GPUBreach: New RowHammer Attacks Target GPUs, Leading to Privilege Escalation and Potential System Compromise
New research has uncovered a series of RowHammer attacks targeting high-performance GPUs, dubbed **GPUBreach**, **GDDRHammer**, and **GeForge**. These attacks can escalate privileges and potentially grant attackers full control of a host system by exploiting vulnerabilities in GPU memory management.

### GPUBreach: A Deep Dive
The **GPUBreach** attack goes beyond previous **GPUHammer** research by demonstrating that RowHammer bit-flips in GPU memory can do more than just corrupt data. Researchers have proven it can lead to privilege escalation and even full system compromise.
According to Gururaj Saileshwar, Assistant Professor at the **University of Toronto** and one of the study's authors, "By corrupting GPU page tables via GDDR6 bit-flips, an unprivileged process can gain arbitrary GPU memory read/write, and then chain that into full CPU privilege escalation — spawning a root shell — by exploiting memory-safety bugs in the **NVIDIA** driver."
What sets GPUBreach apart is its ability to function even with the input-output memory management unit (**IOMMU**) enabled. The IOMMU is a critical hardware component designed to prevent Direct Memory Access (DMA) attacks and isolate peripherals to their own memory space.
Saileshwar explains, "GPUBreach shows it is not enough: by corrupting trusted driver state within IOMMU-permitted buffers, we trigger kernel-level out-of-bounds writes — bypassing IOMMU protections entirely without needing it disabled. This has serious implications for cloud AI infrastructure, multi-tenant GPU deployments, and HPC environments."
### Understanding RowHammer
RowHammer is a well-known Dynamic Random-Access Memory (DRAM) reliability issue. Repeated accesses to a memory row can cause electrical interference that flips bits in adjacent rows, undermining the isolation guarantees that are fundamental to modern operating systems and sandboxes.
DRAM manufacturers have implemented hardware-level mitigations, such as Error-Correcting Code (ECC) and Target Row Refresh (TRR), to combat RowHammer attacks.
### GPUHammer Precedent
Research published in July 2025 by the **University of Toronto** extended the RowHammer threat to GPUs with **GPUHammer**. This attack targets **NVIDIA** GPUs using GDDR6 memory and utilizes techniques like multi-threaded parallel hammering to overcome architectural challenges that previously made GPUs immune to bit flips.
A successful GPUHammer exploit can lead to a significant drop in machine learning (ML) model accuracy, potentially degrading it by up to 80%.
### GPUBreach's Impact
GPUBreach builds on GPUHammer by corrupting GPU page tables with RowHammer to achieve privilege escalation, enabling arbitrary read/write access to GPU memory. More alarmingly, the attack has been shown to leak secret cryptographic keys from **NVIDIA cuPQC**, stage model accuracy degradation attacks, and achieve CPU privilege escalation even with IOMMU enabled.
The researchers stated, "The compromised GPU issues DMA (using the aperture bits in PTEs) into a region of CPU memory that the IOMMU permits (the GPU driver's own buffers). By corrupting this trusted driver state, the attack triggers memory-safety bugs in the NVIDIA kernel driver and gains an arbitrary kernel write primitive, which is then used to spawn a root shell."
### GDDRHammer and GeForge: Concurrent Discoveries
The disclosure of GPUBreach coincides with two other independent research efforts, **GDDRHammer** and **GeForge**, which also focus on GPU page-table corruption via GDDR6 RowHammer to achieve GPU-side privilege escalation. Like GPUBreach, both techniques can be used to gain arbitrary read/write access to CPU memory.
GPUBreach distinguishes itself by enabling full CPU privilege escalation, making it a more potent attack. GeForge requires IOMMU to be disabled, while GDDRHammer modifies the GPU page table entry's aperture field to allow the unprivileged CUDA kernel to read and write all of the host CPU's memory.
The researchers behind GDDRHammer and GeForge noted, "One main difference is that GDDRHammer exploits the last level page table (PT) and GeForge exploits the last level page directory (PD0). However, both works are able to achieve the same goal of hijacking the GPU page table translation to gain read/write access to the GPU and host memory."
### Mitigation Strategies
A temporary mitigation is to enable ECC on the GPU. However, RowHammer attacks like **ECCploit** and **ECC.fail** have demonstrated the ability to bypass this countermeasure.
The researchers caution, "However, if attack patterns induce more than two bit flips (shown feasible on DDR4 and DDR5 systems), existing ECC cannot correct these and may even cause silent data corruption; so ECC is not a foolproof mitigation against GPUBreach. On desktop or laptop GPUs, where ECC is currently unavailable, there are no known mitigations to our knowledge."
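
To make the ECC caveat above concrete, the following added example (not code from the researchers or from this article) models a single-error-correcting, double-error-detecting decoder and tallies what it reports for one, two and three bit flips in a codeword. It assumes a toy extended Hamming(8,4) code; the ECC scheme actually used in GPU memory is not described on this page, and all function names are illustrative.

```python
# Toy SECDED model: extended Hamming(8,4). This code choice is an assumption
# made for illustration; it is not the ECC scheme of any particular GPU.
from itertools import combinations

DATA_POS = (3, 5, 6, 7)  # data bits; 1, 2, 4 hold Hamming parity, 0 holds overall parity

def encode(nibble):
    cw = [0] * 8
    for i, pos in enumerate(DATA_POS):
        cw[pos] = (nibble >> i) & 1
    for p in (1, 2, 4):  # each parity bit makes its covered group even
        cw[p] = sum(cw[i] for i in range(1, 8) if i & p) % 2
    cw[0] = sum(cw[1:]) % 2  # overall parity makes the whole word even
    return cw

def decode(cw):
    cw = list(cw)
    syndrome = 0
    for pos in range(1, 8):  # XOR of set positions is 0 for a valid word
        if cw[pos]:
            syndrome ^= pos
    if sum(cw) % 2:  # odd parity: decoder assumes exactly one flipped bit
        cw[syndrome] ^= 1  # syndrome 0 means the overall parity bit itself
        status = "corrected"
    elif syndrome:  # even parity but nonzero syndrome: double error
        status = "uncorrectable"
    else:
        status = "clean"
    return status, sum(cw[pos] << i for i, pos in enumerate(DATA_POS))

def flip(cw, positions):
    out = list(cw)
    for pos in positions:
        out[pos] ^= 1
    return out

def outcomes(nibble, nflips):
    """Tally decoder results over every placement of nflips bit flips."""
    tally = {"recovered": 0, "detected": 0, "silent_corruption": 0}
    for positions in combinations(range(8), nflips):
        status, data = decode(flip(encode(nibble), positions))
        if status == "uncorrectable":
            tally["detected"] += 1
        elif data == nibble:
            tally["recovered"] += 1
        else:  # decoder reported success but returned wrong data
            tally["silent_corruption"] += 1
    return tally

if __name__ == "__main__":
    for n in (1, 2, 3):  # constructed sample value 0b1011
        print(n, "flip(s):", outcomes(0b1011, n))
```

In this model every three-flip pattern is reported as a successful correction while returning wrong data, which is why counters of corrected errors alone cannot rule out corruption.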