GPUBreach: Root Shell Access Achieved via GPU Rowhammer Attack

A team of researchers from the University of Toronto has discovered a new Rowhammer attack that threat actors can use to escalate privileges. The Rowhammer technique, a hardware vulnerability known for more than a decade, works by repeatedly accessing — or “hammering” — a specific row of DRAM memory cells. This rapid activity can generate electrical interference that causes bit flips in neighboring memory regions. Over the years, researchers have shown that Rowhammer attacks can be exploited to enable privilege escalation, unauthorized data access, data corruption, and breaches of memory isolation in virtualized environments. Until recently, however, such attacks had been limited to CPUs and traditional CPU-based memory. With GPUs playing an increasingly critical role in AI and machine learning workloads, a team from the University of Toronto last year successfully demonstrated a Rowhammer-style attack targeting the memory of an Nvidia GPU.  They showed how the attack, dubbed GPUHammer, can induce bit flips that significantly degrade the accuracy of deep neural network (DNN) models, including ImageNet-trained models used for visual object recognition.  The researchers behind GPUHammer, assisted by several others, have now demonstrated that GPU Rowhammer attacks can be used for more than just disruption. Their new attack, named GPUBreach, shows that attackers can induce GDDR6 bit flips that corrupt GPU page tables, enabling arbitrary read-write access to memory.  In combination with new memory-safety bugs in Nvidia drivers, the researchers showed that GPUBreach can be used for CPU-side privilege escalation, ultimately achieving root shell privileges and full system compromise. The attack can pose a significant threat to cloud environments, where multiple users share the same physical GPU.  Conducting an attack does not require physical/local hardware access to the targeted system, but the attacker does need to have code execution privileges on the GPU — this can be any user with permissions to use the GPU.  The researchers reported their findings to Nvidia in November 2025, and the chip giant said it may update its previous Rowhammer security notice with information from the new research project.  Due to potential cloud impact, Microsoft, AWS, and Google have also been notified, and Google has paid out a $600 bounty for the findings.  “As with other Rowhammer attacks, ECC can be helpful as a mitigation, since it can correct single-bit flips and detect double-bit flips,” the researchers explained.  “On server and workstation GPUs (e.g., RTX A6000), we advise enabling ECC as per the NVIDIA security notice,” they added. “However, if attack patterns induce more than two bit flips (shown feasible on DDR4 and DDR5 systems), existing ECC cannot correct these and may even cause silent data corruption; so ECC is not a foolproof mitigation against GPUBreach.” Related: Rowhammer Attack Demonstrated Against DDR5 Related: Intel, AMD Processors Affected by PCIe Vulnerabilities Related: Google-Intel Security Audit Reveals Severe TDX Vulnerability Allowing Full Compromise WRITTEN BY Eduard Kovacs Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering. More from Eduard Kovacs T-Mobile Sets the Record Straight on Latest Data Breach Filing Apple Rolls Out DarkSword Exploit Protection to More Devices Cybersecurity M&A Roundup: 38 Deals Announced in March 2026 Toy Giant Hasbro Hit by Cyberattack Exploited Zero-Day Among 21 Vulnerabilities Patched in Chrome FBI Warns of Data Security Risks From China-Made Mobile Apps Google Addresses Vertex Security Issues After Researchers Weaponize AI Agents Censys Raises $70 Million for Internet Intelligence Platform Latest News Medusa Ransomware Fast to Exploit Vulnerabilities, Breached Systems German Police Unmask REvil Ransomware Leader White House Seeks to Slash CISA Funding by $707 Million Wynn Resorts Says 21,000 Employees Affected by ShinyHunters Hack Google DeepMind Researchers Map Web Attacks Against AI Agents Guardarian Users Targeted With Malicious Strapi NPM Packages North Korean Hackers Target High-Profile Node.js Maintainers Fortinet Rushes Emergency Fixes for Exploited Zero-Day Trending Webinar: Securing Fragile OT In An Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the Move Scott Goree has been appointed Senior Vice President of Channel and Alliances at Delinea. Kai has named Nick Degnan as Chief Revenue Officer. Joe Sullivan has been appointed Strategic Advisor at cloud security firm Upwind. More People On The Move Expert Insights The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue. (Steve Durbin) Why Agentic AI Systems Need Better Governance – Lessons From OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) The Human IOC: Why Security Professionals Struggle With Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How To 10x Your Vulnerability Management Program In The Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose A Critical Flaw In Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Flipboard Reddit Whatsapp Email