
New Rowhammer Attacks Give Complete Control of Machines Running Nvidia GPUs
Why It Matters
The findings expose a critical cross‑component vulnerability that lets unprivileged users fully compromise cloud servers and high‑end workstations, forcing GPU vendors and cloud providers to rethink hardware‑level defenses.
Key Takeaways
- GDDRHammer and GeForge break GPU isolation and read CPU memory
- Attacks require the IOMMU to be disabled, which is the default BIOS setting
- RTX 3060 and RTX 6000 (Ampere) proven vulnerable
- Enabling the IOMMU or ECC mitigates the attacks but reduces performance
Pulse Analysis
Rowhammer, a phenomenon first demonstrated on DDR3 DRAM in 2014, has long been a concern for CPU security researchers. The technique relies on rapid, repeated accesses to memory rows, causing electrical interference that flips adjacent bits. While mitigations such as Target Row Refresh and ECC have hardened CPU memory, the same level of scrutiny has not been applied to graphics memory. Modern GPUs, especially Nvidia’s high‑performance Ampere cards, use GDDR6, a type of DRAM that was previously thought to be less susceptible. Recent academic work shows otherwise, expanding the attack surface beyond traditional compute resources.
The two independent papers, GDDRHammer and GeForge, demonstrate how an attacker can leverage novel hammering patterns and a process called memory massaging to corrupt GPU page‑table structures. By steering these tables into unprotected regions of GDDR memory, the researchers induce hundreds of bit flips—up to 1,171 on an RTX 3060—allowing them to rewrite pointers that map GPU memory to host physical RAM. The result is full user‑to‑root escalation on Linux systems, a capability that threatens shared‑GPU cloud instances where a single expensive card, often costing $8,000, serves dozens of tenants. This cross‑component breach underscores the urgency for cloud providers to enforce stricter isolation policies and for hardware designers to integrate GPU‑aware Rowhammer defenses.
Mitigation options are already available but come with trade‑offs. Enabling the IOMMU in BIOS blocks the GPU from accessing arbitrary host memory, yet the default configuration leaves it disabled to preserve performance. Similarly, activating ECC on the GPU can catch many bit flips but reduces usable memory and may still be bypassed by sophisticated hammering. Nvidia’s response points users to a support page, but industry‑wide adoption of these safeguards will likely depend on pressure from cloud operators and enterprise customers. As GPU acceleration becomes central to AI workloads, the security community must treat GPU memory with the same rigor applied to CPUs, ensuring future generations of graphics cards incorporate robust Rowhammer mitigation from the silicon up.
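A defender-side check for the two mitigations described above, as an added example that is not from the article or the papers: it reports whether each NVIDIA display device on a Linux host sits behind a translating IOMMU and whether `nvidia-smi` reports ECC as enabled. The function names and the `--run` switch are this example's own; the sysfs paths and the `ecc.mode.current` query field are standard Linux and `nvidia-smi` interfaces.

```shell
# Added example: audit IOMMU and ECC state for NVIDIA GPUs on a Linux host.

# gpu_iommu_state [SYSROOT]: one "<pci-address> <state>" line per NVIDIA
# display device. States: no-iommu, identity (passthrough), translated.
gpu_iommu_state() {
    root=${1:-/sys}
    for dev in "$root"/bus/pci/devices/*; do
        [ -r "$dev/vendor" ] || continue
        [ "$(cat "$dev/vendor")" = "0x10de" ] || continue   # NVIDIA PCI vendor ID
        case "$(cat "$dev/class" 2>/dev/null)" in 0x03*) ;; *) continue ;; esac  # display controllers only
        if [ ! -e "$dev/iommu_group" ]; then
            state=no-iommu       # device is not behind an active IOMMU
        elif [ "$(cat "$dev/iommu_group/type" 2>/dev/null)" = "identity" ]; then
            state=identity       # passthrough domain: device DMA is not restricted
        else
            state=translated
        fi
        echo "${dev##*/} $state"
    done
}

# ecc_findings: reads the output of
#   nvidia-smi --query-gpu=name,ecc.mode.current --format=csv,noheader
# on stdin and prints one OK/WARN line per GPU.
ecc_findings() {
    while IFS=, read -r name mode; do
        case "$(printf '%s' "$mode" | tr -d ' ')" in
            Enabled)  echo "OK $name: ECC enabled" ;;
            Disabled) echo "WARN $name: ECC disabled" ;;
            *)        echo "WARN $name: ECC not available" ;;
        esac
    done
}

# audit: runs both checks against the live system; non-zero if anything is weak.
audit() {
    rc=0
    iommu=$(gpu_iommu_state /sys)
    printf '%s\n' "$iommu"
    printf '%s\n' "$iommu" | grep -Eq ' (no-iommu|identity)$' && rc=1
    if command -v nvidia-smi >/dev/null 2>&1; then
        ecc=$(nvidia-smi --query-gpu=name,ecc.mode.current --format=csv,noheader | ecc_findings)
        printf '%s\n' "$ecc"
        printf '%s\n' "$ecc" | grep -q '^WARN' && rc=1
    fi
    return $rc
}

if [ "${1:-}" = "--run" ]; then audit; fi
```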