Researchers from the University of Toronto have published details of GPUBreach, a novel attack technique that exploits Rowhammer bit-flips in GPU GDDR6 memory to escalate privileges from an unprivileged GPU context to root on the host CPU — achieving complete system compromise without needing physical access or disabling hardware isolation protections.
The findings represent a significant advance in hardware security research, demonstrating that GPU memory is vulnerable to the same class of fault-injection attacks previously associated with CPU DRAM — and that those attacks can be weaponized to escape GPU isolation entirely.
What Is Rowhammer?
Rowhammer is a class of hardware attack discovered in 2014 that exploits a physical characteristic of DRAM memory: repeatedly accessing (hammering) rows of memory cells at high frequency can cause charge leakage that flips bits in adjacent, unaccessed rows. By carefully engineering which bits flip, attackers can corrupt critical data structures such as page table entries to gain unauthorized memory access.
GPUBreach applies this concept to GDDR6 memory — the high-bandwidth graphics memory used in modern discrete GPUs — demonstrating that the phenomenon is not limited to CPU-attached RAM.
The GPUBreach Attack Chain
The GPUBreach attack operates in three distinct stages:
Stage 1: Inducing GDDR6 Bit-Flips via Rowhammer
Researchers developed a CUDA-based hammering kernel that repeatedly accesses specific memory rows in GPU GDDR6 at the frequency required to induce bit-flips in adjacent rows. The hammering pattern is engineered to target GPU page table entries (PTEs) — the data structures that define which physical memory addresses a GPU process is permitted to access.
Stage 2: Exploiting Corrupted PTEs for Arbitrary GPU Memory Access
Once a targeted bit-flip occurs in a GPU PTE, an unprivileged CUDA process gains the ability to read and write arbitrary GPU memory — including memory regions belonging to other processes or the GPU driver. This breaks the isolation model that GPU virtualization and multi-tenant environments depend upon.
Stage 3: Escalating to Host CPU Root via NVIDIA Driver Bugs
The final and most impactful stage exploits previously undiscovered memory-safety vulnerabilities in the NVIDIA GPU driver to translate arbitrary GPU memory access into root-level privilege escalation on the host CPU. The result is complete system compromise: an attacker who begins with an unprivileged CUDA context ends with unrestricted control of the underlying machine.
Why This Is Significant: IOMMU Bypass
A critical aspect of GPUBreach is its ability to achieve privilege escalation without disabling the IOMMU (Input-Output Memory Management Unit) — the hardware component that enforces memory isolation between devices and the host system, and that is considered a primary defense against DMA-class attacks.
Prior GPU-based attacks typically required circumventing or disabling IOMMU protections — a prerequisite that most modern systems make difficult. GPUBreach's architecture bypasses the need entirely, significantly expanding the realistic attack surface.
Affected Hardware and Mitigation Gaps
The researchers validated GPUBreach on the NVIDIA RTX A6000 — a GPU widely deployed in AI research, machine learning workloads, and professional computing environments. The attack methodology is applicable to any system using GDDR6 memory without sufficient ECC (Error Correcting Code) protection.
The mitigation landscape is deeply concerning:
- Consumer GPUs — which typically lack ECC memory — are completely unmitigated against GPUBreach. No hardware fix is available.
- ECC-enabled GPUs provide only partial protection: ECC corrects single-bit errors and detects double-bit errors, but sophisticated Rowhammer patterns can exploit multi-bit flip scenarios that ECC does not fully address.
- IOMMU does not protect against this attack at all, eliminating a commonly assumed defense layer.
NVIDIA has indicated it may update a security notice originally published in July 2025 to reflect the GPUBreach findings but has not committed to a comprehensive hardware or driver mitigation timeline.
Disclosure and Recognition
The vulnerability was responsibly disclosed on November 11, 2025 to NVIDIA, Google, Amazon Web Services (AWS), and Microsoft — all of whom operate large-scale GPU infrastructure for cloud computing and AI workloads.
Google acknowledged the disclosure and awarded a $600 bug bounty. Full technical details of GPUBreach — including the precise hammering patterns, bit-flip engineering techniques, and driver exploitation methodology — are scheduled to be presented at the IEEE Symposium on Security and Privacy (Oakland 2026) on April 13, 2026.
Implications for AI and Cloud Infrastructure
The timing of GPUBreach's disclosure is particularly significant given the explosive growth of GPU-accelerated AI workloads in multi-tenant cloud environments. Cloud providers operate environments in which multiple customers share physical GPU hardware — an architecture that could theoretically allow a malicious tenant to use GPUBreach to access the GPU memory of co-located workloads or escalate to host-level access.
Security researchers and cloud providers are urgently evaluating whether existing GPU isolation architectures sufficiently defend against Rowhammer-class attacks on GDDR6 memory, and whether the NVIDIA driver vulnerabilities identified by the University of Toronto researchers have been fully patched in cloud-deployed GPU stacks.
Until a comprehensive fix is available, organizations operating sensitive workloads on GPU hardware — particularly in shared or multi-tenant environments — should consider this a live risk requiring architectural review.
Sources: BleepingComputer, University of Toronto Research, NVIDIA Security Advisory