Security researchers have demonstrated a new class of Rowhammer attacks targeting NVIDIA GPUs that can escalate from memory corruption to full system compromise, marking a significant shift in hardware-level security risks. Detailed in recent academic research and highlighted by Ars Technica, the attacks, known as GDDRHammer and GeForce/GeForge, exploit vulnerabilities in GDDR6 GPU memory to gain arbitrary read and write access, ultimately allowing attackers to take control of the host CPU and system memory.
The findings build on earlier research into Rowhammer, a long-known hardware flaw in DRAM where repeatedly accessing (“hammering”) memory rows induces bit flips in adjacent memory cells, bypassing traditional isolation mechanisms. While historically associated with system RAM, researchers have now shown that similar techniques can be applied to GPU memory, dramatically expanding the attack surface, particularly in environments where GPUs are shared, such as cloud infrastructure and AI training platforms.
Unlike earlier GPU-focused attacks that primarily impacted application behavior (such as degrading AI model accuracy), these new techniques demonstrate end-to-end compromise capabilities. By carefully inducing bit flips in GPU memory, attackers can manipulate page tables and memory mappings, effectively bridging the gap between GPU and CPU memory spaces. This enables unauthorized access to system memory and, in some cases, full control over the machine.
Research shows that attacks like GDDRHammer can generate large numbers of targeted bit flips, over 100 per memory bank in some cases, while bypassing existing GPU protections. More advanced variants can even redirect GPU memory access to CPU memory, allowing attackers to read or modify sensitive data beyond the GPU itself.
The implications are particularly serious for AI and cloud computing environments, where GPUs are frequently shared across workloads and users. In these settings, an attacker may not need direct access to a victim’s data, only shared access to the same GPU hardware, to interfere with workloads or escalate privileges. This makes multi-tenant GPU clusters a high-risk target for such attacks.
The research also underscores a broader trend: as GPUs become central to modern computing, powering everything from generative AI to high-performance workloads, they are increasingly becoming part of the security threat landscape, rather than just performance accelerators.
Mitigating Rowhammer-style attacks remains difficult due to their hardware-level nature. Potential defenses include enabling error-correcting code (ECC) memory, increasing memory refresh rates, or restricting GPU access to system memory via technologies such as IOMMU. However, these measures often come with performance trade-offs or limited effectiveness against sophisticated attack patterns.
Complicating matters further, research has shown that even modern mitigation techniques in DRAM are not always sufficient to fully prevent Rowhammer exploits, particularly as memory density increases and attack methods evolve.
The emergence of GPU-based Rowhammer attacks represents a significant escalation in hardware security threats, extending a decade-old vulnerability into new domains. As attackers increasingly target shared infrastructure and lower layers of the computing stack, the research highlights the need for cross-layer security approaches that combine hardware protections, system-level isolation, and workload-aware defenses.
For organizations relying heavily on GPUs, particularly in AI and cloud environments, the message is clear: hardware is no longer a trusted boundary. Instead, it must be actively monitored, hardened, and integrated into broader security strategies as part of an evolving threat landscape.
