A new attack called GPUBreach can trigger Rowhammer bit flips in GDDR6 GPU memory and escalate an unprivileged CUDA kernel to a full system compromise, according to a technical analysis from the University of Toronto. The researchers said they will present full details at the IEEE Symposium on Security & Privacy in Oakland on April 13.
KEY FACTS
- Target GDDR6 GPU memory on NVIDIA RTX A6000 hardware.
- Effect Bit flips can corrupt GPU page tables and enable arbitrary GPU memory read and write access.
- Escalation The report says the attack can be chained into CPU-side privilege escalation through NVIDIA driver memory-safety bugs.
- Protection gap IOMMU does not stop the attack, and consumer GPUs without ECC are described as completely unmitigated.
The researchers said they reported the findings to NVIDIA, Google, AWS and Microsoft on November 11, 2025. Google acknowledged the report and awarded a $600 bug bounty, while NVIDIA said it may update an existing security notice to include the newly discovered attack possibilities.
GPUBreach builds on the team’s earlier GPUHammer work, which showed that Rowhammer attacks on GPUs were practical. In this case, the disclosure says the attack can move beyond data corruption and reach root privileges without disabling IOMMU.
The researchers used an NVIDIA RTX A6000 with GDDR6 to demonstrate the technique, a model that is common in AI development and training. NVIDIA told BleepingComputer that enterprise users should enable System Level Error-Correcting Codes, which are on by default for Hopper and Blackwell data center GPUs.
WHY IT MATTERS
The findings suggest that hardware protections such as IOMMU alone may not be enough if GPU memory corruption can affect trusted driver state. For affected systems, the practical risk is not only data corruption but potential full-system compromise.