Rowhammer Attacks Grant Complete Control of Systems via NVIDIA GPUs
New research demonstrates that **Rowhammer** attacks can be leveraged against **NVIDIA** GPUs to gain full control of a host machine. By exploiting vulnerabilities in GDDR memory, attackers can achieve arbitrary read/write access to CPU memory, leading to complete system compromise.
A newly discovered **Rowhammer** attack allows for complete control of machines running **NVIDIA** GPUs. Two independent research teams have demonstrated attacks against **NVIDIA's** Ampere generation cards, exploiting GDDR bitflips to gain control of CPU memory and fully compromise the host system.
### GDDRHammer: Cross-Component Rowhammer Attacks
According to a paper titled "GDDRHammer: Greatly Disturbing DRAM Rows—Cross-Component Rowhammer Attacks from Modern GPUs," the attack requires that IOMMU memory management be disabled, which is often the default BIOS setting.
"Our work shows that Rowhammer, which is well-studied on CPUs, is a serious threat on GPUs as well," stated **Andrew Kwong**, co-author of the **GDDRHammer** paper. The research highlights how an attacker can induce bit flips on the GPU to gain arbitrary read/write access to the CPU's memory.
### GeForge: Hammering GDDR Memory for Privilege Escalation
A separate paper, "GeForge: Hammering GDDR Memory to Forge GPU Page Tables for Fun and Profit," details a similar attack. Instead of exploiting the last-level page table like **GDDRHammer**, **GeForge** manipulates the last-level page directory.
The researchers were able to induce 1,171 bitflips against the **RTX 3060** and 202 bitflips against the **RTX 6000**. **GeForge** uses novel hammering patterns and memory massaging to corrupt GPU page table mappings in GDDR6 memory, granting read and write access to the GPU memory space and, subsequently, the host CPU memory.
The proof-of-concept exploit against the **RTX 3060** culminates in opening a root shell window, allowing the attacker to execute commands with unfettered privileges on the host machine. Researchers confirmed that both **GDDRHammer** and **GeForge** could achieve the same results against the **RTX 6000**.
### IOMMU Bypass
Further research unveiled a third **Rowhammer** attack, demonstrated on the **RTX A6000**, that achieves privilege escalation to a root shell even when IOMMU is enabled, unlike the previous two attacks.
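Since **GDDRHammer** and **GeForge** depend on the IOMMU being disabled, a host can be audited for that precondition. The shell function below is an added example, not code from the papers or from NVIDIA: it reports, for each NVIDIA PCI device on a Linux host, whether the device sits in an IOMMU group whose default domain translates DMA. The function name and the optional sysfs-root argument are assumptions of this example, and a `translated` result says nothing about the third attack, which works with IOMMU enabled.

```bash
#!/bin/sh
# Added example: audit the IOMMU posture of NVIDIA PCI devices via Linux sysfs.
# gpu_iommu_report and its optional sysfs-root argument are hypothetical names
# chosen for this example; the sysfs paths are the standard Linux ones.
#
# Output, one line per NVIDIA device:
#   <pci-address> <iommu-group|none> <domain-type|none> <translated|untranslated>
# Return code: 0 = every NVIDIA device is translated, 1 = at least one is not,
#              2 = no NVIDIA PCI device found.
gpu_iommu_report() {
    local root="${1:-/sys}" dev vendor group dom verdict found=0 exposed=0
    for dev in "$root"/bus/pci/devices/*; do
        [ -r "$dev/vendor" ] || continue
        vendor=$(cat "$dev/vendor")
        [ "$vendor" = "0x10de" ] || continue        # 0x10de = NVIDIA PCI vendor ID
        found=1
        if [ -e "$dev/iommu_group" ]; then
            # iommu_group is a symlink to /sys/kernel/iommu_groups/<N>
            group=$(basename "$(readlink -f "$dev/iommu_group")")
            # 'type' is the group's default domain: DMA and DMA-FQ translate
            # device DMA; identity is passthrough (e.g. iommu=pt), no isolation.
            dom=$(cat "$root/kernel/iommu_groups/$group/type" 2>/dev/null || echo unknown)
        else
            # No group: IOMMU disabled in firmware/kernel, or device not behind one.
            group=none
            dom=none
        fi
        case "$dom" in
            DMA|DMA-FQ) verdict=translated ;;
            *)          verdict=untranslated; exposed=1 ;;
        esac
        printf '%s %s %s %s\n' "$(basename "$dev")" "$group" "$dom" "$verdict"
    done
    [ "$found" -eq 1 ] || return 2
    return "$exposed"
}

# Usage on a live host (reads /sys):
#   gpu_iommu_report || echo "review IOMMU settings for the devices listed above"
```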