{"id":519,"date":"2026-04-07T10:21:01","date_gmt":"2026-04-07T10:21:01","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=519"},"modified":"2026-04-07T10:21:01","modified_gmt":"2026-04-07T10:21:01","slug":"new-gpubreach-attack-enables-full-cpu-privilege-escalation-via-gddr6-bit-flips","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=519","title":{"rendered":"New GPUBreach Attack Enables Full CPU Privilege Escalation via GDDR6 Bit-Flips"},"content":{"rendered":"
\n
<\/a><\/div>\n

New academic research has identified multiple RowHammer attacks against high-performance graphics processing units (GPUs) that could be exploited to escalate privileges and, in some cases, even take full control of a\u00a0host.<\/p>\n

The efforts have been\u00a0codenamed GPUBreach<\/a><\/strong>, GDDRHammer<\/a><\/strong>,\u00a0and <\/a>GeForge<\/a><\/strong>.<\/p>\n

GPUBreach goes a step further\u00a0than GPUHammer, demonstrating for the first time that RowHammer bit-flips in GPU memory can induce much more than data corruption and enable privilege escalation, and lead to a full system compromise.<\/p>\n

\u00abBy corrupting GPU page tables via GDDR6 bit-flips, an unprivileged process can gain arbitrary GPU memory read\/write, and then chain that into full CPU privilege escalation \u2014 spawning a root shell \u2014 by exploiting memory-safety bugs in the NVIDIA driver,\u00bb Gururaj Saileshwar, one of the authors of the study and Assistant Professor at the University of\u00a0Toronto, said<\/a> in a post on\u00a0LinkedIn.<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

What makes GPUBreach notable is that it works even without having to disable the input\u2013output memory management unit\u00a0(IOMMU<\/a>),\u00a0a crucial hardware\u00a0component that ensures memory security by preventing Direct Memory Access (DMA) attacks and isolating each peripheral to its own memory\u00a0space.<\/p>\n

\u00abGPUBreach shows it is not enough: by corrupting trusted driver state within IOMMU-permitted buffers, we trigger kernel-level out-of-bounds writes \u2014 bypassing IOMMU protections entirely without needing it disabled,\u00bb Saileshwar added. \u00abThis has serious implications for cloud AI infrastructure, multi-tenant GPU deployments, and HPC environments.\u00bb<\/p>\n

RowHammer is a long-standing Dynamic Random-Access Memory (DRAM) reliability error where repeated accesses (i.e., hammering) to a memory row can cause electrical interference that flips bits (changing 0 to 1m or vice versa) in adjacent rows. This\u00a0undermines isolation guarantees fundamental to modern operating systems and sandboxes.<\/p>\n

DRAM manufacturers have implemented hardware-level mitigations, such as Error-Correcting Code (ECC) and Target Row Refresh (TRR), to counter this line of\u00a0attack.\u00a0<\/p>\n

However, research published in July 2025 by researchers at the University of Toronto expanded the threat to\u00a0GPUs. GPUHammer, as it’s called, is the first practical RowHammer attack targeting NVIDIA GPUs using GDDR6 memory. It\u00a0employs techniques like multi-threaded parallel hammering to overcome architectural challenges inherent to GPUs that previously made them immune to bit\u00a0flips.<\/p>\n

The consequence of a successful GPUHammer exploit is a drop in machine learning (ML) model accuracy, which can degrade by up to 80% when running on a\u00a0GPU.<\/p>\n

GPUBreach extends this approach to corrupt GPU page tables with RowHammer and achieve privilege escalation, resulting in arbitrary read\/write on GPU memory. More\u00a0consequentially, the attack has been found to leak secret cryptographic keys\u00a0from NVIDIA\u00a0cuPQC<\/a>, stage model accuracy degradation attacks, and obtain CPU privilege escalation with IOMMU\u00a0enabled.<\/p>\n

\u00abThe compromised GPU issues DMA (using the aperture bits in PTEs) into a region of CPU memory that the IOMMU permits (the GPU driver’s own buffers),\u00bb the researchers said. \u00abBy corrupting this trusted driver state, the attack triggers memory-safety bugs in the NVIDIA kernel driver and gains an arbitrary kernel write primitive, which is then used to spawn a root\u00a0shell.\u00bb<\/p>\n

This disclosure of GPUBreach coincides with two other concurrent works \u2013 GDDRHammer and GeForge \u2013 that also revolve around GPU page-table corruption via GDDR6 RowHammer and facilitate GPU-side privilege escalation. Just\u00a0like GPUBreach, both techniques can be used to gain arbitrary read\/write access to CPU\u00a0Memory.<\/p>\n

Where GPUBreach stands apart is that it also enables full CPU privilege escalation, making it a more potent attack. GeForge, in particular, requires IOMMU to be disabled for it to work, whereas GDDRHammer modifies the GPU page table entry’s aperture field to allow the unprivileged CUDA<\/a> kernel to read and write all of the host CPU’s\u00a0memory.<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

\u00abOne main difference is that GDDRHammer exploits the last level page table (PT) and GeForge exploits the last level page directory (PD0),\u00bb the teams behind the two GPU memory exploits said. \u00abHowever, both\u00a0works are able\u00a0to achieve the same goal of hijacking the GPU page table translation to gain read\/write access to the GPU and host\u00a0memory.\u00bb<\/p>\n

One temporary mitigation to tackle these attacks is\u00a0to enable\u00a0ECC<\/a> on the GPU. That\u00a0said, it bears noting that RowHammer attacks\u00a0like ECCploit\u00a0and ECC.fail have been found to overcome this countermeasure.<\/p>\n

\u00abHowever, if attack patterns induce more than two bit flips (shown feasible on DDR4 and DDR5 systems), existing ECC cannot correct these and may even cause silent data corruption; so ECC is not a foolproof mitigation against GPUBreach,\u00bb the researchers said. \u00abOn desktop or laptop GPUs, where ECC is currently unavailable, there are no known mitigations to our knowledge.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

New academic research has identified multiple RowHammer attacks against high-performance graphics processing units (GPUs) that could be exploited to escalate privileges and, in some cases, even take full control of…<\/p>\n","protected":false},"author":1,"featured_media":520,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[220,1102,1100,724,306,753,1101,1099,305],"class_list":["post-519","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-attack","tag-bitflips","tag-cpu","tag-enables","tag-escalation","tag-full","tag-gddr6","tag-gpubreach","tag-privilege"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/519","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=519"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/519\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/520"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=519"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=519"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=519"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}