8 Critical Facts About the New Rowhammer Attacks on NVIDIA GPUs

Recent research has unveiled a new class of Rowhammer attacks specifically targeting NVIDIA GPUs, posing a significant threat to system security. These attacks, demonstrated by multiple independent teams, exploit vulnerabilities in GDDR memory to gain full control over the host CPU and compromise the entire machine. Understanding these attacks is crucial for defenders and security professionals. Below are the eight key facts you need to know about this emerging threat.

1. Rowhammer Basics: What It Is and How It Works

Rowhammer is a well-known DRAM vulnerability where repeated access to a memory row causes electrical interference, leading to bit flips in adjacent rows. These bit flips can corrupt data or, when exploited strategically, allow attackers to break memory isolation and escalate privileges. Originally demonstrated on CPUs, Rowhammer has now been successfully ported to GPU memory subsystems, marking a dangerous evolution. The mechanism remains the same: rapidly activating a row (hammering) until charge leakage flips bits in neighboring rows. With careful memory massaging, attackers can predict and control which bits flip, enabling arbitrary read/write access.

2. Two Independent Research Teams Reveal GPU Rowhammer Attacks

On the same day, two research groups published papers demonstrating Rowhammer attacks on NVIDIA's Ampere-generation GPUs (such as RTX 3060 and RTX 6000). One team (including Andrew Kwong) presented GDDRHammer, while the other unveiled GeForge. Both attacks achieve full compromise of the host system, but they differ in their technical approach. The simultaneous disclosure underscores the growing interest in GPU-based Rowhammer exploitation and the severity of the threat. These findings show that Rowhammer is no longer a CPU-only concern; GPUs, with their large memory bandwidth and parallel processing, are equally—if not more—vulnerable.

3. GDDRHammer: Manipulating Last-Level Page Tables

GDDRHammer targets the last-level page table in GPU memory. By inducing bit flips in GDDR6 memory, attackers corrupt GPU page table entries, gaining read/write access to the GPU’s memory space. From there, they pivot to control the host CPU’s memory via DMA (Direct Memory Access) capabilities. The attack requires the IOMMU to be disabled (default in BIOS). Once successful, adversaries can execute arbitrary code with full system privileges. The researchers demonstrated this on the RTX 3060 and RTX 6000, achieving complete machine compromise. GDDRHammer’s novel hammering patterns and memory massaging techniques make it highly effective.

4. GeForge: Alternative Exploitation via Page Directory Corruption

GeForge takes a slightly different path: instead of targeting the last-level page table, it corrupts the last-level page directory in GPU memory. This allows the attacker to forge GPU page tables and obtain arbitrary memory access. The team reported 1,171 bitflips on the RTX 3060 and 202 bitflips on the RTX 6000. Ultimately, GeForge also gains the same privileges over host CPU memory, ending with a root shell window on the exploited machine. This demonstrates that multiple angle of attack exist, increasing the challenge for mitigation. Like GDDRHammer, GeForge relies on specific hammering patterns and memory manipulation.

5. Third Attack Overcomes IOMMU Protection

On Friday (after the initial two papers), a third research team published an attack targeting the RTX A6000 GPU. This variant achieves privilege escalation to a root shell even when IOMMU (Input-Output Memory Management Unit) is enabled. IOMMU is a security feature that restricts DMA access; earlier attacks bypassed it only when disabled. This third attack proves that IOMMU is not a guaranteed defense. Although the specific technical details are less publicized, it raises the urgency for hardware vendors to develop robust countermeasures beyond software-based IOMMU enablement.

6. Required Conditions: IOMMU Status and Default BIOS Settings

For GDDRHammer and GeForge to succeed, the IOMMU must be disabled. In many BIOS configurations, IOMMU is turned off by default—even though it improves security. This default setting dramatically expands the attack surface. The third attack, however, works with IOMMU active, meaning even systems with IOMMU enabled are not safe. System administrators should verify their BIOS settings, but this alone may not be sufficient. NVIDIA and motherboard vendors need to revise default configurations and implement additional memory integrity checks in GPU drivers and firmware.

7. Real-World Impact: Full System Compromise and Root Access

All three attacks culminate in full compromise of the host machine. Attackers gain arbitrary read/write access to the CPU’s memory and can execute commands with root privileges. This allows them to install malware, steal sensitive data, disable security software, or leverage the system for further attacks. The GPU, often considered a separate, less privileged component, becomes a powerful entry point. These attacks demonstrate that GPU security must be taken as seriously as CPU security, especially in shared environments like cloud computing or multi-tenant GPU clusters.

8. Mitigation Challenges and Future Directions

Mitigating GPU Rowhammer attacks is challenging due to the fundamental physics of DRAM. Error-correcting code (ECC) memory can some bit flips, but GDDR6 typically lacks ECC. Possible mitigations include enabling IOMMU (though not foolproof), updating GPU firmware to detect hammering patterns, and using memory refresh rates tuned to prevent bit flips. Researchers recommend that GPU vendors implement Rowhammer-resistant physical layout designs and that system administrators disable unnecessary GPU DMA access. Software-based defenses, such as KASLR (Kernel Address Space Layout Randomization) and privilege separation, may slow attackers but cannot eliminate the threat. Ongoing research is needed to secure GPU memory subsystems without sacrificing performance.

In conclusion, the emergence of Rowhammer attacks on NVIDIA GPUs marks a significant escalation in hardware security threats. With multiple proven exploit paths and the potential for full system takeover, organizations must reassess their GPU deployment security. While patches and best practices can reduce risk, the fundamental vulnerability in DRAM technology remains. Stay informed and proactive to protect your systems.