GPUBreach: Root Shell Access Achieved via GPU Rowhammer Attack
Researchers demonstrate GPU Rowhammer attack enabling root shell access via memory corruption.
Summary
University of Toronto researchers have disclosed GPUBreach, a Rowhammer-style attack targeting Nvidia GPU memory that can corrupt GPU page tables and enable arbitrary read-write access. Combined with memory-safety bugs in Nvidia drivers, the attack achieves CPU-side privilege escalation and full system compromise. The technique poses significant risk to cloud environments where multiple users share physical GPUs, requiring only GPU code execution privileges rather than local hardware access.
Full text
A team of researchers from the University of Toronto has discovered a new Rowhammer attack that threat actors can use to escalate privileges. The Rowhammer technique, a hardware vulnerability known for more than a decade, works by repeatedly accessing — or “hammering” — a specific row of DRAM memory cells. This rapid activity can generate electrical interference that causes bit flips in neighboring memory regions. Over the years, researchers have shown that Rowhammer attacks can be exploited to enable privilege escalation, unauthorized data access, data corruption, and breaches of memory isolation in virtualized environments.
Until recently, however, such attacks had been limited to CPUs and traditional CPU-based memory. With GPUs playing an increasingly critical role in AI and machine learning workloads, a team from the University of Toronto last year successfully demonstrated a Rowhammer-style attack targeting the memory of an Nvidia GPU. They showed how the attack, dubbed GPUHammer, can induce bit flips that significantly degrade the accuracy of deep neural network (DNN) models, including ImageNet-trained models used for visual object recognition.
The researchers behind GPUHammer, assisted by several others, have now demonstrated that GPU Rowhammer attacks can be used for more than just disruption. Their new attack, named GPUBreach, shows that attackers can induce GDDR6 bit flips that corrupt GPU page tables, enabling arbitrary read-write access to memory. In combination with new memory-safety bugs in Nvidia drivers, the researchers showed that GPUBreach can be used for CPU-side privilege escalation, ultimately achieving root shell privileges and full system compromise. The attack can pose a significant threat to cloud environments, where multiple users share the same physical GPU.
Conducting an attack does not require physical/local hardware access to the targeted system, but the attacker does need to have code execution privileges on the GPU — this can be any user with permissions to use the GPU.
The researchers reported their findings to Nvidia in November 2025, and the chip giant said it may update its previous Rowhammer security notice with information from the new research project. Due to potential cloud impact, Microsoft, AWS, and Google have also been notified, and Google has paid out a $600 bounty for the findings.
“As with other Rowhammer attacks, ECC can be helpful as a mitigation, since it can correct single-bit flips and detect double-bit flips,” the researchers explained. “On server and workstation GPUs (e.g., RTX A6000), we advise enabling ECC as per the NVIDIA security notice,” they added. “However, if attack patterns induce more than two bit flips (shown feasible on DDR4 and DDR5 systems), existing ECC cannot correct these and may even cause silent data corruption; so ECC is not a foolproof mitigation against GPUBreach.”
Written By Eduard Kovacs. Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek.
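The ECC caveat quoted above can be seen in a small model. This is an added example, not code from the researchers or Nvidia: it assumes a textbook (72,64) extended-Hamming SECDED code (the page does not describe the GPU's actual ECC layout) and uses a constructed 64-bit sample word to show one flip corrected, two flips detected, and three flips "corrected" into wrong data.

```python
# Added illustration: textbook (72,64) extended-Hamming SECDED, not any vendor's ECC.
N = 72                                               # bit 0 = overall parity bit
DATA_POS = [i for i in range(1, N) if i & (i - 1)]   # 64 non-power-of-two slots

def syndrome(cw):
    """XOR of the positions (1..71) of all set bits; 0 for a valid codeword."""
    s = 0
    for i in range(1, N):
        if (cw >> i) & 1:
            s ^= i
    return s

def encode(data):
    cw = 0
    for k, pos in enumerate(DATA_POS):               # scatter the 64 data bits
        cw |= ((data >> k) & 1) << pos
    s = syndrome(cw)
    for j in range(7):                               # check bits at 1,2,4,...,64
        cw |= ((s >> j) & 1) << (1 << j)
    return cw | (bin(cw).count("1") & 1)             # make total parity even

def decode(cw):
    """Return (status, data) as a SECDED decoder would report them."""
    s, odd = syndrome(cw), bin(cw).count("1") & 1
    if odd and s < N:                                # looks like one flipped bit
        cw ^= 1 << s                                 # s == 0: the parity bit itself
        status = "corrected"
    elif odd or s:                                   # even flip count or bad position
        status = "uncorrectable"
    else:
        status = "clean"
    data = sum(((cw >> pos) & 1) << k for k, pos in enumerate(DATA_POS))
    return status, data

def flip(cw, *positions):
    for p in positions:
        cw ^= 1 << p
    return cw

WORD = 0x00007F3A1C400003                            # constructed 64-bit sample value

def demo():
    cw = encode(WORD)
    cases = {"1 flip": (9,), "2 flips": (3, 9), "3 flips": (3, 5, 9)}
    return {name: decode(flip(cw, *pos)) for name, pos in cases.items()}

if __name__ == "__main__":
    for name, (status, data) in demo().items():
        print(f"{name}: {status:13s} data intact: {data == WORD}")
```

In the three-flip case the decoder reports a successful correction while returning a word that differs from the original in four bits, so corrected-error counters alone do not prove the data is intact.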
Indicators of Compromise
- malware — GPUBreach
- malware — GPUHammer