Researchers from the University of Toronto have demonstrated that Rowhammer attacks on GPUs can move far beyond simple data corruption. The team, led by Chris S. Lin and several colleagues, has uncovered GPUBreach, a potent attack chain that allows an unprivileged CUDA kernel to achieve a full system root shell.
While previous research into GPU-based Rowhammer (such as GPUHammer) focused on untargeted bit flips that degraded the accuracy of Machine Learning models, GPUBreach represents a “real privilege escalation”. The attack overcomes the massive complexity of GPU memory management to turn hardware instability into surgical administrative control.
The core of the exploit lies in the corruption of GPU page tables, the internal maps that define which parts of memory an application is allowed to access. As the researchers explain, “GPUBreach shows that GPU Rowhammer attacks can move beyond data corruption to real privilege escalation. By corrupting GPU page tables, an unprivileged CUDA kernel can gain arbitrary GPU memory read/write…”.
What makes GPUBreach particularly dangerous compared to contemporary works (like GDDRHammer or GeForge) is its ability to bypass modern CPU-side defenses. While other attacks require the IOMMU (Input-Output Memory Management Unit) to be disabled to access arbitrary CPU memory, GPUBreach takes another path.
By gaining arbitrary GPU memory access first, the attackers can then chain that capability to exploit “newly discovered memory-safety bugs in the NVIDIA driver”. This allows them to bypass the IOMMU entirely, resulting in a system-wide compromise.
The research also sheds a sobering light on the effectiveness of Error Correction Code (ECC) memory, a common defense in workstation and server-grade GPUs. While ECC can correct single-bit flips and detect double-bit flips, it is not a “foolproof mitigation”.
The report notes a critical weakness: “…if attack patterns induce more than two bit flips (shown feasible on DDR4 and DDR5 systems), existing ECC cannot correct these and may even cause silent data corruption; so ECC is not a foolproof mitigation against GPUBreach”.
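The ECC limit quoted above can be seen in a small model. The following is an added example, not code from the researchers or from any GPU vendor: it assumes a textbook SECDED (extended Hamming) code over a single byte, with constructed fault positions, and shows one flip being corrected, two being detected, and three being "corrected" into the wrong data.

```python
# Added example: textbook SECDED (extended Hamming) code over one data byte.
# Assumption: generic 13-bit layout, not the ECC scheme of any particular GPU.
DATA_POS = [p for p in range(1, 13) if p & (p - 1)]  # non-power-of-two slots

def encode(data: int) -> list[int]:
    """8 data bits -> 13-bit codeword; index 0 holds the overall parity bit."""
    word = [0] * 13
    for i, p in enumerate(DATA_POS):
        word[p] = (data >> i) & 1
    for parity in (1, 2, 4, 8):
        word[parity] = sum(word[p] for p in range(1, 13) if p & parity) % 2
    word[0] = sum(word) % 2
    return word

def decode(word: list[int]) -> tuple[str, int]:
    """Return (status, data) as a SECDED decoder would report them."""
    word = list(word)
    syndrome = 0
    for p in range(1, 13):
        if word[p]:
            syndrome ^= p
    odd = sum(word) % 2
    if syndrome == 0 and not odd:
        status = "clean"
    elif odd and syndrome < 13:
        # Odd parity is read as "exactly one flip": fix the bit the syndrome names.
        word[syndrome] ^= 1
        status = "corrected"
    else:
        status = "uncorrectable"  # even parity with nonzero syndrome, or bad index
    data = sum(word[p] << i for i, p in enumerate(DATA_POS))
    return status, data

def flip(word: list[int], *positions: int) -> list[int]:
    """Copy of word with the given bit positions inverted (constructed faults)."""
    out = list(word)
    for p in positions:
        out[p] ^= 1
    return out

if __name__ == "__main__":
    cw = encode(0xA5)
    print(decode(flip(cw, 6)))          # one flip
    print(decode(flip(cw, 3, 5)))       # two flips
    print(decode(flip(cw, 3, 5, 10)))   # three flips
```

In the three-flip case the decoder reports a successful correction while returning different data, which is why corrected-error counters alone do not show this failure.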
For users on desktop or laptop GPUs where ECC is typically unavailable, the researchers warn that there are currently no known mitigations.
The implications for cloud providers and high-performance computing (HPC) environments are significant, as these sectors rely heavily on multi-tenant GPU isolation. If a user can escape their sandbox and gain root access to the host, the entire “trusted” environment collapses.
To help the security community analyze and defend against this new threat, the University of Toronto team plans to release their reproduction package and scripts. According to the report, “The reproduction package and scripts will be available soon on GitHub: sith-lab/gpubreach, after April 13”.