New GPUBreach attack enables system takeover via GPU rowhammer
GPUBreach attack exploits GPU rowhammer to enable privilege escalation and full system compromise.
Summary
Researchers at the University of Toronto have discovered GPUBreach, a new attack that exploits rowhammer bit-flips in GPU GDDR6 memory to corrupt GPU page tables and escalate privileges to root without disabling IOMMU protection. The attack chains GPU memory access exploits with memory-safety bugs in NVIDIA drivers, demonstrated on RTX A6000 GPUs commonly used in AI workloads. Full technical details will be presented at IEEE S&P on April 13, 2026, with mitigations currently unavailable for consumer GPUs without ECC memory.
Full text
New GPUBreach attack enables system takeover via GPU rowhammer By Bill Toulas April 6, 2026 05:44 PM 0 A new attack, dubbed GPUBreach, can induce Rowhammer bit-flips on GPU GDDR6 memories to escalate privileges and lead to a full system compromise. GPUBreach was developed by a team of researchers at the University of Toronto, and full details will be presented at the upcoming IEEE Symposium on Security & Privacy on April 13 in Oakland. The researchers demonstrated that Rowhammer-induced bit flips in GDDR6 can corrupt GPU page tables (PTEs) and grant arbitrary GPU memory read/write access to an unprivileged CUDA kernel. An attacker may then chain this into a CPU-side escalation by exploiting memory-safety bugs in the NVIDIA driver, potentially leading to complete system compromise without the need to disable Input-Output Memory Management Unit (IOMMU) protection. GPUBreach attack stepsSource: University of Toronto IOMMU is a hardware unit that protects against direct memory attacks. It controls and restricts how devices access memory by managing which memory regions are accessible to each device. Despite being an effective measure against most direct memory access (DMA) attacks, IOMMU does not stop GPUBreach. “GPUBreach shows that GPU Rowhammer attacks can move beyond data corruption to real privilege escalation,” the researchers explain. “By corrupting GPU page tables, an unprivileged CUDA kernel can gain arbitrary GPU memory read/write, and then chain that capability into CPU-side escalation by exploiting newly discovered memory-safety bugs in the NVIDIA driver.” “The result is system-wide compromise up to a root shell, without disabling IOMMU, unlike contemporary works, making GPUBreach a more potent threat.” Overview of how GPUBreach worksSource: University of Toronto The same researchers previously demonstrated GPUHammer, the first attack showing that Rowhammer attacks on GPUs are practical, prompting NVIDIA to issue a warning to users and suggesting the activation of the System Level Error-Correcting Code mitigation to block such attempts on GDDR6 memory. However, GPUBreach is taking the threat to the next level, showing that it is possible not only to corrupt data but also to gain root privileges with IOMMU enabled. The researchers exemplified the results with an NVIDIA RTX A6000 GPU with GDDR6. This model is widely used in AI development and training workloads. Comparison to other GPU attacksSource: University of Toronto Disclosure and mitigations The University of Toronto researchers reported their findings to NVIDIA, Google, AWS, and Microsoft on November 11, 2025. Google acknowledged the report and awarded the researchers a $600 bug bounty. NVIDIA stated that it may update its existing security notice from July 2025 to include the newly discovered attack possibilities. As demonstrated by the researchers, IOMMU alone is insufficient if GPU-controlled memory can corrupt trusted driver state, so users at risk should rely solely on that security measure. Error Correcting Code (ECC) memory helps correct single-bit flips and detect double-bit flips, but it is not reliable against multi-bit flips. Ultimately, the researchers underlined that GPUBreach is completely unmitigated for consumer GPUs without ECC. The researchers will publish the full details of their work, including a technical paper and a GitHub repository with the reproduction package and scripts, on April 13. Automated Pentesting Covers Only 1 of 6 Surfaces. Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the other.This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic questions for any tool evaluation. Get Your Copy Now Related Articles: CISA orders feds to patch exploited Fortinet EMS flaw by FridayGIGABYTE Control Center vulnerable to arbitrary file write flawMax severity Ubiquiti UniFi flaw may allow account takeoverFCC bans new routers made outside the USA over security risksConnectWise patches new flaw allowing ScreenConnect hijacking
Indicators of Compromise
- malware — GPUBreach
- malware — GPUHammer