Your GPU's Memory Can Be Weaponized: How Rowhammer Broke Into Nvidia's Graphics Cards

Three research teams have independently proven that Rowhammer — a class of hardware attack that exploits the physical properties of dynamic RAM to corrupt data — works against modern Nvidia GPUs. The implications stretch from gaming rigs to cloud AI infrastructure, raising questions about whether the billions of GDDR6-equipped graphics cards in circulation carry an unpatched vulnerability at the silicon level.

What Is Rowhammer, and Why Does It Matter for GPUs?

Rowhammer is not a software bug. It is an electrical side effect of how DRAM stores data. Memory cells are arranged in rows, and when a program repeatedly reads from one row (the "aggressor"), the resulting electrical interference can flip bits in adjacent rows (the "victims") — changing a 0 to a 1 or vice versa without any direct write operation [1]. First documented against CPU memory in 2014, the technique has been progressively refined over a decade of academic research. Over 1,200 papers have been published on the topic since 2015, with annual output peaking at 198 publications in 2023 [2].

[Chart: Research Publications on "rowhammer". Source: OpenAlex. Data as of Jan 1, 2026.]

Until mid-2025, GPU memory was considered largely immune. GPU memory operates with roughly 4–5x higher latency than CPU DRAM (~300ns vs ~60ns), and GDDR6 refresh intervals (32ms or less) are shorter than CPU DRAM's 32–64ms windows, leaving less time for hammering to accumulate electrical interference [3]. Those properties made the attack seem impractical — until researchers at the University of Toronto proved otherwise.

Three Attacks, Three Teams, One Vulnerability Class

The research arrived in two waves. First came GPUHammer, presented at USENIX Security 2025 in Seattle by Chris S. Lin, Joyce Qu, and Gururaj Saileshwar of the University of Toronto [1]. GPUHammer demonstrated the first confirmed Rowhammer bit flips on a discrete GPU — an Nvidia RTX A6000 with GDDR6 memory — injecting up to 8 bit flips across 4 DRAM banks [3]. The paper won the CSAW'25 Best Paper Award for Technical Impact [4].

Then in early 2026, two more teams published follow-up work that significantly escalated the threat:

GDDRHammer ("Greatly Disturbing DRAM Rows"), from researchers at UNC Chapel Hill, Georgia Tech, and Mohamed bin Zayed University of AI, characterized 25 GDDR6 GPUs including Ampere and Ada-generation professional cards. Their techniques for bypassing in-device Rowhammer mitigations through GPU-parallel double-sided hammering produced on average ~64x more bit flips than GPUHammer had achieved, averaging 129 flips per memory bank [5][6].

GeForge ("Hammering GDDR Memory to Forge GPU Page Tables"), from researchers at Purdue, Clemson, the University of Rochester, the University of Western Australia, and HydroX AI, achieved the highest bit flip counts yet: 1,171 on an RTX 3060 and 202 on an RTX A6000 [5][7]. Both GDDRHammer and GeForge are scheduled for presentation at the 47th IEEE Symposium on Security and Privacy in May 2026 [5].

[Chart: Bit Flips Induced by GPU Rowhammer Attacks. Source: USENIX Security 2025 / IEEE S&P 2026. Data as of Apr 4, 2026.]

From Bit Flips to Full System Compromise

The bit flips themselves are just the first step. What makes the 2026 research alarming is the demonstrated escalation path from flipped bits to arbitrary system access.

GDDRHammer exploits the default CUDA memory allocator (cudaMalloc) to corrupt GPU page table entries, which map virtual memory addresses to physical memory locations. Once those entries are corrupted, an attacker running code on the GPU gains read/write access to all CPU memory — not just GPU VRAM [5][6].

GeForge takes a different approach, targeting GPU page directory structures rather than individual page table entries. The researchers developed a "memory-massaging" strategy that steers GPU page tables toward memory locations with known vulnerable bits, combined with a "page-anchoring" technique that locates GPU physical addresses at runtime. The result is the same: arbitrary read/write access to host memory, yielding root-level access on Linux systems when IOMMU is disabled [5][7].

A third attack, GPUBreach, demonstrated that these same bit flips can break confidentiality as well as integrity — leaking data from co-located processes on the same GPU [5].

Which GPUs Are Affected?

The vulnerability is tied to GDDR6 memory, not to Nvidia's GPU architecture specifically. Of the 25 GDDR6 GPUs tested by the GDDRHammer team, most were found vulnerable [5]. This encompasses a wide range of Nvidia products: the GeForce RTX 30-series and RTX 40-series consumer cards, the RTX A-series and RTX Pro workstation cards, and data center accelerators like the A40, A30, A16, and A10 [8].

Nvidia's July 2025 security notice covered an extensive product list spanning Blackwell, Ada, Hopper, Ampere, Turing, Volta, and Jetson product families [8]. However, the actual demonstrated vulnerability applies only to cards with GDDR6 memory. Cards with GDDR6X — including the RTX 4090, RTX 4080, and the Ada RTX 6000 — showed no bit flips in testing. The GDDRHammer researchers explicitly noted that "GDDR6X uses stronger mitigation than GDDR6" [5]. GPUs with GDDR7, including the GeForce RTX 50-series, implement on-die ECC that provides indirect protection [8]. And data center GPUs built on HBM2e or HBM3 memory — the A100, H100, H200, and B200 — have system-level ECC enabled by default on Hopper and Blackwell generations [8].

Nvidia controls approximately 92% of the discrete GPU market and over 97% of the data center GPU accelerator market [9]. The total installed base of GPUs globally approaches 3 billion units [9], though the fraction running GDDR6 specifically — versus integrated graphics, older GDDR5, or newer GDDR6X/HBM — is not precisely quantified in public data.

This Is Not Just an Nvidia Problem

AMD published its own security bulletin (AMD-SB-7049) acknowledging the GPUHammer findings and listing affected products: the entire Radeon consumer lineup, Radeon AI PRO 9000 series, Radeon PRO VII, and Radeon PRO W5000 through W7000 workstation series — all of which use GDDR6 [10]. AMD classified the bulletin as "informational" with no severity rating, and pointed to its Graphics ECC feature as a mitigation [10].

The framing of this as an "Nvidia problem" reflects the research teams' focus on Nvidia hardware (driven largely by CUDA's dominance in GPU computing) rather than a fundamental architectural difference between vendors. Any discrete GPU using GDDR6 DRAM is theoretically susceptible to the same class of attack. Intel's Arc GPUs, which also use GDDR6, have not been publicly tested, but there is no known architectural reason they would be immune [5].

Separate research from ETH Zurich found that all 6 tested HBM2 chips were vulnerable to Rowhammer in controlled settings, with up to 79% variation in bit error rates across memory channels — though HBM's on-die ECC provides a layer of protection that GDDR6 lacks [3].

The AI Model Integrity Problem

The GPUHammer team tested the attack's impact on five pretrained ImageNet classification models running on an RTX A6000: AlexNet, VGG16, ResNet50, DenseNet161, and InceptionV3. Each experienced accuracy drops between 56 and 80 percentage points from targeted bit flips, with the worst case showing a collapse from approximately 80% accuracy to 0.1% [11][1].

This builds on theoretical work from a 2019 paper called "Terminal Brain Damage" that predicted bit flips in the exponent portion of neural network weights could destroy model accuracy [11]. GPUHammer proved the prediction holds with real hardware attacks.

The AI safety implications are twofold. First, the attack requires only user-level CUDA privileges — no root access, no physical access to the machine [11]. In a multi-tenant cloud environment where multiple customers share physical GPU resources, an attacker's workload could run alongside a victim's model inference job. Second, the corruption is silent. The model continues to produce outputs; they are simply wrong. Standard ML observability tools cannot distinguish between accuracy degradation caused by data drift, model staleness, or a hardware-level attack [11].
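
The exponent effect and the silent-corruption problem described above can be reproduced on a toy model without a GPU. This Python example is added here and is not code from the GPUHammer paper or the cited sources: it stores a constructed 3-class linear layer as FP16, inverts one bit of one weight in software, and compares predictions and a SHA-256 digest of the weight buffer. The weights, inputs and function names are assumptions made for illustration.

```python
import hashlib
import struct

COLS = 4  # constructed toy layer: 3 classes x 4 features, stored as FP16
WEIGHTS = [0.5, -0.25, 0.125, 0.75,    # class 0
           -0.5, 0.5, 0.25, -0.125,    # class 1
           0.25, 0.125, -0.5, 0.5]     # class 2
INPUTS = [[1.0, 0.5, 0.25, 1.0], [0.25, 2.0, 1.0, 0.5],
          [3.0, 4.0, 0.25, 0.5], [0.5, 1.0, 0.25, 4.0]]  # constructed samples


def pack(weights):
    """Serialize weights as little-endian IEEE 754 half-precision floats."""
    return struct.pack(f"<{len(weights)}e", *weights)


def flip_bit(buf, index, bit):
    """Copy buf with one bit of FP16 word `index` inverted.
    Bits 0-9 are mantissa, 10-14 exponent, 15 sign."""
    out = bytearray(buf)
    (raw,) = struct.unpack_from("<H", out, 2 * index)
    struct.pack_into("<H", out, 2 * index, raw ^ (1 << bit))
    return bytes(out)


def weight(buf, index):
    return struct.unpack_from("<e", buf, 2 * index)[0]


def predict(buf, x):
    """Argmax of W @ x over the packed weight buffer."""
    w = struct.unpack(f"<{len(buf) // 2}e", buf)
    scores = [sum(wi * xi for wi, xi in zip(w[r:r + COLS], x))
              for r in range(0, len(w), COLS)]
    return scores.index(max(scores))


def changed_predictions(clean, corrupted):
    """Number of sample inputs whose predicted class differs."""
    return sum(predict(clean, x) != predict(corrupted, x) for x in INPUTS)


def digest(buf):
    """Baseline integrity value to record at load time and re-check later."""
    return hashlib.sha256(buf).hexdigest()


if __name__ == "__main__":
    clean = pack(WEIGHTS)
    for name, bit in (("mantissa LSB", 0), ("exponent MSB", 14)):
        bad = flip_bit(clean, 5, bit)
        print(f"{name}: weight {weight(clean, 5)} -> {weight(bad, 5)}, "
              f"{changed_predictions(clean, bad)}/{len(INPUTS)} predictions changed, "
              f"digest match: {digest(bad) == digest(clean)}")
```

The model returns a valid class index in every case, which is why output monitoring alone misses the corruption while the digest comparison catches both flips. The example hashes a host-side buffer; on a real deployment the weights would have to be read back from GPU memory and re-hashed on a schedule.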

Whether a subtly biased output — as opposed to a catastrophically wrong one — can be reliably induced through targeted bit flips remains an open question. The demonstrated attacks produced dramatic accuracy collapses rather than fine-grained steering of model behavior. Crafting a bit flip that produces a specific, subtle bias would require detailed knowledge of the target model's weight layout in memory, which is a substantially harder problem [11].

Cloud Exposure and Multi-Tenant Risk

The multi-tenant cloud scenario is where GPU Rowhammer poses the most concrete threat. Major cloud providers — AWS, Google Cloud, Azure, CoreWeave, Lambda Labs — all offer GPU instances where customers run workloads on shared physical infrastructure [12].

The degree of actual exposure depends on isolation architecture. Most hyperscale providers assign entire physical GPUs to individual tenants rather than sharing a single GPU across multiple customers. However, Nvidia's Multi-Instance GPU (MIG) technology on A100 and H100 cards does partition a single GPU for multi-tenant use — and those cards use HBM, not GDDR6, making them less susceptible [8].

The more realistic cloud attack vector involves GDDR6-equipped professional GPUs (A40, A30, A16, A10) deployed in inference and rendering workloads where providers may offer less isolation than they do for flagship HBM-based training clusters. Over one-third of cloud GPU environments were found running vulnerable Nvidia Container Toolkit software (GPU Operator ≤ v24.6.1) in a separate security audit [12].

No major cloud provider has issued a specific advisory in response to the GPUHammer, GDDRHammer, or GeForge research as of April 2026. Microsoft Azure offers confidential VMs with H100 GPUs in preview, which provide hardware-level memory encryption [12]. The most advanced GPU cloud operators — CoreWeave, Oracle Cloud, AWS, GCP, and Azure — implement tenant isolation using Data Processing Units (DPUs), which adds a hardware-level network and memory isolation layer [12].

Nvidia's Response and the Cost of Mitigation

Nvidia published its security notice on July 9, 2025, following the GPUHammer disclosure [8]. The notice did not assign a CVE number. The primary recommendation was to enable system-level ECC via the command nvidia-smi -e 1 followed by a reboot [8].

The problem is that ECC is not free. Enabling it on supported GPUs reduces total VRAM capacity by 6.5%, cuts memory bandwidth by up to 12%, and slows ML workloads by 3–10% [13]. For consumer GPUs — the RTX 3060, RTX 3070, RTX 4060 — system-level ECC is not available at all [8].

[Chart: ECC Mitigation Performance Overhead on GPUs. Source: NVIDIA / Bleeping Computer. Data as of Jul 9, 2025.]

Nvidia also recommends enabling IOMMU (Input/Output Memory Management Unit) through the system BIOS, which restricts how the GPU can access host CPU memory and blocks the escalation path from GPU-side bit flips to full system compromise [5][8]. IOMMU is a system-level setting that does not require GPU hardware changes, but it is not enabled by default on most consumer and workstation configurations.
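
One way to check both settings on a Linux host, as an added example that is not Nvidia's tooling or code from the cited sources: it reads ECC state from nvidia-smi's CSV query output and treats a populated /sys/kernel/iommu_groups as evidence of an active IOMMU. The verdict labels, function names and sample rows are assumptions, and the sample output is constructed.

```python
import os
import shutil
import subprocess

# Real nvidia-smi query fields; ECC-incapable cards typically report "[N/A]".
QUERY = ["nvidia-smi", "--format=csv,noheader",
         "--query-gpu=index,name,ecc.mode.current,ecc.mode.pending"]
IOMMU_GROUPS = "/sys/kernel/iommu_groups"  # has entries only with an active IOMMU

# Constructed sample output, used when nvidia-smi is not installed.
SAMPLE = """\
0, NVIDIA RTX A6000, Disabled, Disabled
1, NVIDIA RTX A6000, Disabled, Enabled
2, NVIDIA A40, Enabled, Enabled
3, NVIDIA GeForce RTX 3060, [N/A], [N/A]
"""


def ecc_verdicts(csv_text):
    """Map each GPU row to (index, name, verdict)."""
    rows = []
    for line in csv_text.strip().splitlines():
        index, name, current, pending = (f.strip() for f in line.split(","))
        if current == "Enabled":
            verdict = "ok"
        elif pending == "Enabled":
            verdict = "reboot-pending"   # nvidia-smi -e 1 issued, not yet active
        elif current == "Disabled":
            verdict = "enable-ecc"       # supported but switched off
        else:
            verdict = "ecc-unavailable"  # no system-level ECC on this card
        rows.append((int(index), name, verdict))
    return rows


def iommu_active(groups_dir=IOMMU_GROUPS):
    """True when the kernel has created at least one IOMMU group."""
    return os.path.isdir(groups_dir) and bool(os.listdir(groups_dir))


def audit(csv_text, groups_dir=IOMMU_GROUPS):
    """Return a list of findings; an empty list means both mitigations are on."""
    findings = [f"GPU {i} ({name}): {v}"
                for i, name, v in ecc_verdicts(csv_text) if v != "ok"]
    if not iommu_active(groups_dir):
        findings.append("IOMMU inactive: GPU access to host memory is not restricted")
    return findings


if __name__ == "__main__":
    text = (subprocess.run(QUERY, capture_output=True, text=True, check=True).stdout
            if shutil.which("nvidia-smi") else SAMPLE)
    print("\n".join(audit(text)) or "no findings")
```

A populated iommu_groups directory is necessary but not sufficient: a kernel booted in IOMMU passthrough mode still creates groups, so confirm the DMA translation mode separately.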

For its newest hardware, Nvidia points to built-in protections: Hopper and Blackwell data center GPUs (H100, H200, B200, GB200) have ECC enabled by default, and GDDR7-equipped RTX 50-series consumer cards implement on-die ECC [8]. The gap is the current generation of GDDR6 consumer and mid-range professional cards, which have no hardware-level fix available.

How Difficult Is Real-World Exploitation?

The steelman case that the threat is overstated has several components.

First, the attacks demonstrated in the research papers require the attacker to run code directly on the target GPU. This is possible in multi-tenant cloud environments and in scenarios involving malicious CUDA applications, but it is not a remote attack — an adversary cannot Rowhammer a GPU over a network [1][5].

Second, the bit flip rates, while dramatically improved in the 2026 papers, are still stochastic. The attacker cannot choose exactly which bit to flip; they can influence the probability through careful memory layout manipulation, but the outcome involves some randomness [5]. This makes precision attacks — such as flipping a specific bit in a specific model weight to induce a targeted bias — substantially harder than the demonstrated proof-of-concept attacks.

Third, the escalation to full host memory access requires IOMMU to be disabled. On properly configured cloud and enterprise systems, IOMMU should be enabled, which blocks the most severe attack path [5][8].

Fourth, the GDDRHammer team noted that prior academic work (ECCploit, ECC.fail) has found ways to bypass ECC protections in CPU DRAM contexts [6], but no such bypass has been demonstrated for GPU ECC implementations specifically. The effectiveness of ECC as a mitigation for GPU Rowhammer has not yet been defeated in published research.

Against these caveats, the counterargument is that defenses are opt-in and not universally deployed. ECC is off by default on many professional GPUs, IOMMU is commonly disabled in consumer and some enterprise configurations, and cloud operators vary widely in their isolation practices. The research demonstrated a practical attack path, not a theoretical one, and follow-up work within less than a year escalated it by orders of magnitude [5].

There is no public evidence that GPU Rowhammer has been exploited outside of controlled laboratory conditions. The attack class remains, as of April 2026, a demonstrated research capability rather than a documented threat in the wild.

What Comes Next

The rapid escalation from 8 bit flips (GPUHammer, mid-2025) to over 1,100 (GeForge, early 2026) shows an active research area with techniques improving quickly. GDDR6 memory will remain in circulation for years across millions of GPUs that cannot be patched at the hardware level. The mitigations — ECC, IOMMU, memory isolation — exist but carry performance costs and configuration burdens that many deployments will not adopt voluntarily.

For data center operators running AI inference on GDDR6-equipped GPUs, the research creates a concrete action item: enable ECC, enable IOMMU, and audit tenant isolation practices. For consumer users, the practical risk remains low — the attack requires local GPU code execution, which most threat models already address through standard software security. For the broader hardware security community, the lesson is that DRAM-level vulnerabilities do not respect the boundary between CPUs and GPUs, and that memory technologies designed without Rowhammer in mind will eventually be tested by researchers who find a way through.

Sources (13)

[1] GPUHammer: Rowhammer Attacks on GPU Memories are Practical (gpuhammer.com)
    First demonstrated Rowhammer attack on NVIDIA GPUs with GDDR6 DRAM, presented at USENIX Security 2025 by University of Toronto researchers.

[2] GPUHammer: Rowhammer Attacks on GPU Memories are Practical (arXiv) (arxiv.org)
    Full research paper by Chris S. Lin, Joyce Qu, and Gururaj Saileshwar detailing bit flip injection on NVIDIA A6000 GPU with GDDR6 memory.

[3] GPUHammer USENIX Security 2025 Paper (PDF) (gururaj-s.github.io)
    Technical details on GPU memory latencies (~300ns), GDDR6 refresh intervals, and the challenges of adapting Rowhammer from CPU to GPU DRAM.

[4] U of T researchers find GPU vulnerability with effects on AI model accuracy (web.cs.toronto.edu)
    University of Toronto announcement of GPUHammer research and CSAW'25 Best Paper Award for Technical Impact.

[5] New 'GeForge' and 'GDDRHammer' attacks can fully infiltrate your system through Nvidia's GPU memory (tomshardware.com)
    Tom's Hardware coverage of GDDRHammer and GeForge attacks, including bit flip counts (1,171 on RTX 3060) and escalation to host memory access.

[6] GPU Memory Exploits — GDDRHammer and GeForge (gddr.fail)
    Research site for GDDRHammer (UNC Chapel Hill, Georgia Tech) and GeForge (Purdue, Clemson, U of Rochester) with technical details on 25-GPU characterization.

[7] Rowhammer Exploit Now Targets GDDR6 GPUs, Enables Full System Memory Access (guru3d.com)
    Coverage of GeForge page-directory attack technique enabling root-level access on Linux systems when IOMMU is disabled.

[8] Security Notice: Rowhammer - July 2025 | NVIDIA (nvidia.custhelp.com)
    Nvidia's official security notice covering Blackwell through Volta product families, recommending ECC enablement and listing affected GPU models.

[9] NVIDIA Controls 92% of the GPU Market in 2025 (carboncredits.com)
    Nvidia market share data: 92% of discrete GPU market, over 97% of data center GPU accelerators, approaching 3 billion GPU installed base globally.

[10] AMD Security Bulletin AMD-SB-7049: GPUHammer (amd.com)
    AMD's informational security bulletin acknowledging GDDR6 Rowhammer vulnerability across Radeon and Radeon PRO product lines, recommending Graphics ECC.

[11] GPU Rowhammer Is Real: A Single Bit Flip Drops AI Model Accuracy from 80% to 0.1% (blog.barrack.ai)
    Analysis of GPUHammer's AI model impact: 56-80 percentage point accuracy drops on AlexNet, VGG16, ResNet50, DenseNet161, and InceptionV3.

[12] GPUHammer: Why Nvidia's Rowhammer Vulnerability Matters Most for AI in the Cloud (thepixelspulse.com)
    Analysis of multi-tenant cloud GPU exposure, noting over one-third of cloud GPU environments running vulnerable Nvidia Container Toolkit software.

[13] NVIDIA shares guidance to defend GDDR6 GPUs against Rowhammer attacks (bleepingcomputer.com)
    Details on ECC performance overhead: 6.5% VRAM capacity loss, up to 12% bandwidth reduction, 3-10% ML workload slowdown.