Rowhammer attacks on NVIDIA GPUs enable full system compromise when IOMMU is disabled

Two research teams working independently disclosed rowhammer attacks that exploit NVIDIA Ampere-generation GPUs to achieve full system compromise. By inducing bit flips in GDDR memory, attackers can corrupt GPU page table structures, gaining arbitrary read and write access to CPU memory and escalating privileges on the host machine. The first attack, termed GDDRHammer, targets the last-level page table; the second, GeForce, manipulates the page directory instead. Both achieve the same outcome: unrestricted host system access.

The attacks depend on a permissive default configuration: IOMMU memory management must be disabled in BIOS settings. A subsequent disclosure revealed a third variant that circumvents this requirement entirely, functioning on RTX A6000 cards even when IOMMU is enabled. This third attack chain successfully escalated to a root shell, indicating the vulnerability is not confined to specific configurations.

The practical impact varies by target GPU. GeForce induced 1,171 bit flips against RTX 3060 cards and 202 against RTX 6000 models, each sufficient to compromise the system. Both papers demonstrate proof-of-concept exploits that execute arbitrary commands with elevated privileges, confirming the attacks move beyond theoretical threat to demonstrated feasibility.

The disclosures extend the known threat model for rowhammer attacks from CPUs to GPU-accelerated systems. Unlike software-level security measures, bit-flip exploits operate at a fundamental hardware level, below conventional stack-based defenses. The attacks require no special user privileges—only the ability to execute code or access the GPU, making them relevant to multi-tenant cloud environments and systems with untrusted workloads.