"Our work shows that Rowhammer, which is well-studied on CPUs, is a serious threat on GPUs as well," said Andrew Kwong, co‑author of one of the papers describing the attack.
Two independent teams turn GPU Rowhammer into full system compromise
On Thursday, two research teams—working independently—published proofs of concept showing that Rowhammer-style faults in GDDR memory on Nvidia Ampere‑generation cards can be weaponized to flip bits that ultimately give adversaries arbitrary read/write access to CPU memory and "complete compromise of the machine." The demonstrations target GDDR6 on consumer and data‑class Ampere cards and rely on inducing bitflips in GPU memory structures that map into the host system.
GDDRHammer: "Greatly Disturbing DRAM RowsCross-Component Rowhammer Attacks from Modern GPUs"
One paper, titled "GDDRHammer: Greatly Disturbing DRAM RowsCross-Component Rowhammer Attacks from Modern GPUs," shows how attackers can use GPU rowhammering to corrupt the GPU's last‑level page table. According to the authors, those corrupted page tables enable arbitrary read/write access to all of the CPU's memory, producing a full system compromise when the attack succeeds. The published description emphasizes cross‑component impact: bitflips induced in GDDR memory are converted into control over host memory mappings.
GeForge: forging GPU page directories to reach the host
The second paper, "GeForge: Hammering GDDR Memory to Forge GPU Page Tables for Fun and Profit," pursues a closely related but technically distinct path. Rather than targeting the last‑level page table as GDDRHammer does, GeForge manipulates the last‑level page directory. The authors report inducing 1,171 bitflips against an RTX 3060 and 202 bitflips against an RTX 6000. GeForge's technique corrupts GPU page table mappings in GDDR6 to acquire read/write access to the GPU memory space, and from there the exploit acquires the same privileges over host CPU memory. The GeForge proof‑of‑concept against the RTX 3060 concludes by opening a root shell window that allows the attacker to issue commands with unfettered privileges on the host machine. The researchers also stated that both GDDRHammer and GeForge could do the same thing against the RTC 6000.
Third demonstration: RTX A6000, root shell, and an IOMMU exception
An update on Friday, April 3, reported a third Rowhammer demonstration against an RTX A6000 that achieves privilege escalation to a root shell. Critically, researchers said this third attack works even when IOMMU is enabled—an important distinction from the first two public demonstrations.
The original demonstrations require IOMMU memory management to be disabled for the attack to succeed; the writeup notes that IOMMU is disabled by default in many BIOS settings. That default setting is central to how the first two exploits convert GPU‑side faults into host memory corruption.
What this means for technologists, procurement leaders, and end users
- Technologists and security teams: The published proofs of concept show new attack paths that convert GDDR6 bitflips into host memory compromise by corrupting GPU page structures. Teams responsible for servers and workstations that pair CPUs with Ampere‑generation GPUs will need to monitor these proofs of concept and any vendor mitigations, given the researchers' demonstrations of arbitrary read/write to CPU memory and root shells.
- Procurement and enterprise purchasers: The demonstrations name specific cards—RTX 3060, RTX 6000, and RTX A6000—when describing successful exploits. Procurement reviews of existing and planned purchases that include Ampere‑generation cards may need to consider those models in light of published proofs of concept.
- End users and administrators: The public accounts note that the first two attacks require IOMMU to be disabled and that IOMMU is commonly disabled by default in BIOS settings. That configuration detail is highlighted in the papers and the reporting as a factor that enables the cross‑component compromises described.
The trio of demonstrations moves Rowhammer from a CPU‑side footnote into a cross‑component capability with immediate implications: GDDR6 bitflips can be weaponized to alter GPU page mappings and, through them, seize control of host memory and privileges. The April 3 demonstration that achieves a root shell even with IOMMU enabled raises a direct question left by the record of published proofs: will system vendors, BIOS maintainers, and GPU platform developers change defaults or add mitigations to block or detect these exploit paths? The published work makes clear the technical route; how quickly and thoroughly platforms respond remains to be seen.




