Threat Intelligence Report: GPUHammer and GPUBreach, Rowhammer Comes to the GPU
CISO Executive Summary
Overview
GPUHammer is the first demonstrated Rowhammer attack against discrete NVIDIA GPU memory. Presented at USENIX Security 2025 by researchers at the University of Toronto and responsibly disclosed to NVIDIA in January 2025, it induces electrical bit flips in GDDR6 memory to corrupt data without ever accessing it directly. NVIDIA published a Rowhammer security notice in July 2025. The attack drew renewed attention in 2026 alongside GPUBreach, a follow-on technique that escalates GPU Rowhammer from data corruption to root-level system compromise.
Impact
GPUHammer’s headline result is an integrity attack on AI itself: a single targeted bit flip degraded an ImageNet deep neural network’s accuracy from roughly 80% to 0.1%, effectively destroying the model while it appeared to run normally. For organizations relying on shared or cloud GPUs, this is a stealthy way to sabotage model behavior. GPUBreach raises the stakes further by using GPU bit flips to hijack page tables and gain read/write access to system memory, turning a hardware fault into a path to full compromise.
Mitigation
- Enable ECC: System-level ECC mitigates Rowhammer; NVIDIA’s guidance is to enable it on affected GPUs, accepting the performance and capacity trade-off.
- Prefer memory with on-die ECC: Newer accelerators such as H100 (HBM3) and RTX 5090 (GDDR7) include on-die ECC that masks single-bit flips.
- Avoid untrusted GPU co-tenancy: Do not share a physical GPU between trust domains for sensitive workloads; require hardware isolation.
- Validate model integrity: Monitor production model accuracy and outputs so silent degradation is detected, not assumed away.
Engineering Breakdown
Vulnerability Details
- Name: GPUHammer (USENIX Security 2025); GPUBreach (2026 escalation)
- Class: Rowhammer / hardware fault injection on GPU DRAM
- Disclosed to NVIDIA: 15 January 2025; NVIDIA security notice July 2025
- Demonstrated on: NVIDIA A6000 (GDDR6); bit flips also shown on RTX 3060
- Primary mitigation: System-level ECC; on-die ECC on HBM3/GDDR7
Description
Rowhammer exploits the physics of dense DRAM: rapidly and repeatedly accessing one memory row can disturb the charge in adjacent rows and flip bits. The technique was previously thought impractical on GPUs due to higher memory latency and proprietary addressing. GPUHammer overcame those obstacles, inducing up to 1,171 bit flips on tested hardware and proving the attack is practical on GDDR6 GPUs.
Technical Analysis
Per the GPUHammer paper and USENIX presentation, the researchers reverse-engineered GPU DRAM addressing and access patterns to reliably hammer aggressor rows and flip bits in a victim’s data. Applied to machine learning, a precisely placed flip in a model’s most significant exponent bits collapses accuracy while leaving the system outwardly healthy. As SecurityWeek reported, the GPUBreach evolution chains GPU bit flips into page-table manipulation to obtain a root shell, demonstrating that GPU memory faults are not merely an availability or integrity nuisance but a confidentiality and control risk.
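The exponent-bit effect described above, as an added example that is not taken from the paper or from NVIDIA: it simulates a single flipped bit in a host-side copy of FP16 weights and shows that a baseline SHA-256 digest detects any flip, while a magnitude check only catches the large excursions. FP16 storage, the sample weights, the `limit` threshold and all function names are assumptions made for illustration.

```python
import hashlib
import struct

# Constructed sample: six FP16 weights standing in for one model layer.
WEIGHTS = [0.0123, -0.25, 0.5, 0.0310, -0.0075, 0.125]

def pack_fp16(values):
    """Serialize values as little-endian IEEE 754 half precision."""
    return bytearray(struct.pack(f"<{len(values)}e", *values))

def unpack_fp16(buf):
    return list(struct.unpack(f"<{len(buf) // 2}e", bytes(buf)))

def flip_bit(buf, index, bit):
    """Simulate a memory fault: flip one bit (0..15) of the FP16 at index.
    FP16 layout: bit 15 sign, bits 14..10 exponent, bits 9..0 mantissa."""
    out = bytearray(buf)
    out[index * 2 + bit // 8] ^= 1 << (bit % 8)
    return out

def digest(buf):
    return hashlib.sha256(bytes(buf)).hexdigest()

def audit(buf, baseline_digest, limit=16.0):
    """Return (digest_matches, indices of NaN or out-of-range weights).
    limit is an assumed bound on legitimate weight magnitude."""
    outliers = [i for i, w in enumerate(unpack_fp16(buf))
                if w != w or abs(w) > limit]
    return digest(buf) == baseline_digest, outliers

if __name__ == "__main__":
    clean = pack_fp16(WEIGHTS)
    baseline = digest(clean)  # recorded when the model is deployed
    cases = {
        "clean": clean,
        "exponent MSB flip, weight 0": flip_bit(clean, 0, 14),
        "mantissa LSB flip, weight 2": flip_bit(clean, 2, 0),
    }
    for name, buf in cases.items():
        ok, outliers = audit(buf, baseline)
        print(f"{name}: digest_ok={ok} outliers={outliers} "
              f"values={unpack_fp16(buf)}")
```

The exponent flip scales the first weight by 2^16, which is why one bit is enough to wreck inference, whereas the mantissa flip stays inside the range check and is visible only through the digest mismatch.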
Why It Matters
GPUHammer breaks a comfortable assumption that hardware fault attacks are a CPU-era concern. As GPUs become the substrate for an organization’s most valuable models, the integrity of GPU memory becomes a security property, not just a reliability one. The defense is unglamorous but effective: enable ECC, prefer hardware with on-die ECC, and refuse to share physical GPUs across trust boundaries for sensitive work.
Sources
- GPUHammer paper — arXiv
- USENIX Security 2025 presentation
- NVIDIA Rowhammer security notice (July 2025)
- SecurityWeek: GPUBreach root shell via GPU Rowhammer
Stay Vigilant