GPUBreach Exploits GDDR6 Rowhammer for Full System Takeover

A team of researchers from the University of Toronto has demonstrated a novel attack technique that weaponizes GPU memory vulnerabilities to achieve complete system compromise, including root shell access on systems protected by IOMMU.

The attack, dubbed GPUBreach, represents a significant escalation over previous GPU-based attacks because it successfully bridges the gap between GPU memory corruption and CPU-side privilege escalation—something security researchers have long theorized but rarely demonstrated in practice.

How GPUBreach Works

The attack exploits a well-known memory corruption technique called rowhammer, but applies it to GDDR6 memory found in modern graphics cards rather than traditional DDR DRAM. By repeatedly accessing adjacent memory rows at high frequency, an attacker can induce electrical interference that flips bits in neighboring rows without directly accessing them.

What makes GPUBreach particularly dangerous is its attack chain. First, an unprivileged CUDA kernel induces bit-flips in GDDR6 memory. These bit-flips corrupt GPU page tables (PTEs), granting the attacker arbitrary read/write access to GPU memory. The attacker then exploits memory-safety vulnerabilities in the NVIDIA driver to pivot from GPU to CPU, ultimately achieving root access.

Previous GPU rowhammer research, including GDDRHammer and GeForge, required disabling IOMMU protections to achieve meaningful exploitation. GPUBreach bypasses this limitation entirely by targeting driver vulnerabilities rather than attempting to escape hardware-enforced memory isolation.

Affected Systems and Scope

The researchers demonstrated GPUBreach on an NVIDIA RTX A6000—a high-end professional GPU commonly used in AI development, scientific computing, and data center workloads. However, the underlying vulnerability affects any GDDR6-based GPU without error-correcting code (ECC) protection.

Consumer GPUs from NVIDIA, AMD, and other manufacturers typically lack ECC memory, making them vulnerable to this class of attack. The researchers noted that even data center GPUs with ECC enabled are not immune, as multi-bit flips can potentially evade error correction.

"Consumer GPUs are completely unmitigated," the research team stated in their paper, which will be presented at the IEEE Symposium on Security & Privacy on April 13.

Google, one of the vendors notified about the vulnerability, awarded a $600 bug bounty—a figure that sparked debate on security forums given the severity of the demonstrated impact.

Detection and Mitigation Challenges

Organizations face limited options for defending against GPUBreach. System-level ECC memory, enabled by default on NVIDIA Hopper and Blackwell architecture data center GPUs, provides some protection but is not a complete solution against multi-bit corruption scenarios.

For enterprises running AI workloads or GPU-accelerated computing, the attack surface is substantial. Shared GPU resources in cloud environments or containerized workloads could potentially be exploited by a malicious tenant to escape isolation boundaries.

The November 2025 disclosure to NVIDIA, Google, AWS, and Microsoft gave vendors five months to develop mitigations before public release. Whether effective patches exist remains unclear—NVIDIA has not issued a public advisory addressing the specific attack chain demonstrated by GPUBreach.

Why This Matters

Hardware-level attacks like GPUBreach are notoriously difficult to patch through software updates alone. Unlike vulnerabilities in web applications or cloud platforms that can be fixed server-side, rowhammer attacks exploit fundamental physics of memory design.

The growing deployment of GPUs for AI inference, cryptocurrency operations, and general-purpose computing expands the potential attack surface significantly. As organizations increasingly rely on GPU acceleration, attacks targeting GPU memory become correspondingly more valuable to adversaries.

Security teams should audit GPU-accelerated workloads, particularly those processing untrusted inputs. Isolation mechanisms between GPU tenants should be evaluated against this new attack primitive. For high-security environments, the research suggests that only ECC-enabled data center GPUs offer meaningful protection.

The full technical details and proof-of-concept will be available following the IEEE presentation next week.