GPUBreach: Root Shell Access Achieved via GPU Rowhammer Attack
Researchers have demonstrated that GPU Rowhammer attacks can be used to escalate privileges.

Aggregated from SecurityWeek
Full Analysis
A team of researchers from the University of Toronto has discovered a new Rowhammer attack that threat actors can use to escalate privileges.
The Rowhammer technique, a hardware vulnerability known for more than a decade, works by repeatedly accessing — or “hammering” — a specific row of DRAM memory cells. This rapid activity can generate electrical interference that causes bit flips in neighboring memory regions.
Over the years, researchers have shown that Rowhammer attacks can be exploited to enable privilege escalation, unauthorized data access, data corruption, and breaches of memory isolation in virtualized environments.
Until recently, however, such attacks had been limited to CPUs and traditional CPU-based memory. With GPUs playing an increasingly critical role in AI and machine learning workloads, a team from the University of Toronto last year successfully demonstrated a Rowhammer-style attack targeting the memory of an Nvidia GPU.
They showed how the attack, dubbed GPUHammer, can induce bit flips that significantly degrade the accuracy of deep neural network (DNN) models, including ImageNet-trained models used for visual object recognition.
The researchers behind GPUHammer, assisted by several others, have now demonstrated that GPU Rowhammer attacks can be used for more than just disruption.
Their new attack, named GPUBreach, shows that attackers can induce GDDR6 bit flips that corrupt GPU page tables, enabling arbitrary read-write access to memory.
In combination with new memory-safety bugs in Nvidia drivers, the researchers showed that GPUBreach can be used for CPU-side privilege escalation, ultimately achieving root shell privileges and full system compromise.
The attack can pose a significant threat to cloud environments, where multiple users share the same physical GPU.
Conducting an attack does not require physical/local hardware access to the targeted system, but the attacker does need to have code execution privileges on the GPU — this can be any user with permissions to use the GPU.
The researchers reported their findings to Nvidia in November 2025, and the chip giant said it may update its previous Rowhammer security notice with information from the new research project.
Due to potential cloud impact, Microsoft, AWS, and Google have also been notified, and Google has paid out a $600 bounty for the findings.
“As with other Rowhammer attacks, ECC can be helpful as a mitigation, since it can correct single-bit flips and detect double-bit flips,” the researchers explained.
“On server and workstation GPUs (e.g., RTX A6000), we advise enabling ECC as per the NVIDIA security notice,” they added. “However, if attack patterns induce more than two bit flips (shown feasible on DDR4 and DDR5 systems), existing ECC cannot correct these and may even cause silent data corruption; so ECC is not a foolproof mitigation against GPUBreach.”
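The ECC behaviour the researchers describe can be seen in a small single-error-correct, double-error-detect (SECDED) code. The following is an added example, not code from the researchers or from Nvidia: it assumes a toy 8-bit extended Hamming code rather than the ECC scheme any real GPU implements, and the function names are made up for illustration.

```python
from itertools import combinations

def encode(nibble):
    """Encode 4 data bits as an 8-bit extended Hamming (SECDED) codeword."""
    code = [0] * 8                      # index 0: overall parity, 1..7: Hamming(7,4)
    code[3], code[5], code[6], code[7] = [(nibble >> i) & 1 for i in range(4)]
    for p in (1, 2, 4):                 # each parity bit covers positions with bit p set
        code[p] = sum(code[i] for i in range(1, 8) if i & p) % 2
    code[0] = sum(code[1:]) % 2
    return code

def flip(code, positions):
    """Return a copy of the codeword with the given bit positions inverted."""
    return [b ^ (i in positions) for i, b in enumerate(code)]

def decode(code):
    """Return (nibble, status); nibble is None when the error is only detected."""
    code = list(code)
    syndrome = 0
    for i in range(1, 8):
        if code[i]:
            syndrome ^= i               # XOR of set positions is 0 for a valid word
    odd = sum(code) % 2                 # 1 means an odd number of bits flipped
    if syndrome == 0 and not odd:
        status = "clean"
    elif odd:
        code[syndrome] ^= 1             # decoder assumes exactly one flip and fixes it
        status = "corrected"
    else:
        return None, "uncorrectable"    # even number of flips: detected, not fixed
    return code[3] | code[5] << 1 | code[6] << 2 | code[7] << 3, status

def silent_corruptions(nibble, flips):
    """Count flip patterns the decoder accepts while returning wrong data."""
    word = encode(nibble)
    bad = 0
    for pos in combinations(range(8), flips):
        value, status = decode(flip(word, pos))
        if status != "uncorrectable" and value != nibble:
            bad += 1
    return bad

if __name__ == "__main__":
    for n in (1, 2, 3):                 # constructed input: data nibble 0b1011
        print(n, "flip(s):", silent_corruptions(0b1011, n), "silent corruptions")
```

With three flips the decoder still reports "corrected", because an odd number of flips is indistinguishable from a single one, so the wrong data is returned without any uncorrectable-error signal.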