A familiar face in the cybersecurity world has returned to the forefront, but this time through the major front door of graphics cards. The vulnerability Rowhammer, until now primarily associated with CPU RAMIt has also proven effective against GDDR6 memory used in various NVIDIA GPUs, opening the door to attacks that can result in total system control.
Several academic teams have presented almost simultaneously. complete attack chains against NVIDIA GPUs with GDDR6with names like GDDRHammer, GeForge, or GPUBreach. Beyond the technicalities, the message for users, businesses, and cloud environments in Europe is clear: certain graphics cards, widely used in home PCs, workstations, and servers, can be the vector that allows an attacker to gain administrator privileges on the operating system.
What is Rowhammer and why is it now targeting GPUs with GDDR6?
Rowhammer is a physical vulnerability that exploits the way DRAM memory cells are manufactured and loadedIf certain rows of memory are accessed very quickly and repeatedly ("hammering"), electrical disturbances are generated that can cause bit changes in adjacent rows, the well-known bit-flips: a 0 becomes a 1 or vice versa without the software having ordered it.
The first academic works, back in the time of DDR3 and later DDR4 memoryThey demonstrated that this technique could be used to break process isolation, manipulate sensitive data, and escalate privileges from an unlicensed user to a system administrator. For years it was thought that implemented mitigations and hardware advancements had contained the problem, but the reality is that the attack surface has expanded.
Recent research shows that The GDDR6 memory in modern GPUs is not safeInstead of attacking the main RAM linked to the CPU, the teams have focused their efforts on the dedicated memory of the graphics card, exploiting very aggressive access patterns and specific techniques to bypass the internal row refresh (TRR) protections present in these chips.
What's new here isn't just that Rowhammer runs on GDDR6, but that Attackers can progress from corrupting GPU memory to directly manipulating host CPU memory., using the card's own memory management logic and the features of the PCIe bus.
GDDRHammer and GeForge research: from bit-flip to taking control of the system
Two research groups, working independently at universities in the United States, have published studies under the names of GDDRHammer and GeForce ForgeBoth share a basic idea: to induce bit-flips in the GPU's GDDR6 memory and turn those physical alterations into a total system compromise.
In their tests, the researchers analyzed at least 25 NVIDIA GPU models with GDDR6This includes consumer and professional graphics cards based on the Ampere and Ada Lovelace architectures. Among the cards where bit-flips and successful exploitation have been observed are the GeForce RTX 3060, as well as the professional RTX 6000 and RTX A6000 series.
The results are striking: the GeForge method managed to induce more than 1.100 bit alterations on an RTX 3060 for consumers and slightly over 200 on a professional RTX A6000. For its part, GDDRHammer achieved averages exceeding one thousand bit-flips per gigabyte of memory, a figure well above previous attempts on graphics hardware.
To achieve this, the teams have had to circumventing TRR mitigations integrated into the GDDR6 memory chips. Non-uniform access patterns have been used across several rows, varying frequency, order, and intensity, so that the hardware does not detect the behavior as suspicious but enough disturbances are generated to force bit changes.
Once the ability to reliably trigger bit-flips was demonstrated, the next step was directing those changes to particularly sensitive memory structuresIn this case, the page tables managed by the GPU's memory unit.
How GPU page tables are manipulated to access CPU RAM
The heart of these attacks lies in the hierarchical page tables that the GPU uses to translate virtual addresses to physical addresses, both in its local memory and in the host system's memory. Typically, these structures are allocated in memory regions that are difficult to predict or difficult for unprivileged code to access.
The GDDRHammer and GeForge exploits use standard memory calls (such as those based on cudaMalloc and Unified Virtual Memory) to perform a genuine "memory massage"Blocks are allocated and released in a highly controlled manner until certain page tables end up in physical positions that the attacker knows are vulnerable to Rowhammer.
Once these regions have been located, the objective is corrupt a specific entry in the page table through a bit-flip. By altering a specific bit of the physical address pointer, the input stops pointing to the legitimate table and starts pointing to a forged table built by the attacker in controlled memory.
From that point on, the GPU believes it is using a valid page table, but in reality all read and write operations Through this route, data is redirected to memory locations chosen by the malicious code. The critical point is that these addresses no longer need to reside in the GPU's memory, but rather in the host system's physical RAM.
In practical demonstrations, the researchers achieved the following with this method arbitrary read and write access over the entire CPU memoryIn one scenario presented, the exploit overwrote part of the code of a system library (e.g., libc functions) directly into the host's RAM, so that when a legitimate program with elevated privileges was executed, the injected code was launched and a superuser console was obtained.
GPUBreach: the third way that combines Rowhammer and driver vulnerabilities
In addition to GDDRHammer and GeForge, researchers have described a third vector called GPUBreachThis is now considered the third confirmed Rowhammer attack against GPUs. In this case, the focus is not limited to memory physics, but also relies on recent vulnerabilities in NVIDIA drivers.
GPUBreach proves it's possible compromise the operating system kernel even when IOMMU is activeThis is especially worrying for servers and workstations that had already adopted this measure as their primary defense. The study focused primarily on the NVIDIA RTX A6000, a high-end GPU widely used in data centers, compute-intensive environments, and artificial intelligence projects.
In this scenario, the attack still begins with corrupt GPU page tables using RowhammerBut then it combines that capability with exploiting driver vulnerabilities to further escalate privileges. In this way, the GPU ceases to be merely a computing accelerator and becomes the springboard from which to take control of the host system.
The combination of physical vulnerability (Rowhammer) and logical errors in the controller software This places GPUBreach in a particularly delicate position, as it limits the effectiveness of barriers that were previously considered reasonably robust in professional environments.
Affected models and vulnerability status in NVIDIA
Studies published to date do not offer an exhaustive list of all affected models, but they have confirmed several specific examples. Among them are: the consumer GeForce RTX 3060 and the professional RTX 6000 and RTX A6000 GPUs, all of them with GDDR6 memory and based on the Ampere architecture.
In broader tests, one of the research groups verified 25 high-end graphics cards with GDDR6The study found that 16 out of 17 RTX A6000 models tested were susceptible to the proposed Rowhammer attacks. Tests were also conducted on models from the Ada family, revealing similar traces of vulnerability, although testing on a wider range of products is ongoing.
On the other hand, research suggests that GDDR6X and GDDR7 memories are not affected by the same methodsat least with current techniques. The same applies to memories like HBM2 or HBM3 that integrate on-chip error correction mechanisms (On-Die ECC), where the same failure patterns have not been observed.
NVIDIA's public communications have been cautious. The company has referred to previously published security documentation This relates to previous Rowhammer attacks on GPUs, such as GPUHammer, and encourages concerned customers to consult mitigation guides. No specific firmware or driver updates have been detailed at this time to completely block these new attack vectors.
It is worth emphasizing, in any case, that There are no known active real-world incidents that are exploiting these methods against NVIDIA GPUs with GDDR6. These are, for now, academic proofs of concept, although their potential impact is serious enough that manufacturers, cloud providers, and large organizations are already taking note.
Antivirus limitations and why the attack is so difficult to detect
One of the most disturbing conclusions of these studies is that, as privileges escalate at the hardware levelTraditional security solutions have very limited visibility. Antivirus programs and many monitoring tools operate primarily in the operating system's space, but the problem here originates earlier, in the GPU's interaction with memory.
When the graphics card gains direct read and write access to the host's physical memory, operations are piped in. through the PCIe bus, bypassing some of the CPU controlsFrom the system's point of view, many of these actions are mistaken for legitimate accelerated computing traffic, so no clear alarms are triggered.
Furthermore, the hammering patterns have been designed to to go unnoticed by the protections of the memory chipsThis makes it difficult for security software to distinguish between normal intensive access (for example, from an AI or rendering application) and an attempted attack.
All this makes the purely software measures Antivirus software, EDR, and other security measures alone may not be enough to stop these types of attacks. The most effective defenses involve hardware configuration changes and, in the medium term, adjustments to the design of GPUs, memory, and controllers.
Mitigations: IOMMU, ECC, and configuration adjustments
The different research teams agree on two major immediate lines of defense for systems using NVIDIA GPUs with GDDR6 memory: Enable IOMMU in the BIOS and enable the error-correcting memory (ECC) on cards that allow it.
The Input/Output Memory Management Unit, IOMMU, allocates virtual addresses visible to devices (like the GPU) to specific physical addresses in the host's memory. This makes it possible to restrict which portions of RAM the card can directly access, reducing the scope of a potential exploit.
In theory, having IOMMU enabled should prevent a GPU-spoofed aperture mapping from freely targeting all of the CPU's memory. However, research indicates that It is not always enabled by default. In many commercial Linux distributions and systems, whether for compatibility or performance reasons, this leaves a considerable number of computers exposed.
The second major defense is the activation of ECC on the GPU. This feature allows... The memory automatically corrects many single-bit errorsThis means that a large portion of the bit-flips caused by Rowhammer are neutralized before they can be exploited. The problem is that ECC comes at a cost: it reduces the available usable memory and can result in a noticeable performance loss, which leads many professional users to keep it disabled.
To make matters worse, some studies suggest that Not all Rowhammer attacks are blocked by ECCCertain patterns could cause multi-bit errors that exceed the correction capacity, or introduce errors that are not detected as correctable, so although ECC significantly raises the bar, it is not a perfect solution.
Impact in Europe: Home PCs, workstations and cloud
In the European context, the scope of these vulnerabilities is especially relevant for three large user groups: individuals with gaming or content creation PCs, companies with graphics workstations, and cloud service providers that share GPUs among multiple clients.
In the home market, many mid-range and high-end systems include graphics cards like the GeForce RTX 3060This is one of the specific models where functional bit-flips and attack chains have been observed in the lab. However, the practical risk is currently considered low: the exploits are complex, require in-depth knowledge of the system, and no active campaigns have been observed applying them on a large scale.
Where the matter becomes more serious is in corporate environments and data centersThe RTX 6000 and RTX A6000 professional GPUs, designed for scientific computing, AI, advanced design or graphics virtualization, are common in European organizations in sectors such as engineering, automotive, banking or public research.
In shared cloud scenarios, a single GPU can serve multiple customers at onceIf one of them were to successfully execute a Rowhammer attack from their container or virtual machine, they could force a privilege escalation affecting the hypervisor or other tenants on the same server, with a potential impact on data confidentiality and availability.
Large cloud providers in Europe typically apply stricter security policies than a home PC: fine-tuned IOMMU configuration, resource segmentation, more aggressive monitoring, and, in many cases, ECC activation by default in their GPUs. Even so, this research serves as a reminder that not even high-end graphics accelerators are without risk.
What can users and organizations do right now?
For those who use NVIDIA GPUs with GDDR6 on a daily basis, whether in Spain or the rest of Europe, there are a number of reasonable steps that can be taken without panicking. The first is check the BIOS settings and the operating system to check if IOMMU is enabled and functioning correctly.
In professional environments and servers, especially when working with workstations with RTX 6000 or RTX A6000It's worth seriously considering enabling ECC, even at the cost of some performance and available memory loss. In many cases, the risk reduction more than compensates for this impact, especially when handling sensitive data or critical workloads.
It is also recommended Keep drivers and firmware updated of graphics cards, and closely monitor the security advisories published by NVIDIA and the critical updates in ChromeAlthough there is currently no miracle patch that completely eliminates the threat, updates are likely to appear that mitigate some vectors (for example, by correcting driver flaws exploited by GPUBreach).
For home users with an RTX 3060 or other Ampere models with GDDR6, the most practical advice is to Do not disable security measures for performance reasons Without a clear reason, avoid installing software of dubious origin that can execute code on the GPU and, in general, treat the graphics card as a component as sensitive as the CPU itself.
In the case of system administrators and security officers, these investigations justify Review GPU resource segmentation policies In virtualized environments, strengthen isolation between tenants and, if possible, limit direct access to low-level GPU APIs to truly necessary processes.
Everything points to the relationship between memory, graphics hardware and cybersecurity This gap will continue to narrow in the coming years. Rowhammer, far from being an academic curiosity of the past, has fully entered the realm of modern GPUs and has demonstrated that it can cross the boundary between graphics memory and host system memory.
Tests from GDDRHammer, GeForge, and GPUBreach show that It is possible to go from a simple bit-flip in GDDR6 to a shell with root privileges in the operating systemeven bypassing some of the current defenses. Although the threat currently remains theoretical and confined to the laboratory, the message for users, businesses, and cloud providers in Europe is clear: it's advisable to adjust configurations, enable available protection measures, and closely monitor how the industry and manufacturers respond to this new generation of Rowhammer attacks on GPUs.
