Researchers at the University of Toronto have developed a new attack called GPUBreach that induces bit flips on GDDR6 memory to escalate privileges and achieve complete system takeover. The attack corrupts GPU page tables, granting unprivileged CUDA kernels arbitrary memory access, which can then be chained with memory-safety bugs in NVIDIA drivers for CPU-side escalation. Unlike previous Rowhammer demonstrations, GPUBreach succeeds without disabling IOMMU protection, making it a more potent threat.
The researchers previously demonstrated GPUHammer, proving Rowhammer attacks on GPUs were practical, but GPUBreach advances this by enabling root privilege escalation. The attack was exemplified on an NVIDIA RTX A6000 GPU widely used in AI development and training workloads. Findings were reported to NVIDIA, Google, AWS, and Microsoft in November 2025, with Google awarding a $600 bug bounty.
NVIDIA indicated it may update its July 2025 security notice to address the newly discovered attack vectors. Error Correcting Code memory helps correct single-bit flips but is unreliable against multi-bit flips, and consumer GPUs without ECC remain completely unmitigated. The researchers will present full technical details and a GitHub reproduction package at the IEEE Symposium on Security & Privacy on April 13. NVIDIA recommends enabling System Level Error-Correcting Codes for enterprise environments, which is default on Hopper and Blackwell data center GPUs.
Read more...