5 Critical Facts About the New Rowhammer Attacks on NVIDIA GPUs

In early April, cybersecurity researchers dropped a bombshell: new Rowhammer attacks can fully compromise host machines by exploiting vulnerabilities in NVIDIA's Ampere-generation GPUs. Two independent teams demonstrated that GDDR6 memory in cards like the RTX 3060 and RTX 6000 is susceptible to bit flips, granting attackers arbitrary read/write access to CPU memory and ultimately a root shell. A third team later showed a variant that works even with IOMMU enabled. This article breaks down the five most important things you need to know about these groundbreaking attacks.

1. Rowhammer Is No Longer Just a CPU Threat

Rowhammer has been a well-known vulnerability in DRAM modules for years, where repeated row activations cause bit flips in adjacent rows. Now, researchers from the University of Michigan, the University of Texas, and others have demonstrated that the same principle applies to GDDR6 memory on modern GPUs. Their work, presented in papers like GDDRHammer and GeForge, shows that an attacker can induce bit flips on GPU memory to gain control over the host CPU’s memory space. This cross-component attack blurs the line between GPU and system security, meaning your graphics card could be a backdoor to your entire machine.

2. Two Attacks, One Goal: Full System Compromise

The research teams independently developed two attacks—GDDRHammer and GeForge—that achieve the same end: arbitrary read/write access to all CPU memory. GDDRHammer exploits the last-level page table in GPU memory, while GeForge targets the last-level page directory. Both use novel hammering patterns and memory massaging to corrupt GPU page table mappings in GDDR6. Once they have manipulated these mappings, the attacker can escalate privileges on the host machine. In proof-of-concept tests on the RTX 3060 and RTX 6000, GeForge opened a root shell, giving unfettered command execution.

3. IOMMU: The Critical Hurdle and a Surprising Bypass

The Input‑Output Memory Management Unit (IOMMU) is a hardware feature that isolates device memory from CPU memory. For the first two attacks to work, IOMMU must be disabled—which is, alarmingly, the default in many BIOS settings. However, a third attack, revealed on April 3, changed the game. Researchers demonstrated a Rowhammer variant on the RTX A6000 that achieves privilege escalation to a root shell even when IOMMU is enabled. This bypass significantly expands the attack surface and raises the urgency for patches and configuration changes.

4. Specific GPUs Are Affected: Ampere Generation at Risk

The attacks target NVIDIA’s Ampere generation, specifically the RTX 3060, RTX 6000, and RTX A6000. GDDRHammer induced bit flips on the RTX 3060 and RTX 6000, while GeForge reported 1,171 bitflips on the RTX 3060 and 202 on the RTX 6000. The RTX A6000 was used for the IOMMU-bypassing attack. All these cards use GDDR6 memory, which is more dense and susceptible to Rowhammer than older memory types. If you own one of these GPUs, your system is potentially vulnerable.

5. Real‑World Implications and Mitigation Steps

These attacks represent a paradigm shift because they allow a GPU to attack the host CPU, rather than just exploiting GPU memory for graphics data. An attacker could run a malicious shader or kernel on the GPU to trigger bit flips, eventually gaining full control of the machine. Mitigations include enabling IOMMU in BIOS (though the latest attack bypasses it), updating GPU firmware and drivers, and monitoring for unusual GPU memory access patterns. NVIDIA has acknowledged the research but has not yet released a public patch. Until a fix is available, users of Ampere GPUs should consider restricting GPU access for untrusted applications.

Conclusion

The Rowhammer attacks on NVIDIA GPUs are a stark reminder that hardware vulnerabilities can cross component boundaries. With two independent teams demonstrating full system compromise and a third bypassing the primary defense (IOMMU), the threat is real and immediate. Users should stay informed and apply updates as soon as they are available. For now, treat your GPU as a potential entry point for attackers—because it now is.