GPUBreach: Rowhammer Attacks Cross the GPU-CPU Boundary
Rowhammer has been a known class of DRAM attacks for over a decade. The mechanism is straightforward: repeatedly accessing a row of memory cells causes electrical charge to leak into adjacent rows, flipping bits from 0 to 1 or vice versa. What changes with GPUBreach, presented at IEEE S&P 2026 in Oakland, is the attack surface. For the first time, Rowhammer has been used to achieve full privilege escalation from a GPU across the PCIe bus into CPU memory, bypassing the IOMMU protections that were designed to prevent exactly this.
How GPUBreach works
The attack chain exploits the convergence of three capabilities that modern GPUs provide: large GDDR6 memory arrays (which use the same DRAM technology as system RAM), direct memory access (DMA) over PCIe, and programmable page tables that map GPU virtual addresses to physical memory.
[Figure: GPUBreach Attack Chain. 1. Rowhammer on GDDR6: bit-flip GPU page table entries. 2. IOMMU Bypass: corrupted mappings evade translation. 3. DMA to CPU Memory: arbitrary write via PCIe bus. 4. CPU Page Table Corruption: full root privilege escalation. Key facts: venue IEEE S&P 2026; GPU NVIDIA RTX A6000; bounty $600 (Google); memory GDDR6 (Ampere). Consumer impact: consumer Ampere GPUs likely affected; no ECC = no mitigation. Cloud risk: multi-tenant GPU environments exposed.]
Step 1: Bit-flipping GPU page tables
The attacker runs a standard Rowhammer pattern on GDDR6 memory from within a CUDA application. The target is not user data but the GPU's own page table entries. When a page table entry is flipped, the GPU's virtual address now maps to a different physical address than intended.
Step 2: Bypassing the IOMMU
The Input-Output Memory Management Unit (IOMMU) is supposed to prevent a device from accessing memory outside its assigned regions. GPUBreach circumvents this because the Rowhammer-induced corruption occurs within memory regions the IOMMU has already authorised for the GPU. The corrupted page table entries point to physical addresses that are technically within the GPU's DMA window, but they map to CPU page table entries rather than GPU data buffers.
Step 3: DMA writes to CPU memory
With the corrupted page table in place, the GPU's DMA engine writes to CPU physical memory. The attacker controls what data is written and where. The target is the CPU's page table entries for the current process.
Step 4: Privilege escalation
By overwriting CPU page table entries, the attacker maps their process's memory pages with kernel-level permissions. The result is full root access on the CPU, achieved entirely from the GPU side of the PCIe bus.
Why GPUs change the equation
Rowhammer on system RAM is well understood, and mitigations exist: ECC memory can detect and correct single-bit flips, and memory controllers can implement targeted row refresh. GPUs introduce a new dimension because GDDR6 uses the same underlying DRAM technology but sits behind the GPU's DMA engine, where the CPU memory controller's refresh mitigations do not reach.
NVIDIA's RTX A6000 workstation GPU was confirmed vulnerable in the paper. Consumer Ampere-series GPUs (RTX 3090, 3080, and similar) use the same GDDR6 memory and are likely affected, though the researchers did not explicitly test consumer cards. The critical gap: consumer GPUs do not support ECC. Enterprise data centre GPUs (A100, H100) include ECC and are partially mitigated, but the attack may still be feasible through multi-bit flips that overwhelm single-error correction.
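Why ECC is only a partial mitigation, as an added example (not code from the paper or from NVIDIA): a textbook extended Hamming (72,64) SECDED code, assumed here as a stand-in because the page does not specify the GPU's ECC scheme. One flipped bit is repaired, two are flagged, and three can be "corrected" into wrong data; the 64-bit sample value is constructed.

```python
# Textbook extended Hamming (72,64) SECDED; an assumed stand-in, not NVIDIA's ECC.
PARITY_POS = [1 << i for i in range(7)]                 # check bits at 1,2,4,...,64
DATA_POS = [p for p in range(1, 72) if p not in PARITY_POS]  # 64 data positions

def syndrome(word):
    """XOR of the positions (1..71) of all set bits; 0 for a valid codeword."""
    s = 0
    for pos in range(1, 72):
        if (word >> pos) & 1:
            s ^= pos
    return s

def encode(data):
    """Spread 64 data bits over DATA_POS, then add check bits and overall parity."""
    word = 0
    for i, pos in enumerate(DATA_POS):
        if (data >> i) & 1:
            word |= 1 << pos
    s = syndrome(word)
    for p in PARITY_POS:
        if s & p:
            word |= 1 << p              # drives the syndrome to zero
    if bin(word).count("1") & 1:
        word |= 1                       # bit 0: overall parity (even)
    return word

def decode(word):
    """Return (data, status); data is None when the error is flagged uncorrectable."""
    s = syndrome(word)
    odd = bin(word).count("1") & 1
    status = "clean"
    if odd:                             # odd flip count: decoder assumes exactly one
        if s > 71:
            return None, "uncorrectable"
        word ^= 1 << s                  # s == 0 means the parity bit itself flipped
        status = "corrected"
    elif s:                             # even flip count with nonzero syndrome
        return None, "uncorrectable"
    data = 0
    for i, pos in enumerate(DATA_POS):
        if (word >> pos) & 1:
            data |= 1 << i
    return data, status

def flip(word, *positions):
    """Model disturbance errors by toggling the given codeword bit positions."""
    for p in positions:
        word ^= 1 << p
    return word

ORIGINAL = 0x00007FFFDEADB000           # constructed 64-bit sample value
```

The three-flip case is the one to watch operationally: the decoder reports a routine corrected error while handing back data that differs from the original in four bits.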
Cloud implications
The most severe implications are for multi-tenant GPU cloud environments. AWS, Google Cloud, and Azure all offer GPU instances where multiple virtual machines share physical GPU hardware. If a tenant can execute arbitrary CUDA code on a shared GPU, the GPUBreach attack chain allows them to escape the GPU boundary and gain root access on the host system, potentially compromising every tenant on that host.
Google awarded a $600 bug bounty for the disclosure. No CVE has been assigned for consumer GPUs, and no software mitigation exists for hardware that lacks ECC.
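An ECC inventory check for the gap described above, as an added example (not from the paper or any vendor tool): it parses the CSV output of the nvidia-smi query shown in the code and classifies each GPU. The sample output and the verdict labels are constructed for illustration.

```python
import csv
import io

# Query whose CSV output audit() expects (standard nvidia-smi query fields).
QUERY = ("nvidia-smi --query-gpu=index,name,ecc.mode.current,"
         "ecc.errors.corrected.volatile.total,"
         "ecc.errors.uncorrected.volatile.total --format=csv,noheader")

# Constructed sample output, not captured from a real host.
SAMPLE = """\
0, NVIDIA RTX A6000, Disabled, [N/A], [N/A]
1, NVIDIA A100-SXM4-40GB, Enabled, 0, 0
2, NVIDIA GeForce RTX 3090, [N/A], [N/A], [N/A]
3, NVIDIA A100-SXM4-40GB, Enabled, 41, 2
"""

def _count(field):
    """Error counters are integers, or a non-numeric marker when unavailable."""
    return int(field) if field.isdigit() else None

def audit(csv_text):
    """Return (index, name, verdict) per GPU; verdict names are illustrative."""
    findings = []
    for row in csv.reader(io.StringIO(csv_text), skipinitialspace=True):
        if len(row) != 5:
            continue                     # skip blank or malformed lines
        index, name, mode, corrected, uncorrected = (f.strip() for f in row)
        corr, uncorr = _count(corrected), _count(uncorrected)
        if mode == "[N/A]":
            verdict = "no-ecc-support"   # no mitigation available on this card
        elif mode != "Enabled":
            verdict = "ecc-disabled"     # supported but switched off
        elif uncorr:
            verdict = "ecc-uncorrectable-errors"  # multi-bit errors seen since reload
        elif corr:
            verdict = "ecc-corrected-errors"      # single-bit errors seen since reload
        else:
            verdict = "ecc-clean"
        findings.append((int(index), name, verdict))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On a real host, pass the stdout of the `QUERY` command to `audit()` in place of `SAMPLE`.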
The broader picture
GPUBreach is not an isolated finding. It sits within a growing body of research that treats hardware accelerators as attack surfaces rather than trusted peripherals. As GPUs, TPUs, and other accelerators gain more direct memory access and more programmable memory controllers, the attack surface will only expand. The fix ultimately lies in hardware: memory controllers that can detect and refresh Rowhammered regions in GDDR, and IOMMU implementations that validate not just the DMA window but the semantic correctness of page table entries.
For now, organisations running untrusted CUDA workloads on shared GPU infrastructure should treat this as an unpatched privilege escalation vulnerability. The research paper and technical details are available at gpubreach.ca.