Full Report
A new rowhammer attack gives complete control of NVIDIA CPUs. On Thursday, two research teams, working independently of each other, demonstrated attacks against two cards from Nvidia’s Ampere generation that take GPU rowhammering into new—and potentially much more consequential—territory: GDDR bitflips that give adversaries full control of CPU memory, resulting in full system compromise of the host machine. For the attack to work, IOMMU memory management must be disabled, as is the default in BIOS settings. “Our work shows that Rowhammer, which is well-studied on CPUs, is a serious threat on GPUs as well,” said Andrew Kwong, co-author of one of the papers. “...
Analysis Summary
# Research: GDDRHammer & GeForge: Cross-Component Rowhammer Attacks via GPUs
## Metadata
- **Authors:** Andrew Kwong et al. (GDDRHammer); Research team (GeForge)
- **Institution:** Multiple institutions including University of Michigan and Penn State
- **Publication:** Independent research papers (GDDRHammer/GeForge)
- **Date:** May 2026 (Reported)
## Abstract
Recent research has demonstrated that Rowhammer—a hardware vulnerability once thought to be primarily a CPU-to-DRAM threat—is highly effective when executed via Graphics Processing Units (GPUs). By inducing bitflips in GDDR6 memory, attackers can escalate privileges from a restricted GPU environment to full administrative control (root) of the host CPU and its memory. This represents a significant shift in threat modeling for high-performance computing and workstation security.
## Research Objective
The research aims to determine if the high-speed GDDR memory used in modern NVIDIA GPUs is susceptible to Rowhammer attacks and whether these hardware-level vulnerabilities can be exploited to bypass system-level isolation between the GPU and the host CPU.
## Methodology
### Approach
The researchers employed "memory massaging" and novel hammering patterns specifically tuned for the high-bandwidth architecture of GDDR memory. By repeatedly accessing specific rows of memory at high frequencies, they aimed to make charge leak from cells in adjacent rows, inducing bitflips.
### Dataset/Environment
- **Hardware:** NVIDIA Ampere generation cards (RTX 3060, RTX A6000) and Turing generation (RTX 6000).
- **Configuration:** Systems with and without IOMMU (Input-Output Memory Management Unit) enabled.
### Tools & Technologies
- Custom GPU kernels for high-frequency memory access.
- Proof-of-Concept (PoC) exploit code designed to target GPU page tables and directory structures.
## Key Findings
### Primary Results
1. **Host Compromise:** Bitflips in GPU memory can be leveraged to gain arbitrary read/write access to the host CPU’s system memory.
2. **High Vulnerability:** One attack successfully induced 1,171 bitflips on an RTX 3060 and 202 on an RTX 6000.
3. **Privilege Escalation:** Researchers demonstrated the ability to open a root shell on the host machine via the GPU exploit.
### Supporting Evidence
- Successful exploitation of the last-level page table (GDDRHammer) and the last-level page directory (GeForge).
- A third independent study confirmed privilege escalation to root even when IOMMU protections were active.
### Novel Contributions
- **Cross-Component Attack:** Moving Rowhammer from a single-component issue to a cross-component (GPU-to-CPU) threat.
- **GDDR6 Targeting:** Proving that newer, faster GDDR6 memory is not inherently immune to Rowhammer.
## Technical Details
The attack relies on manipulating the GPU's memory management structures. By inducing a bitflip in a GPU page table entry, the attacker can redirect a GPU memory pointer to point toward host system memory. If the IOMMU (which typically restricts what memory a peripheral can see) is disabled—a common default in many BIOS configurations—the GPU gains unauthorized access to the host's protected memory space.
## Practical Implications
### For Security Practitioners
- GPUs can no longer be viewed as isolated "sandboxes" for computation; they are now viable lateral movement vectors for root-level compromise.
### For Defenders
- **BIOS Hardening:** Ensure IOMMU (VT-d or AMD-Vi) is enabled in the BIOS/UEFI.
- **Monitoring:** Watch for unusual GPU memory access patterns, though hardware-level hammering is notoriously difficult to detect via software.
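
A host-side check for the IOMMU hardening item above, as an added example that is not from the papers or the original report. It assumes a Linux host and reads the standard sysfs PCI tree; the function name `iommu_audit` and its two overridable path arguments are illustrative.

```shell
# Added example: verify that every NVIDIA PCI device sits behind a translating IOMMU.
# Arguments (both optional, used to point the check at a constructed tree):
#   $1 = sysfs root (default /sys), $2 = kernel command line file (default /proc/cmdline)
iommu_audit() {
    local sysfs="${1:-/sys}"
    local cmdline_file="${2:-/proc/cmdline}"
    local cmdline dev dtype found=0 status=0
    cmdline="$(cat "$cmdline_file" 2>/dev/null || true)"

    # Kernel parameters that switch the IOMMU off regardless of firmware settings.
    case " $cmdline " in
        *" iommu=off "*|*" intel_iommu=off "*|*" amd_iommu=off "*)
            echo "FAIL kernel command line disables the IOMMU"
            status=1 ;;
    esac

    for dev in "$sysfs"/bus/pci/devices/*; do
        [ -r "$dev/vendor" ] || continue
        [ "$(cat "$dev/vendor")" = "0x10de" ] || continue   # NVIDIA PCI vendor ID
        found=1
        # The iommu_group link only exists when an IOMMU is active for the device.
        if [ ! -e "$dev/iommu_group" ]; then
            echo "FAIL ${dev##*/} no IOMMU group (IOMMU off in firmware or kernel)"
            status=1
            continue
        fi
        # Older kernels do not expose the domain type; report it as unknown.
        dtype="$(cat "$dev/iommu_group/type" 2>/dev/null || echo unknown)"
        case "$dtype" in
            identity)
                # Passthrough domain: device DMA addresses are not translated.
                echo "WARN ${dev##*/} identity domain: DMA is not restricted"
                status=1 ;;
            *)
                echo "OK   ${dev##*/} IOMMU group present, domain type: $dtype" ;;
        esac
    done

    [ "$found" -eq 1 ] || echo "INFO no NVIDIA PCI device found"
    return "$status"
}
```

Run `iommu_audit` with no arguments on the host; a non-zero exit status means the IOMMU is disabled on the kernel command line or at least one NVIDIA device is not behind a translating domain.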
### For Researchers
- This opens a new field of "Inter-Component Rowhammer," suggesting other high-speed peripherals (NICs, FPGAs) should be audited for similar flaws.
## Limitations
- Initial versions of the attack (GDDRHammer/GeForge) primarily relied on the IOMMU being disabled.
- Success rates for bitflips vary significantly between individual silicon chips due to manufacturing variances.
## Comparison to Prior Work
Traditional Rowhammer research focused on CPU-based DRAM access. While previous "GLitch" attacks showed GPU Rowhammer was possible, this new research demonstrates a much higher impact: moving from simple browser-based crashes to full host-system compromise and root access.
## Real-world Applications
- **Malicious Cloud Tenants:** An attacker could potentially rent a GPU instance in a cloud environment to escape the virtual environment and attack the host server.
- **High-Performance Computing (HPC):** Shared workstations used for AI/ML training could be compromised by a low-privileged user.
## Future Work
- Assessing the impact of ECC (Error Correction Code) memory on these attack vectors.
- Refining techniques to bypass IOMMU consistently across different hardware architectures.
## References
- *GDDRHammer: Greatly Disturbing DRAM Rows—Cross-Component Rowhammer Attacks from Modern GPUs*
- *GeForge: Hammering GDDR Memory to Forge GPU Page Tables for Fun and Profit*
- hxxps://gddr[.]fail/files/gddr.pdf
- hxxps://gddr[.]fail/files/GeForge.pdf