GPUBreach can turn a GPU Rowhammer flaw into full system compromise and a root shell
A new academic attack called GPUBreach shows that GPU Rowhammer can do far more than corrupt AI workloads. Researchers from the University of Toronto say it can escalate from targeted bit flips in GDDR6 memory to arbitrary GPU memory access, then chain into CPU-side privilege escalation that ends with a root shell.
The work will appear at the 47th IEEE Symposium on Security and Privacy in May 2026. The paper is listed in the conference program as “GPUBreach: Privilege Escalation Attacks on GPUs using Rowhammer,” and the authors say they responsibly disclosed the findings to NVIDIA, Google, AWS, and Microsoft in November 2025.
What makes GPUBreach stand out is the IOMMU bypass path. The researchers say earlier GPU Rowhammer work could corrupt data or, in some cases, reach CPU memory only when IOMMU protections were disabled. GPUBreach instead abuses trusted NVIDIA driver buffers that the IOMMU already allows, then triggers driver memory-safety bugs to gain kernel-level control on the CPU side.
How GPUBreach works
The attack starts on the GPU side. The researchers say they can use Unified Virtual Memory allocation behavior to place GPU page tables near flippable GDDR6 rows, then trigger targeted bit flips that corrupt page table entries. Once that happens, an unprivileged CUDA kernel can gain arbitrary read and write access across GPU memory.
From there, the attack crosses into the host system. According to the project site, the compromised GPU uses DMA into CPU memory regions that remain permitted by the IOMMU because they belong to the NVIDIA driver itself. By corrupting metadata in those trusted buffers, the attack causes out-of-bounds writes in the kernel driver and turns that into an arbitrary kernel write primitive.
That final step is what makes the finding more serious than a typical AI integrity issue. The researchers say the exploit can spawn a root shell even when the IOMMU stays enabled, which matters because IOMMU protection remains a standard baseline defense against DMA attacks on modern systems. Microsoft’s own documentation describes DMA remapping and Kernel DMA Protection as defenses against malicious DMA and memory corruption.
Why researchers see this as a bigger leap
The team compares GPUBreach to two concurrent studies, GDDRHammer and GeForge, which will also appear at IEEE S&P 2026. All three show that GPU Rowhammer can corrupt GPU page tables and achieve arbitrary GPU memory access, but GPUBreach claims the strongest CPU-side result because it reaches a root shell without requiring the IOMMU to be turned off.
The project page says GDDRHammer can access limited CPU memory through aperture bits but does not achieve CPU privilege escalation. GeForge can reach CPU privilege escalation, but the comparison table published by the GPUBreach team says that path requires IOMMU protections to be disabled.
The paper also highlights non-root consequences. On the GPU side, the researchers say the attack can support cross-process access, steal post-quantum cryptographic keys from NVIDIA cuPQC workloads, leak sensitive LLM weights, and drive machine learning accuracy from 80% to 0% by tampering with one branch in cuBLAS code stored in GPU memory.
Key facts at a glance
| Item | Confirmed detail |
|---|---|
| Attack name | GPUBreach |
| Main idea | Targeted GPU Rowhammer on GDDR6 to corrupt GPU page tables |
| End result | Arbitrary GPU memory access, then CPU-side root shell |
| Conference | IEEE Symposium on Security and Privacy 2026 |
| Institution | University of Toronto |
| IOMMU required to be off? | No, according to the researchers |
| Related work | GDDRHammer and GeForge |
| Disclosure date | November 11, 2025 |
What systems appear most exposed
The researchers focus on NVIDIA GPUs with GDDR6 memory. NVIDIA’s July 2025 Rowhammer notice also discussed a demonstrated Rowhammer attack on an NVIDIA A6000 with GDDR6 and recommended mitigations such as enabling ECC where supported.
That does not mean ECC fully solves the problem. The GPUBreach team says ECC can help by correcting single-bit errors and detecting double-bit errors, but it is not foolproof against more complex attack patterns that induce more than two flips. The project site also says many desktop and laptop GPUs do not offer ECC at all.
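The behaviour described above, shown on a small code (an added example, not from the paper or the project site): an extended Hamming(8,4) SECDED code stands in for the wider codes used by ECC memory, and the function names are illustrative. One flip is corrected, two are detected, and three flips in the same word are reported as "corrected" while returning wrong data.

```python
# Added illustration: extended Hamming(8,4) SECDED, a toy stand-in for the
# wider SECDED codes in ECC memory. It is not NVIDIA's actual ECC layout.

def encode(nibble):
    """Encode 4 data bits as 8 bits: index 0 = overall parity, 1..7 = Hamming(7,4)."""
    code = [0] * 8
    code[3], code[5], code[6], code[7] = [(nibble >> i) & 1 for i in range(4)]
    for p in (1, 2, 4):                      # parity bit p covers indices with bit p set
        code[p] = sum(code[i] for i in range(1, 8) if i & p) % 2
    code[0] = sum(code[1:]) % 2              # extra bit that adds double-error detection
    return code

def decode(code):
    """Return (status, nibble); status is 'ok', 'corrected' or 'detected'."""
    code = list(code)
    syndrome = 0
    for i in range(1, 8):
        if code[i]:
            syndrome ^= i                    # XOR of set indices is 0 for a valid word
    odd = sum(code) % 2                      # 1 when an odd number of bits flipped
    if odd:                                  # decoder assumes exactly one flip
        code[syndrome] ^= 1                  # syndrome 0 means the overall parity bit
        status = "corrected"
    elif syndrome:                           # even flip count, non-zero syndrome
        return "detected", None
    else:
        status = "ok"
    return status, code[3] | code[5] << 1 | code[6] << 2 | code[7] << 3

def flip(code, positions):
    """Return a copy of the codeword with the given bit indices inverted."""
    out = list(code)
    for p in positions:
        out[p] ^= 1
    return out

def outcomes(nibble):
    """Decode the same stored word after one, two and three bit flips."""
    word = encode(nibble)
    return {n: decode(flip(word, pos))
            for n, pos in ((1, [5]), (2, [5, 6]), (3, [3, 5, 7]))}

if __name__ == "__main__":
    for flips, (status, value) in outcomes(0b1011).items():
        print(flips, "flip(s):", status, value)
```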
The threat model also matters. This is not a drive-by web exploit. The attack requires code execution with normal GPU compute access, which means the most realistic concerns sit in shared GPU servers, cloud tenants, research clusters, and multi-user AI environments where attackers can run CUDA workloads locally. That last point is an inference based on the attack design and the researchers’ use of unprivileged CUDA execution in their description.
What defenders should do now
- Enable ECC on supported workstation and server GPUs, as NVIDIA recommends in its Rowhammer notice.
- Keep IOMMU and DMA remapping protections enabled. GPUBreach does not make those defenses useless. It shows a bypass path in a specific driver trust boundary.
- Review where untrusted users can run CUDA or other GPU compute workloads, especially in shared servers and cloud environments. This is an inference from the published threat model.
- Watch for updated NVIDIA guidance. The researchers say NVIDIA may revise its July 2025 Rowhammer notice to include these newer impacts.
- Treat GPU memory integrity as part of system security, not just AI reliability, because the attack path now reaches the host kernel.
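A host check covering the first two items above, as an added example that is not from NVIDIA or the researchers: it classifies each GPU's ECC state from `nvidia-smi` query output and checks whether Linux has created IOMMU groups. The sample output is constructed, and the verdict labels and function names are illustrative.

```python
import os
import subprocess

QUERY = ["nvidia-smi", "--query-gpu=index,name,ecc.mode.current",
         "--format=csv,noheader"]

# Constructed sample of the query's output, not captured from a real host.
SAMPLE = """\
0, NVIDIA RTX A6000, Enabled
1, NVIDIA RTX A6000, Disabled
2, NVIDIA GeForce RTX 3080, [N/A]
"""

def classify_ecc(csv_text):
    """Map each GPU line to (index, name, verdict)."""
    findings = []
    for line in csv_text.strip().splitlines():
        index, rest = line.split(",", 1)
        name, mode = (part.strip() for part in rest.rsplit(",", 1))
        if mode == "Enabled":
            verdict = "ok"
        elif mode == "Disabled":
            verdict = "enable-ecc"           # ECC supported but switched off
        else:
            verdict = "no-ecc-support"       # e.g. [N/A]; rely on workload isolation
        findings.append((int(index), name, verdict))
    return findings

def iommu_active(groups_dir="/sys/kernel/iommu_groups"):
    """True if Linux has created at least one IOMMU group (IOMMU in use)."""
    try:
        return any(entry.is_dir() for entry in os.scandir(groups_dir))
    except OSError:
        return False

def audit(csv_text=None, groups_dir="/sys/kernel/iommu_groups"):
    """Audit the live host, or the supplied nvidia-smi text if given."""
    if csv_text is None:
        csv_text = subprocess.run(QUERY, capture_output=True, text=True,
                                  check=True).stdout
    return {"gpus": classify_ecc(csv_text), "iommu_active": iommu_active(groups_dir)}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Calling `audit()` with no arguments queries the local host instead of the sample. The IOMMU check is coarse: it confirms that groups exist, not how each device's DMA is mapped.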
FAQ
GPUBreach is a GPU Rowhammer attack described by University of Toronto researchers that corrupts GPU page tables in GDDR6 memory, gains arbitrary GPU memory access, and then chains into CPU-side privilege escalation up to a root shell.
Earlier work largely focused on data corruption, AI degradation, or CPU memory access under weaker protection settings. GPUBreach claims a full root-shell result even with IOMMU enabled.
No. The researchers say the attack works by corrupting trusted NVIDIA driver state inside memory regions the IOMMU already permits, then exploiting driver bugs from there.
The published material does not describe it as a remote internet exploit. The attack assumes local code execution with access to GPU compute capabilities, which makes shared compute environments the more realistic risk zone.