GPU-Based Rowhammer Attacks: New Threats to NVIDIA Systems and Host Memory

Introduction: Rowhammer Goes Beyond CPUs

Rowhammer attacks, long studied as a vulnerability in CPU memory, have now escalated to a new front: graphics processing units (GPUs). Recent independent research has demonstrated that modern NVIDIA GPUs from the Ampere generation can be exploited via Rowhammer techniques to gain complete control over host CPU memory, leading to full system compromise. These findings highlight a significant expansion of the attack surface, where malicious code running on the GPU can break out of its sandbox and affect the entire machine.

GDDRHammer: Cross-Component Attacks via GDDR Memory

One team, including researcher Andrew Kwong, published a paper titled GDDRHammer: Greatly Disturbing DRAM Rows – Cross-Component Rowhammer Attacks from Modern GPUs. Their attack exploits bit flips in the GDDR6 memory of NVIDIA cards, specifically the RTX 3060 and RTX A6000. By inducing precise bit flips, the attacker can corrupt the last-level page table used by the GPU to manage memory permissions. This gives the attacker arbitrary read/write access to all CPU memory, effectively taking over the host system.

However, the attack requires that the IOMMU (Input-Output Memory Management Unit) is disabled, which is the default in most BIOS settings. This configuration oversight makes many systems vulnerable out of the box.

GeForge: Forging Page Tables for Privilege Escalation

Simultaneously, another research team unveiled a separate attack called GeForge, detailed in their paper Hammering GDDR Memory to Forge GPU Page Tables for Fun and Profit. Instead of targeting the last-level page table, GeForge manipulates the last-level page directory. Using novel hammering patterns and memory massaging, the researchers induced 1,171 bit flips on an RTX 3060 and 202 bit flips on an RTX 6000. These flips corrupt GPU page table mappings, allowing the attacker to read and write any GPU memory space. From there, the same privileges over host CPU memory are achieved.

The proof-of-concept exploit for GeForge culminates in opening a root shell window on the host machine, granting unfettered command execution. The researchers state that the same approach works against both the RTX 3060 and RTX A6000.

Third Attack: Bypassing IOMMU Protection

In an update, a third Rowhammer attack was revealed that specifically targets the RTX A6000. Unlike the previous two, this attack works even when the IOMMU is enabled. It achieves privilege escalation to a root shell, demonstrating that even with memory protection enabled, GPU Rowhammer remains a threat. This marks a critical development, as IOMMU is often considered a defense against DMA-based attacks.

Implications and Mitigations

These findings underscore that Rowhammer is no longer just a CPU concern. GPUs, with their high-performance memory and parallel processing capabilities, are now viable vectors for system compromise. The attacks require no physical access; they can be executed remotely if an attacker can run code on the GPU (e.g., via JavaScript in a browser or through malicious applications).

Manufacturers and users must take note. For NVIDIA, ensuring that the IOMMU is enabled can block the first two attacks, but the third shows that may not be sufficient. Potential mitigations include memory error-correcting codes (ECC), stricter memory access controls, and hardware-level defenses against Rowhammer in GDDR memory. Until patches or hardware revisions arrive, organizations should consider disabling GPU features that allow direct memory access from untrusted code and enforce IOMMU always-on policies.

Conclusion

The new Rowhammer attacks against NVIDIA's Ampere GPUs represent a significant leap in cross-component exploitation. As GPUs become more integrated into computing ecosystems—from gaming to AI—the security of their memory subsystems must be prioritized. The research community has demonstrated that with careful exploitation, a graphics card can become a stepping stone to full system takeover. It is now up to hardware vendors and system administrators to close these doors before they are widely exploited in the wild.