A new attack, dubbed GPUBreach, can induce Rowhammer bit-flips on GPU GDDR6 memories to escalate privileges and lead to a full system compromise.
GPUBreach was developed by a team of researchers at the University of Toronto, and full details will be presented at the upcoming IEEE Symposium on Security & Privacy on April 13 in Oakland.
The researchers demonstrated that Rowhammer-induced bit flips in GDDR6 can corrupt GPU page table entries (PTEs) and grant arbitrary GPU memory read/write access to an unprivileged CUDA kernel.
An attacker could then chain this into a CPU-side escalation by exploiting memory-safety bugs in the NVIDIA driver, potentially leading to complete system compromise without the need to disable Input-Output Memory Management Unit (IOMMU) protection.

Source: University of Toronto
IOMMU is a hardware unit that protects against direct memory attacks. It controls and restricts how devices access memory by managing which memory regions are accessible to each device.
Despite being an effective measure against most direct memory access (DMA) attacks, IOMMU does not stop GPUBreach.
“GPUBreach shows that GPU Rowhammer attacks can move beyond data corruption to real privilege escalation,” the researchers explain.
“By corrupting GPU page tables, an unprivileged CUDA kernel can gain arbitrary GPU memory read/write, and then chain that capability into CPU-side escalation by exploiting newly discovered memory-safety bugs in the NVIDIA driver.”
“The result is system-wide compromise up to a root shell, without disabling IOMMU, unlike contemporary works, making GPUBreach a stronger threat.”

The same researchers previously demonstrated GPUHammer, the first attack showing that Rowhammer attacks on GPUs are practical, prompting NVIDIA to issue a warning to users and suggesting the activation of the System Level Error-Correcting Code mitigation to block such attempts on GDDR6 memory.
However, GPUBreach takes the threat to the next level, showing that it is possible not only to corrupt data but also to gain root privileges with IOMMU enabled.
The researchers exemplified the results with an NVIDIA RTX A6000 GPU with GDDR6. This model is widely used in AI development and training workloads.

Disclosure and mitigations
The University of Toronto researchers reported their findings to NVIDIA, Google, AWS, and Microsoft on November 11, 2025.
Google acknowledged the report and awarded the researchers a $600 bug bounty.
NVIDIA stated that it may update its existing security notice from July 2025 to include the newly discovered attack possibilities.
As demonstrated by the researchers, IOMMU alone is insufficient if GPU-controlled memory can corrupt trusted driver state, so users at risk should not rely solely on that security measure.
Error Correcting Code (ECC) memory helps correct single-bit flips and detect double-bit flips, but it is not reliable against multi-bit flips.
Ultimately, the researchers underlined that GPUBreach is completely unmitigated for consumer GPUs without ECC.
The researchers will publish the full details of their work, including a technical paper and a GitHub repository with the reproduction package and scripts, on April 13.
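The ECC limitation described above can be reproduced with a textbook single-error-correct, double-error-detect (SECDED) code. The following is an added illustration, not code from the researchers or NVIDIA; it assumes a generic extended Hamming code over 8 data bits, which is not necessarily the scheme any GPU memory controller uses, and the sample data word is constructed.

```python
# Added illustration: generic extended-Hamming SECDED, NOT the ECC scheme of
# any specific GPU or memory controller (that layout is an assumption).

def _syndrome(word):
    """XOR of the 1-based positions of all set bits (index 0 excluded)."""
    syn = 0
    for pos in range(1, len(word)):
        if word[pos]:
            syn ^= pos
    return syn

def _is_data(pos):
    return (pos & (pos - 1)) != 0      # powers of two hold parity bits

def encode(data_bits):
    """Return codeword: index 0 = overall parity, 1..n = Hamming layout."""
    r = 0
    while (1 << r) < len(data_bits) + r + 1:
        r += 1
    word = [0] * (len(data_bits) + r + 1)
    bits = iter(data_bits)
    for pos in range(1, len(word)):
        if _is_data(pos):
            word[pos] = next(bits)
    syn = _syndrome(word)
    for i in range(r):                 # parity bits cancel the syndrome
        word[1 << i] = (syn >> i) & 1
    word[0] = sum(word) & 1            # make total parity even
    return word

def decode(word):
    """Return (status, data). Odd parity is treated as a single flip."""
    word = list(word)
    syn, odd = _syndrome(word), sum(word) & 1
    if not odd:
        status = "clean" if syn == 0 else "detected"   # even number of flips
    elif syn < len(word):
        word[syn] ^= 1                 # "fix" the bit the syndrome points at
        status = "corrected"
    else:
        status = "detected"
    return status, [word[p] for p in range(1, len(word)) if _is_data(p)]

def flip(word, positions):
    return [b ^ (i in positions) for i, b in enumerate(word)]

if __name__ == "__main__":
    data = [1, 0, 1, 1, 0, 0, 1, 0]    # constructed sample word
    cw = encode(data)
    for flips in ({5}, {5, 6}, {3, 5, 6}):
        status, out = decode(flip(cw, flips))
        print(sorted(flips), status, "data intact" if out == data else "DATA WRONG")
```

With three flips the decoder reports a successful correction while returning altered data, which is why a "corrected" ECC event cannot be read as proof that memory is intact.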


