Rowhammer Attack Against NVIDIA Chips - Schneier on Security
Rowhammer attacks on NVIDIA Ampere GPUs enable full system compromise via GDDR bitflips.
Summary
Two independent research teams demonstrated rowhammer attacks against NVIDIA Ampere generation GPUs that exploit GDDR memory bit flips to gain complete control of host CPU memory and achieve full system compromise. The attacks work when IOMMU memory management is disabled (the default BIOS setting), and a third attack variant also works with IOMMU enabled on RTX A6000 cards. The exploits use novel hammering patterns and memory manipulation techniques to corrupt GPU page table mappings, ultimately granting attackers root-level access to the host machine.
Full text
Rowhammer Attack Against NVIDIA Chips A new rowhammer attack gives complete control of NVIDIA CPUs. On Thursday, two research teams, working independently of each other, demonstrated attacks against two cards from Nvidia’s Ampere generation that take GPU rowhammering into new—and potentially much more consequential—territory: GDDR bitflips that give adversaries full control of CPU memory, resulting in full system compromise of the host machine. For the attack to work, IOMMU memory management must be disabled, as is the default in BIOS settings. “Our work shows that Rowhammer, which is well-studied on CPUs, is a serious threat on GPUs as well,” said Andrew Kwong, co-author of one of the papers. “GDDRHammer: Greatly Disturbing DRAM RowsCross-Component Rowhammer Attacks from Modern GPUs.” “With our work, we… show how an attacker can induce bit flips on the GPU to gain arbitrary read/write access to all of the CPU’s memory, resulting in complete compromise of the machine.” Update Friday, April 3: On Friday, researchers unveiled a third Rowhammer attack that also demonstrates Rowhammer attacks on the RTX A6000 that achieves privilege escalation to a root shell. Unlike the previous two, the researchers said, it works even when IOMMU is enabled. The second paper is GeForge: Hammering GDDR Memory to Forge GPU Page Tables for Fun and Profit: …does largely the same thing, except that instead of exploiting the last-level page table, as GDDRHammer does, it manipulates the last-level page directory. It was able to induce 1,171 bitflips against the RTX 3060 and 202 bitflips against the RTX 6000. GeForge, too, uses novel hammering patterns and memory massaging to corrupt GPU page table mappings in GDDR6 memory to acquire read and write access to the GPU memory space. From there, it acquires the same privileges over host CPU memory. The GeForge proof-of-concept exploit against the RTX 3060 concludes by opening a root shell window that allows the attacker to issue commands that run unfettered privileges on the host machine. The researchers said that both GDDRHammer and GeForge could do the same thing against the RTC 6000. Tags: academic papers, cyberattack, hacking, hardware Posted on May 6, 2026 at 6:36 AM • 9 Comments