xiand.ai
Apr 16, 2026 · Updated 12:14 PM UTC
Cybersecurity

GPUBreach Attack Exploits Rowhammer Vulnerability to Seize System Root Privileges

Researchers have uncovered a new attack technique dubbed 'GPUBreach,' which exploits Rowhammer vulnerabilities in GPU memory to bypass IOMMU protections and gain full control over a system.

Ryan Torres

2 min read

A conceptual image of high-performance server hardware.

Researchers at the University of Toronto have recently disclosed a new attack vector known as GPUBreach. This technique leverages Rowhammer bit-flipping vulnerabilities within GPU GDDR6 memory to achieve privilege escalation, ultimately allowing attackers to take complete control of a victim's system.

Attack Mechanism and Impact

The research team demonstrated how Rowhammer-induced bit flips can corrupt entries in the GPU's page tables (PTEs). A flipped bit in a PTE changes which physical page a virtual address resolves to, so an unprivileged CUDA kernel ends up with read and write access to GPU memory it was never mapped, and from there to any GPU memory it chooses. With that primitive in hand, attackers exploit memory-safety vulnerabilities in NVIDIA's drivers to escalate from the GPU to the host CPU.
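To make that mechanism concrete, here is an added illustration, not code from the GPUBreach paper and not NVIDIA's page-table format: a toy page-table walker with a hypothetical 32-bit PTE layout, 64-byte pages and a single-level table. One flipped bit in the frame-number field of the attacker's own PTE makes that virtual page alias the frame that holds the page table itself; from there the attacker writes a PTE of its choosing and reads a frame it was never mapped. The frame numbers, the PTE layout and the "secret" byte are all constructed for the demo.

```c
/* pte_flip_sim.c - toy model of a Rowhammer bit flip in a page-table entry
 * (PTE) becoming arbitrary read/write.  The PTE layout, page size and frame
 * numbers are invented for this demo; this is NOT NVIDIA's GPU PTE format. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE      64u                 /* toy page size in bytes */
#define NFRAMES        64u                 /* simulated physical frames */
#define NVPAGES        (PAGE_SIZE / 4u)    /* 4-byte PTEs, one-level table */
#define PTE_VALID      (1u << 0)
#define PTE_WRITE      (1u << 1)
#define PTE_PFN_SHIFT  8u                  /* hypothetical: PFN in bits 8..15 */

#define PT_FRAME       5u   /* frame holding the page table        (0b000101) */
#define ATTACKER_FRAME 13u  /* frame the attacker legitimately owns (0b001101) */
#define SECRET_FRAME   40u  /* privileged frame, never mapped for the attacker */
#define ATTACKER_VPAGE 3u
#define TARGET_VPAGE   7u   /* unmapped until the attacker maps it */

static uint8_t phys[NFRAMES][PAGE_SIZE];   /* simulated physical memory */

/* PTEs are stored little-endian so byte/bit positions are host-independent. */
static uint32_t pte_load(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void pte_store(uint8_t *p, uint32_t v)
{
    for (unsigned i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}
static uint32_t make_pte(unsigned pfn, unsigned flags)
{
    return (pfn << PTE_PFN_SHIFT) | flags;
}

/* Page-table walk: frame for a virtual page, or -1 on an invalid entry or a
 * write to a read-only page.  This is the only access check in the model. */
static int translate(unsigned vpage, int want_write)
{
    if (vpage >= NVPAGES) return -1;
    uint32_t pte = pte_load(&phys[PT_FRAME][vpage * 4]);
    if (!(pte & PTE_VALID)) return -1;
    if (want_write && !(pte & PTE_WRITE)) return -1;
    return (int)((pte >> PTE_PFN_SHIFT) & 0xFFu);
}
static int vread(unsigned va)                 /* byte value, or -1 on fault */
{
    int f = translate(va / PAGE_SIZE, 0);
    return f < 0 ? -1 : phys[f][va % PAGE_SIZE];
}
static int vwrite(unsigned va, uint8_t v)     /* 0, or -1 on fault */
{
    int f = translate(va / PAGE_SIZE, 1);
    if (f < 0) return -1;
    phys[f][va % PAGE_SIZE] = v;
    return 0;
}

/* A Rowhammer flip is a DRAM effect: one bit toggles with no access check. */
static void rowhammer_flip(unsigned frame, unsigned byte, unsigned bit)
{
    phys[frame][byte] ^= (uint8_t)(1u << bit);
}

static void setup(void)
{
    memset(phys, 0, sizeof phys);
    pte_store(&phys[PT_FRAME][ATTACKER_VPAGE * 4],
              make_pte(ATTACKER_FRAME, PTE_VALID | PTE_WRITE));
    phys[SECRET_FRAME][0] = 0x42;             /* constructed "secret" byte */
}

/* Without the flip the target page has no mapping: the read faults (-1). */
int secret_reachable_before(void)
{
    setup();
    return vread(TARGET_VPAGE * PAGE_SIZE);
}

/* Full chain: one flip -> attacker's page aliases the page table -> attacker
 * installs its own PTE -> reads the secret frame.  Returns the byte read. */
int run_attack(void)
{
    setup();
    /* PFN 13 and PFN 5 differ only in PFN bit 3 = PTE bit 11 = byte 1, bit 3. */
    rowhammer_flip(PT_FRAME, ATTACKER_VPAGE * 4 + 1, 3);
    if (translate(ATTACKER_VPAGE, 1) != (int)PT_FRAME) return -2;

    /* The attacker's virtual page now IS the page-table frame: write a
     * valid+writable PTE for TARGET_VPAGE that points at SECRET_FRAME. */
    uint32_t evil = make_pte(SECRET_FRAME, PTE_VALID | PTE_WRITE);
    for (unsigned i = 0; i < 4; i++)
        if (vwrite(ATTACKER_VPAGE * PAGE_SIZE + TARGET_VPAGE * 4 + i,
                   (uint8_t)(evil >> (8 * i))) < 0) return -3;

    return vread(TARGET_VPAGE * PAGE_SIZE);  /* 0x42 from SECRET_FRAME */
}

int main(void)
{
    printf("target page before flip: %d (fault)\n", secret_reachable_before());
    printf("target page after attack: 0x%02x\n", run_attack());
    return 0;
}
```

The point to take from the model is that the only access check (the `translate` walk) reads its policy from memory the flip can reach, so a single bit is enough to turn a normal mapping into a mapping of the page table itself; everything after that is ordinary writes.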

Unlike previous methods, GPUBreach remains effective even when IOMMU (Input-Output Memory Management Unit) protection is enabled. An IOMMU defends against Direct Memory Access (DMA) attacks by restricting which regions of host memory a device may reach. That is the wrong layer for this attack: the page tables being corrupted sit in the GPU's own memory and govern what a CUDA kernel can touch there, and the final hop to the host goes through driver bugs rather than rogue DMA, so the IOMMU never gets a say.

As the research team noted: "GPUBreach demonstrates that GPU Rowhammer attacks have evolved from simple data corruption into a genuine privilege escalation vector. By corrupting GPU page tables, an attacker can gain arbitrary memory read/write access, which, when combined with vulnerabilities in NVIDIA drivers, can lead to a root shell."

The experiments were conducted on the NVIDIA RTX A6000, a GPU widely used for AI development and training. Because the attack works with the IOMMU enabled, and ends in privilege escalation rather than corrupted data, it poses a significantly higher threat than the earlier GPUHammer attack.

The researchers reported their findings to NVIDIA, Google, Amazon Web Services (AWS) and Microsoft on November 11, 2025. Google acknowledged the vulnerability and awarded the researchers a $600 bug bounty. NVIDIA said it is reviewing its security advisories and may update the defensive recommendations it issued for earlier attacks of this kind.

For consumer-grade GPUs that lack ECC (Error Correction Code) memory, there are currently no effective mitigations. ECC is not a complete answer either: the usual single-error-correcting, double-error-detecting scheme corrects one flipped bit per code word and flags two, but three or more flips landing in the same word can be miscorrected or go undetected, so ECC raises the cost of the attack rather than ruling it out.
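To see exactly where ECC's guarantee ends, here is an added example, not from the paper or from NVIDIA, of a toy single-error-correcting, double-error-detecting (SECDED) Hamming code over an 8-bit word. Real memory ECC uses wider code words, but the arithmetic is the same: one flip is corrected, two are flagged as uncorrectable, and three flips in the same word are "corrected" into the wrong value with a clean status. The data byte and flip positions are constructed for the demo.

```c
/* secded_demo.c - what SECDED ECC does and does not catch.  Toy (13,8)
 * Hamming code: 8 data bits, 4 Hamming check bits, 1 overall parity bit.
 * Constructed for illustration; real ECC uses wider words, same limit. */
#include <stdint.h>
#include <stdio.h>

/* Codeword bit i holds Hamming position i (1..12); bit 0 is overall parity.
 * Positions 1,2,4,8 are check bits; data bits 0..7 go to these positions: */
static const unsigned data_pos[8] = { 3, 5, 6, 7, 9, 10, 11, 12 };

static int parity16(uint16_t v)          /* 1 if an odd number of bits set */
{
    int p = 0;
    for (; v; v >>= 1) p ^= v & 1;
    return p;
}

uint16_t secded_encode(uint8_t d)
{
    uint16_t cw = 0;
    for (unsigned k = 0; k < 8; k++)
        if (d & (1u << k)) cw |= (uint16_t)(1u << data_pos[k]);
    /* check bit p covers every position i with (i & p) != 0 */
    for (unsigned p = 1; p <= 8; p <<= 1) {
        int par = 0;
        for (unsigned i = 1; i <= 12; i++)
            if ((i & p) && (cw & (1u << i))) par ^= 1;
        if (par) cw |= (uint16_t)(1u << p);
    }
    if (parity16(cw)) cw |= 1;            /* make the whole word even parity */
    return cw;
}

/* Returns 0 = clean, 1 = single error corrected, 2 = double error detected
 * (data not trusted).  Three or more flips are NOT reliably distinguished:
 * an odd count looks like a single error and gets "corrected" wrongly. */
int secded_decode(uint16_t cw, uint8_t *out)
{
    unsigned syndrome = 0;                /* XOR of set positions = error position */
    for (unsigned i = 1; i <= 12; i++)
        if (cw & (1u << i)) syndrome ^= i;
    int overall = parity16(cw);           /* 1 means an odd number of flips */
    int status;
    if (syndrome == 0 && overall == 0) {
        status = 0;
    } else if (overall == 1) {            /* odd flips: assume exactly one */
        if (syndrome) cw ^= (uint16_t)(1u << syndrome);
        status = 1;
    } else {                              /* even flips, nonzero syndrome */
        status = 2;
    }
    uint8_t d = 0;
    for (unsigned k = 0; k < 8; k++)
        if (cw & (1u << data_pos[k])) d |= (uint8_t)(1u << k);
    *out = d;
    return status;
}

/* Convenience wrappers: decode status, and decoded byte or -1 if flagged. */
int status_of(uint16_t cw) { uint8_t d; return secded_decode(cw, &d); }
int data_of(uint16_t cw)   { uint8_t d; return secded_decode(cw, &d) == 2 ? -1 : d; }

int main(void)
{
    uint16_t cw    = secded_encode(0xA5);
    uint16_t one   = cw ^ (1u << 5);                           /* 1 flip  */
    uint16_t two   = cw ^ (1u << 5) ^ (1u << 9);               /* 2 flips */
    uint16_t three = cw ^ (1u << 5) ^ (1u << 9) ^ (1u << 11);  /* 3 flips */
    printf("1 flip : status %d data 0x%02x (corrected)\n", status_of(one), data_of(one));
    printf("2 flips: status %d data %d (detected, rejected)\n", status_of(two), data_of(two));
    printf("3 flips: status %d data 0x%02x (silently wrong)\n", status_of(three), data_of(three));
    return 0;
}
```

The third case is the one that matters for Rowhammer: the decoder reports a successful correction, so nothing upstream is told the word is bad. Whether an attacker can land three flips in one code word is a question of cell geometry and hammering effort, not of the code.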

The research team plans to formally present their technical findings at the IEEE Symposium on Security and Privacy in Oakland on April 13, at which time they will also release reproduction scripts on GitHub.
