GPUBreach: Unveiling a New Era of GPU-Based System Compromises
Recent academic research has unveiled a series of sophisticated RowHammer attacks targeting high-performance graphics processing units (GPUs), named GPUBreach, GDDRHammer, and GeForge. These attacks exploit vulnerabilities in GPU memory to escalate privileges, potentially leading to full system control.
GPUBreach represents a significant advancement over previous exploits like GPUHammer by demonstrating that RowHammer-induced bit-flips in GPU memory can do more than just corrupt data—they can facilitate privilege escalation and complete system compromise. By manipulating GPU page tables through GDDR6 bit-flips, an unprivileged process can gain arbitrary read/write access to GPU memory. This access can be leveraged to exploit memory-safety vulnerabilities in NVIDIA drivers, ultimately achieving full CPU privilege escalation and spawning a root shell.
A notable aspect of GPUBreach is its ability to operate without disabling the input–output memory management unit (IOMMU), a critical hardware component designed to prevent Direct Memory Access (DMA) attacks and isolate peripherals to their own memory spaces. By corrupting trusted driver states within IOMMU-permitted buffers, GPUBreach triggers kernel-level out-of-bounds writes, effectively bypassing IOMMU protections without the need for its deactivation. This capability has serious implications for cloud AI infrastructure, multi-tenant GPU deployments, and high-performance computing (HPC) environments.
RowHammer is a well-documented DRAM reliability issue where repeated accesses to a memory row can cause electrical interference, leading to bit-flips in adjacent rows. This phenomenon undermines the isolation guarantees fundamental to modern operating systems and sandboxes. While DRAM manufacturers have implemented hardware-level mitigations like Error-Correcting Code (ECC) and Target Row Refresh (TRR) to counter such attacks, these measures have proven insufficient against the evolving threat landscape.
In July 2025, researchers from the University of Toronto introduced GPUHammer, the first practical RowHammer attack targeting NVIDIA GPUs with GDDR6 memory. GPUHammer employs techniques like multi-threaded parallel hammering to overcome architectural challenges inherent to GPUs, which previously made them resistant to bit-flips. A successful GPUHammer exploit can degrade machine learning (ML) model accuracy by up to 80% when running on a GPU.
Building upon this foundation, GPUBreach extends the approach by corrupting GPU page tables with RowHammer to achieve privilege escalation, resulting in arbitrary read/write access to GPU memory. More consequentially, the attack has been found to leak secret cryptographic keys from NVIDIA’s cuPQC, stage model accuracy degradation attacks, and obtain CPU privilege escalation even with IOMMU enabled.
The compromised GPU issues DMA into a region of CPU memory that the IOMMU permits, specifically the GPU driver’s own buffers. By corrupting this trusted driver state, the attack triggers memory-safety bugs in the NVIDIA kernel driver, gaining an arbitrary kernel write primitive, which is then used to spawn a root shell.
The disclosure of GPUBreach coincides with two other concurrent works—GDDRHammer and GeForge—that also revolve around GPU page-table corruption via GDDR6 RowHammer and facilitate GPU-side privilege escalation. Similar to GPUBreach, both techniques can be used to gain arbitrary read/write access to CPU memory.
Where GPUBreach stands apart is in its ability to enable full CPU privilege escalation, making it a more potent attack. GeForge, in particular, requires IOMMU to be disabled for it to work, whereas GDDRHammer modifies the GPU page table entry’s aperture field to allow the unprivileged CUDA kernel to read and write all of the host CPU’s memory.
One temporary mitigation for these attacks is to enable ECC on the GPU. However, RowHammer attacks like ECCploit and ECC.fail have been found to overcome this countermeasure. If attack patterns induce more than two bit-flips, existing ECC cannot correct them and may even cause silent data corruption, so ECC is not a foolproof mitigation against GPUBreach. On desktop or laptop GPUs, where ECC is currently unavailable, there are no known mitigations.
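The ECC limit described above can be seen in a small model. The following is an added example, not code from the researchers or from NVIDIA: it assumes a toy single-error-correct, double-error-detect code (extended Hamming 8,4) rather than the actual GDDR6 ECC scheme, and all function names are hypothetical. It enumerates every 1-, 2- and 3-bit error pattern and records whether the decoder recovers the data, flags the error, or silently returns wrong data.

```python
# Toy SECDED (extended Hamming 8,4): constructed teaching code, not NVIDIA's ECC.
from itertools import combinations

DATA_POS = (3, 5, 6, 7)   # codeword positions that hold the 4 data bits
PARITY_POS = (1, 2, 4)    # Hamming parity bits; position 0 is overall parity

def encode(nibble):
    """Encode a 4-bit value as an 8-bit SECDED codeword (list of bits)."""
    cw = [0] * 8
    for i, pos in enumerate(DATA_POS):
        cw[pos] = (nibble >> i) & 1
    for p in PARITY_POS:
        # Parity bit p covers every other position whose index has bit p set.
        cw[p] = sum(cw[j] for j in range(1, 8) if j & p and j != p) % 2
    cw[0] = sum(cw[1:]) % 2   # overall parity: total weight becomes even
    return cw

def decode(cw):
    """Return (status, value); status is 'ok', 'corrected' or 'detected'."""
    cw = list(cw)
    syndrome = 0
    for j in range(1, 8):
        syndrome ^= j * cw[j]     # XOR of set positions; 0 if codeword valid
    odd = sum(cw) % 2 == 1
    if syndrome and not odd:
        return "detected", None   # even flip count: flagged uncorrectable
    status = "ok"
    if odd:
        # Decoder assumes one flip at `syndrome` (0 = overall parity bit).
        cw[syndrome] ^= 1
        status = "corrected"
    return status, sum(cw[pos] << i for i, pos in enumerate(DATA_POS))

def outcomes(nibble, nflips):
    """Classify every nflips-bit error pattern applied to one stored value."""
    tally = {"recovered": 0, "detected": 0, "silent_corruption": 0}
    for flips in combinations(range(8), nflips):
        cw = encode(nibble)
        for pos in flips:
            cw[pos] ^= 1
        status, value = decode(cw)
        if status == "detected":
            tally["detected"] += 1
        elif value == nibble:
            tally["recovered"] += 1
        else:
            tally["silent_corruption"] += 1   # wrong data, no error raised
    return tally
```

In this model every single flip is recovered and every double flip is flagged, but every triple flip is "corrected" into a different valid codeword, which is the silent-corruption case the paragraph above refers to.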