New Rowhammer Attacks Target NVIDIA GPUs to Compromise Host Systems
Independent research teams have demonstrated that Rowhammer attacks against NVIDIA Ampere-generation GPUs can grant attackers full control over a host machine's CPU memory and lead to root-level privilege escalation.

Researchers have demonstrated that Rowhammer attacks can be successfully executed against NVIDIA Ampere-generation GPUs, leading to full system compromise. By inducing bit flips in GDDR6 memory, attackers can gain arbitrary read/write access to a host machine's CPU memory. This development marks a significant shift in Rowhammer research, moving the threat from CPU-based memory corruption to cross-component attacks originating from graphics hardware Schneier on Security.
The technical mechanism involves "hammering" specific rows in DRAM to induce bit flips. Two independent research teams recently unveiled their findings: the "GDDRHammer" paper and the "GeForge" paper. GDDRHammer exploits the last-level page table to gain control, while GeForge manipulates the last-level page directory. Both methods utilize novel hammering patterns and memory massaging to corrupt GPU page table mappings within GDDR6 memory Schneier on Security.
The impact of these vulnerabilities is severe, as they allow an attacker to escalate privileges and achieve complete control over the host system. In proof-of-concept demonstrations, the GeForge exploit against an NVIDIA RTX 3060 resulted in the opening of a root shell, granting the attacker unfettered command execution privileges. Researchers successfully induced 1,171 bit flips against the RTX 3060 and 202 bit flips against the RTX 6000 using this technique Schneier on Security.
Initially, it was believed that these attacks required the IOMMU (Input-Output Memory Management Unit) to be disabled—a common default in many BIOS configurations. However, a third, separate research effort revealed a Rowhammer attack targeting the RTX A6000 that can achieve root-level privilege escalation even when the IOMMU is enabled. This indicates that the threat surface for these GPU-based attacks is broader than initially anticipated Schneier on Security.
While Rowhammer has been a well-studied threat on CPUs for years, these findings confirm that GPUs are now a viable vector for similar memory-corruption attacks. The ability to bridge the gap between GPU memory and host CPU memory represents a critical escalation in hardware security risks. As researchers continue to refine these hammering patterns, the industry faces a new challenge in securing high-performance graphics hardware against memory-level exploitation Schneier on Security.