NVIDIA GPUs Vulnerable to New Rowhammer Attacks: Full System Takeover Possible

GPU Memory Flaw Allows Complete Host System Compromise

Two independent research teams have demonstrated that Rowhammer attacks on NVIDIA's Ampere-generation graphics cards can lead to full control of the host CPU's memory, enabling total system compromise. The attacks exploit GDDR6 memory to induce bit flips that bypass GPU protections and gain arbitrary read/write access to the main system memory.

NVIDIA GPUs Vulnerable to New Rowhammer Attacks: Full System Takeover Possible
Source: www.schneier.com

One team, in a paper titled GDDRHammer: Greatly Disturbing DRAM Rows—Cross-Component Rowhammer Attacks from Modern GPUs, showed how an attacker could use targeted memory accesses on the GPU to flip bits in the CPU’s memory. According to Andrew Kwong, co-author of the paper, “Our work shows that Rowhammer, which is well-studied on CPUs, is a serious threat on GPUs as well.” The attack requires the IOMMU (input-output memory management unit) to be disabled, which is the default setting in most BIOS configurations.

The second paper, GeForge: Hammering GDDR Memory to Forge GPU Page Tables for Fun and Profit, takes a different approach by manipulating the GPU’s last-level page directory instead of the page table. The researchers induced 1,171 bitflips on an RTX 3060 and 202 on an RTX 6000, demonstrating that the technique is broadly effective across the Ampere lineup. Their proof-of-concept exploit ends with a root shell on the host machine, giving the attacker unfettered privileges.

On Friday, a third attack was disclosed that targets the RTX A6000 and works even when the IOMMU is enabled, making it a more immediate threat. The researchers achieved privilege escalation to a root shell without relying on the disabled IOMMU condition.

Background

Rowhammer is a known vulnerability in DRAM where repeated row activations cause bit flips in adjacent rows. Originally demonstrated on CPUs, it has now been adapted to GPU memory. GDDR6 memory, commonly used in high-end graphics cards, is also susceptible to this disturbance, allowing attackers to corrupt data stored in memory.


NVIDIA’s Ampere architecture (RTX 30 series and A series) uses GDDR6X memory in some models, but the tested cards (RTX 3060, RTX A6000) rely on standard GDDR6. The attacks exploit the dense packing of memory cells and the limited error correction available in GPU memory subsystems.

What This Means

These findings elevate the risk for systems using NVIDIA GPUs in multi-user or cloud environments where GPU sharing is common. An attacker with access to the GPU—through a malicious workload or a compromised driver—could escalate privileges to take over the entire host machine. The fact that one attack works with IOMMU enabled underscores that default protections are insufficient.

System administrators and users should consider disabling GPU pass-through features unless absolutely necessary and monitor for firmware updates from NVIDIA. The research teams have disclosed their findings to NVIDIA, and while no immediate patch has been released, the company is likely to investigate mitigations such as improved memory scrubbing or Rowhammer-resilient memory allocation.

For now, the proof-of-concept exploits are not publicly available, but the research papers are published, allowing security professionals to assess their own exposure. This is a wake-up call that GPU memory is now a viable attack surface for full system compromise.
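One way to check the IOMMU precondition the article gives for GDDRHammer on a Linux host, as an added example that is not code from the researchers or NVIDIA: it reports whether each NVIDIA display device sits in an IOMMU group and which DMA domain type that group uses. The `root` parameter and the report keys are assumptions made for this example, and a clean result says nothing about the third attack, which the article states works with the IOMMU enabled.

```python
import sys
from pathlib import Path

NVIDIA_VENDOR = "0x10de"  # PCI vendor ID assigned to NVIDIA
# Kernel parameters that switch DMA remapping off or to identity-mapped passthrough
WEAK_PARAMS = {"intel_iommu=off", "amd_iommu=off", "iommu=off",
               "iommu=pt", "iommu.passthrough=1"}


def read(path):
    # Return a sysfs/procfs file's stripped text, or '' if it is absent or unreadable.
    try:
        return path.read_text().strip()
    except OSError:
        return ""


def audit_gpu_iommu(root="/"):
    """Audit IOMMU coverage of NVIDIA GPUs; `root` (hypothetical) allows a constructed tree."""
    root = Path(root)
    groups = root / "sys/kernel/iommu_groups"
    # Numbered group directories appear only when the kernel has an IOMMU active.
    active = groups.is_dir() and any(groups.iterdir())
    weak = sorted(WEAK_PARAMS & set(read(root / "proc/cmdline").split()))
    pci = root / "sys/bus/pci/devices"
    gpus = {}
    for dev in sorted(pci.iterdir()) if pci.is_dir() else []:
        # PCI class 0x03xxxx is a display controller (VGA or 3D); skips the GPU's audio function.
        if read(dev / "vendor") == NVIDIA_VENDOR and read(dev / "class").startswith("0x03"):
            group = dev / "iommu_group"
            gpus[dev.name] = (read(group / "type") or "unknown") if group.exists() else "none"
    # "none" = no IOMMU group at all; "identity" = grouped, but DMA addresses are not translated.
    unconfined = [name for name, kind in gpus.items() if kind in ("none", "identity")]
    return {"iommu_active": active, "weak_params": weak, "gpus": gpus,
            "exposed": bool(gpus) and (not active or bool(weak) or bool(unconfined))}


if __name__ == "__main__":
    report = audit_gpu_iommu(sys.argv[1] if len(sys.argv) > 1 else "/")
    for name, kind in report["gpus"].items():
        print(f"{name}: IOMMU domain type = {kind}")
    print(f"IOMMU active: {report['iommu_active']}; weakening boot params: {report['weak_params'] or 'none'}")
    print("RESULT:", "GPU DMA is not confined by the IOMMU" if report["exposed"] else "GPU sits behind the IOMMU")
    sys.exit(1 if report["exposed"] else 0)
```

The script exits non-zero when a GPU is found outside IOMMU translation, so it can be dropped into a host-baseline or fleet compliance job.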
