A novel attack method, named GPUBreach, has been demonstrated by researchers, showcasing the ability to induce Rowhammer bit-flips on modern GPU memory. This technique can escalate privileges from an unprivileged compute kernel to achieve arbitrary memory access, ultimately leading to a complete system takeover. The attack specifically targets the GDDR6 memory commonly used in contemporary graphics processing units (GPUs), exploiting the well-documented Rowhammer hardware vulnerability in a new, critical context. Developed by a team from the University of Toronto, the full technical details of GPUBreach are scheduled for presentation at the prestigious IEEE Symposium on Security & Privacy in Oakland on April 13.
The core of the GPUBreach attack lies in its ability to corrupt GPU page table entries (PTEs) through Rowhammer-induced bit flips in GDDR6 memory. In a demonstration, researchers showed that an attacker with access to an unprivileged CUDA kernel—a common scenario in shared computing environments like cloud services—could use this corruption to gain arbitrary read and write access to the GPU's memory. This initial breach on the GPU side is then chained into a CPU-side privilege escalation by exploiting memory-safety vulnerabilities within the NVIDIA graphics driver. Critically, this full-system compromise can be achieved without needing to disable the system's Input-Output Memory Management Unit (IOMMU), a hardware security feature designed to prevent direct memory access (DMA) attacks by peripherals.
The IOMMU acts as a critical gatekeeper, controlling and restricting how devices like GPUs access the system's main memory. While it is an effective defense against traditional DMA-based attacks, GPUBreveals a significant architectural weakness: the IOMMU does not protect against attacks that originate from *within* the GPU's own memory subsystem. "GPUBreach shows that GPU Rowhammer attacks can move beyond data corruption to real privilege escalation," the researchers stated. By corrupting the GPU's internal page tables, the attack bypasses the IOMMU's protections, as the malicious memory accesses appear to be legitimate GPU operations from the system's perspective.
The implications of GPUBreach are severe for any environment where GPU resources are shared between untrusted users, such as public cloud computing platforms, research clusters, or virtualized workstations. It represents a paradigm shift in hardware-based threats, moving Rowhammer from a CPU-centric concern to a potent vector against accelerators. This discovery underscores the persistent challenge of securing hardware against side-channel and fault-injection attacks, even as software defenses improve. Mitigation will likely require a combination of firmware updates from GPU vendors, driver patches, and potentially new hardware designs in future memory generations to fundamentally address the Rowhammer vulnerability at its root.
