7 Critical Insights into the New Rowhammer Attacks on NVIDIA GPUs

Introduction: A New Frontier in GPU Security

Two independent research teams have unveiled a groundbreaking vulnerability targeting NVIDIA's Ampere-generation GPUs that pushes Rowhammer attacks far beyond their traditional CPU boundaries. By inducing bitflips in GDDR6 memory, these exploits can hijack the host machine's entire memory space, granting attackers full system control. While requiring disabled IOMMU (the default BIOS setting) initially, one attack even works with IOMMU enabled. This article breaks down the seven key takeaways from these disclosures, from the mechanics of the attacks to their stark implications for GPU security.

1. The Attacks Are Cross-Component: GPUs as a Bridge to CPU Memory

Unlike conventional Rowhammer attacks that target CPU DRAM directly, these new exploits manipulate GDDR6 memory on the GPU. By corrupting page table entries or page directories within the GPU's memory, attackers gain read/write access not just to GPU memory, but to the host CPU's entire memory space. This cross-component attack vector means compromising a single GPU can lead to a full system takeover, bypassing many traditional security boundaries. The researchers demonstrated that from a GPU exploit, they could open a root shell on the host machine, issuing commands with unfettered privileges. This represents a significant escalation in Rowhammer's threat model, moving from local memory corruption to systemic compromise.

2. Two Separate Papers, Similar Goals: GDDRHammer and GeForge

Released simultaneously, GDDRHammer and GeForge both achieve the same end—full control of CPU memory—but through different technical approaches. GDDRHammer, presented by researchers including Andrew Kwong, targets the last-level page table of the GPU, while GeForge manipulates the last-level page directory. Both employ novel hammering patterns and memory massaging techniques to induce bitflips in GDDR6 memory, corrupting GPU page table mappings. GeForge's proof-of-concept against an RTX 3060 demonstrated 1,171 bitflips, and 202 against an RTX 6000. Importantly, both teams confirmed that the same techniques work against the more powerful RTX 6000 card, showing the vulnerability spans the Ampere lineup.

3. The IOMMU Dependency: A Barrier That Can Be Broken

Initially, both attacks required the Input-Output Memory Management Unit (IOMMU) to be disabled—a setting that comes as default in most BIOS configurations. The IOMMU normally prevents direct memory access attacks by isolating device memory from the host. However, a third attack, revealed on Friday, April 3, successfully demonstrated privilege escalation to a root shell on an RTX A6000 even with IOMMU enabled. This breakthrough eliminates the primary hardware mitigation, making the attacks viable on systems where IOMMU is active. It underscores how attackers can adapt hammering techniques to bypass even security features designed to thwart such exploits. The third attack uses a similar bitflip approach but achieves full compromise without relying on the IOMMU being off.

4. Bitflip Counts: Precision and Scalability

The attacks induce a carefully controlled number of bitflips using specialized hammering patterns. GeForge achieved 1,171 bitflips on an RTX 3060 and 202 on an RTX 6000, while GDDRHammer's numbers were similarly calibrated. These are not random errors; each flip is precisely positioned to corrupt specific memory structures like page tables or directories. The ability to produce hundreds of reliable bitflips demonstrates that GPU GDDR memory is susceptible to Rowhammer at a scale sufficient for exploitation. The researchers optimized their hammering loops and memory alignment to maximize flip probability while minimizing detection, showing that even modern GDDR6 with inbuilt error correction is vulnerable.

5. Privilege Escalation to Root: Full System Takeover

The end result of these attacks is not just data leakage or limited control—it's a root shell on the host machine. By corrupting the GPU page table, attackers can map arbitrary physical memory addresses, including kernel space, into the GPU's view. From there, they can execute code with host-level privileges, bypassing user-mode restrictions. Both teams demonstrated opening a root shell window that allowed issuing commands with no access controls. This privilege escalation is the most damaging aspect, as it means any system with a vulnerable NVIDIA Ampere GPU could be fully compromised by an attacker who can run code on the GPU (e.g., via a malicious application or browser-based WebGL).

6. Vulnerable Hardware: NVIDIA Ampere Generation Under Fire

The targeted hardware includes NVIDIA's Ampere architecture cards such as the RTX 3060, RTX 6000, and RTX A6000. These GPUs use GDDR6 memory, which the researchers found to be susceptible to Rowhammer bitflips. The experiments confirmed that both consumer and professional-grade cards are affected. While the researchers did not test older generations (e.g., Turing or Pascal), the same underlying DRAM physics applies—future attacks may expand to other NVIDIA families. Ampere was chosen for its widespread use and advanced memory controllers. The attack does not require physical access; it can be triggered purely through software, making remote exploitation plausible through GPU compute workloads or browser-based attacks.

7. Countermeasures and Mitigation Strategies

Currently, no official NVIDIA patch has been released for these specific Rowhammer variants. Potential mitigations include enabling IOMMU in BIOS (though the third attack bypasses this), using error-correcting code (ECC) memory where available, and limiting GPU direct memory access capabilities. Additionally, operating system-level defenses can restrict GPU access to critical kernel pages. Hardware countermeasures like increased refresh rates or Rowhammer-resistant DRAM designs are long-term solutions. Users should monitor NVIDIA security advisories and consider disabling GPU compute features in untrusted environments. The research emphasizes that GPU security must evolve beyond traditional CPU-focused mitigation, as these cross-component attacks blur the line between device and host security.

Conclusion: The GPU Security Landscape Shifts

The Rowhammer attacks against NVIDIA Ampere GPUs represent a paradigm shift in how we think about hardware security. By turning a peripheral's memory into a weapon against the host, GDDRHammer and GeForge expose a vulnerability that challenges existing security models. The ability to achieve full system compromise from a GPU, especially with one attack bypassing IOMMU, demands urgent attention from both hardware vendors and system administrators. As GPU compute becomes more prevalent in cloud, AI, and gaming environments, these findings serve as a critical reminder that no component is isolated. Expect ongoing research into Rowhammer on other GPU architectures and new mitigations to emerge. Start from the beginning to explore each insight in depth.