that RowHammer was impractical on GPUs.
## Technical Details
The attack exploits the **Aperture bits** in the Page Table Entries (PTEs). By flipping these bits via RowHammer, an unprivileged CUDA kernel can redirect GPU memory accesses into CPU memory regions. Specifically, it targets the memory buffers the NVIDIA driver uses for internal state management. Once these buffers are corrupted, the driver’s own logic is used to perform an "arbitrary kernel write," allowing the attacker to modify CPU process permissions and escalate to root.
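The validation gap described above, as an added example (not code from the paper or from the NVIDIA driver): a hypothetical host-side handler consumes a descriptor from a device-writable DMA buffer, first trusting its index and length, then snapshotting and bounds-checking them. `struct desc`, the slot layout, and the corrupted index value are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NSLOTS    4u
#define SLOT_SIZE 16u
#define ARENA     128u  /* bytes 0..63: slots; 64..127: other host state */

/* Hypothetical descriptor in a DMA buffer the device is allowed to write. */
struct desc {
    volatile uint32_t slot, len;
    uint8_t payload[SLOT_SIZE];
};

/* Trusting handler: device-writable fields used directly as index/length. */
static void handle_trusting(uint8_t *arena, const struct desc *d)
{
    memcpy(arena + d->slot * SLOT_SIZE, d->payload, d->len);
}

/* Hardened handler: snapshot each field once, bounds-check, then copy. */
static int handle_validated(uint8_t *arena, const struct desc *d)
{
    uint32_t slot = d->slot, len = d->len;  /* single fetch, no re-read */
    if (slot >= NSLOTS || len > SLOT_SIZE)
        return -1;                          /* reject; host state untouched */
    memcpy(arena + slot * SLOT_SIZE, d->payload, len);
    return 0;
}

/* Returns the number of bytes changed outside the slot region. */
static unsigned run_case(int validated, uint32_t slot)
{
    uint8_t arena[ARENA] = {0};
    struct desc d = { .slot = slot, .len = SLOT_SIZE };
    unsigned changed = 0;
    memset(d.payload, 0xAA, sizeof d.payload);
    if (validated) (void)handle_validated(arena, &d);
    else handle_trusting(arena, &d);
    for (unsigned i = NSLOTS * SLOT_SIZE; i < ARENA; i++) changed += arena[i] != 0;
    return changed;
}

int main(void)
{
    uint32_t bad = 3u ^ (1u << 2);  /* constructed: valid index 3 becomes 7 */
    printf("trusting:  %u bytes outside slots\n", run_case(0, bad));
    printf("validated: %u bytes outside slots\n", run_case(1, bad));
    return 0;
}
```

The IOMMU has no role in either case because the buffer is one the device is permitted to write; only the host-side check separates the two outcomes.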
## Practical Implications
### For Security Practitioners
- **Cloud Security:** Multi-tenant GPU environments (AI-as-a-Service) are at high risk, as one user could potentially seize control of the entire physical host.
- **Trust Models:** Hardware isolation (IOMMU) cannot be the sole line of defense for GPU-to-Host communication.
### For Defenders
- **Driver Patching:** Monitoring for and patching memory-safety bugs in GPU drivers is critical, as they are now reachable via hardware-level primitives.
- **ECC Implementation:** Enabling Error-Correcting Code (ECC) on GPU memory may provide a partial mitigation, though researchers suggest it is not a complete solution.
### For Researchers
- **GDDR Focus:** Shift focus from standard DDR4/5 towards GDDR6/7 and HBM (High Bandwidth Memory).
- **Driver Verification:** Increased need for formal verification of kernel-space drivers that manage DMA-capable peripherals.
## Limitations
- **Hardware Specificity:** The attack requires specific knowledge of the GPU's memory controller and physical layout (reverse-engineered).
- **Stability:** RowHammer attacks are probabilistic; achieving the precise bit-flip required for a PTE corruption can take time and multiple attempts.
## Comparison to Prior Work
- **vs. GPUHammer (2025):** While GPUHammer focused on data corruption and ML model denial-of-service, GPUBreach achieves high-level privilege escalation.
- **vs. GDDRHammer & GeForge:** GPUBreach is the only one of the three concurrent papers to demonstrate full CPU root access with IOMMU enabled. GeForge requires IOMMU to be disabled to function.
## Real-world Applications
- **Malicious Cloud Tenants:** Attacking the underlying hypervisor or host from a rented GPU instance.
- **Cryptographic Theft:** Extracting keys from high-performance computing (HPC) nodes.
## Future Work
- **NVIDIA Driver Auditing:** Further exploration of other GPU driver vulnerabilities that can be reached via DMA.
- **Hardware Mitigations:** Investigating more robust Target Row Refresh (TRR) mechanisms for GDDR graphics memory.
## References
- Saileshwar, G., et al. (2026). *GPUBreach: From GDDR6 Bit-flips to CPU Root.* [gpubreach.ca](https://gpubreach.ca/)
- *GDDRHammer & GeForge.* [gddr.fail](https://gddr.fail/)
- *GPUHammer.* [thehackernews.com](https://thehackernews.com/2025/07/gpuhammer-new-rowhammer-attack-variant.html)