![\"New](\"https:\/\/www.bleepstatic.com\/content\/hl-images\/2026\/04\/06\/GPU.jpg\")
<\/p>\n<\/p>\n
A new attack, dubbed GPUBreach, can induce Rowhammer bit-flips on GPU GDDR6 memories to escalate privileges and lead to a full system compromise.<\/p>\n
GPUBreach was developed by a team of researchers at the University of Toronto, and full details will be presented at the upcoming IEEE Symposium on Security & Privacy on April 13 in Oakland.<\/p>\n
The researchers demonstrated that Rowhammer-induced bit flips in GDDR6 can corrupt GPU page tables (PTEs) and grant arbitrary GPU memory read\/write access to an unprivileged CUDA kernel.<\/p>\n
![\"New](\"https:\/\/www.bleepstatic.com\/c\/a\/as-Free-Phishing-970x250.jpg\")
<\/a> <\/div>\nAn attacker may then chain this into a CPU-side escalation by exploiting memory-safety bugs in the NVIDIA driver, potentially leading to complete system compromise without the need to disable Input-Output Memory Management Unit (IOMMU) protection.<\/p>\n
![\"New](\"https:\/\/www.bleepstatic.com\/images\/news\/u\/1220909\/2026\/April\/steps.jpg\")
IOMMU is a hardware unit that protects against direct memory attacks. It controls and restricts how devices access memory by managing which memory regions are accessible to each device.<\/p>\n
Despite being an effective measure against most direct memory access (DMA) attacks, IOMMU does not stop GPUBreach.<\/p>\n
“GPUBreach shows that GPU Rowhammer attacks can move beyond data corruption to real privilege escalation,” the researchers explain<\/a>.<\/p>\n “By corrupting GPU page tables, an unprivileged CUDA kernel can gain arbitrary GPU memory read\/write, and then chain that capability into CPU-side escalation by exploiting newly discovered memory-safety bugs in the NVIDIA driver.”<\/p>\n “The result is system-wide compromise up to a root shell, without disabling IOMMU, unlike contemporary works, making GPUBreach a more potent threat.”<\/p>\n The same researchers previously demonstrated GPUHammer<\/a>, the first attack showing that Rowhammer attacks on GPUs are practical, prompting NVIDIA to issue a warning to users and suggesting the activation of the System Level Error-Correcting Code mitigation to block such attempts on GDDR6 memory.<\/p>\n However, GPUBreach is taking the threat to the next level, showing that it is possible not only to corrupt data but also to gain root privileges with IOMMU enabled.<\/p>\n The researchers exemplified the results with an NVIDIA RTX A6000 GPU with GDDR6. This model is widely used in AI development and training workloads.<\/p>\n The University of Toronto researchers reported their findings to NVIDIA, Google, AWS, and Microsoft on November 11, 2025.<\/p>\n Google acknowledged the report and awarded the researchers a $600 bug bounty.<\/p>\n NVIDIA stated that it may update its existing security notice from July 2025<\/a> to include the newly discovered attack possibilities.<\/p>\n As demonstrated by the researchers, IOMMU alone is insufficient if GPU-controlled memory can corrupt trusted driver state, so users at risk should rely solely on that security measure.<\/p>\n Error Correcting Code (ECC) memory helps correct single-bit flips and detect double-bit flips, but it is not reliable against multi-bit flips.<\/p>\n Ultimately, the researchers underlined that GPUBreach is completely unmitigated for consumer GPUs without ECC.<\/p>\n The researchers will publish the full details of their work, including a technical paper<\/a> and a GitHub repository<\/a> with the reproduction package and scripts, on April 13.<\/p>\n\n![\"New](\"https:\/\/www.bleepstatic.com\/images\/news\/u\/1220909\/2026\/April\/overview.jpg\")
Source: University of Toronto<\/em><\/figcaption><\/figure>\n<\/div>\n\n![\"New](\"https:\/\/www.bleepstatic.com\/images\/news\/u\/1220909\/2026\/April\/compare.jpg\")
Source: University of Toronto<\/em><\/figcaption><\/figure>\n<\/div>\nDisclosure and mitigations<\/h3>\n