For nearly a decade, Rowhammer has haunted DRAM technology, and now it has entered a new field: GPU memory. In a recent security note, NVIDIA confirmed that a proof-of-concept Rowhammer-style attack—dubbed GPUHammer—successfully induced bit flips in GDDR6 memory on an NVIDIA A6000 GPU, marking a pivotal moment in hardware security.
According to the researcher from University of Toronto, “GPUHammer is the first attack to show Rowhammer bit flips on GPU memories, specifically on a GDDR6 memory in an NVIDIA A6000 GPU.”
Originally discovered in 2014, Rowhammer exploits the electrical interference caused by rapidly accessing DRAM rows, allowing attackers to flip bits in adjacent memory. While traditional attacks targeted DDR3 and DDR4 in CPUs, the new research extends the threat to graphics memory—specifically GDDR6, the powerhouse behind modern AI and ML workloads.
“Our attacks induce bit flips across all tested DRAM banks… using user-level CUDA code,” notes the research, highlighting a serious concern for multi-tenant GPU environments, such as public cloud services.
The GPUHammer attack goes far beyond proof-of-concept. In one test, researchers degraded the accuracy of a victim’s deep neural network (DNN) model from 80% to 0.1%—with just a single bit flip.
An unprivileged GPU user could potentially sabotage another user’s machine learning models without direct access.
Historically, Rowhammer-style attacks were thought to be impractical on GPUs for three key reasons:
- Higher latency and faster refresh in GDDR6 makes hammering harder.
- Undocumented address mappings obscure how memory rows are laid out.
- Opaque, in-DRAM mitigations are built into GPU memory.
Despite these obstacles, “GPUHammer overcomes these barriers and launches successful attacks on GDDR6,” the researcher confirmed in its advisory.
There’s a way to reduce the risk—System-Level Error Correction Codes (SYS-ECC). The bad news? It’s not without performance cost.
The researcher cautions: “Enabling Error Correction Codes (ECC) can mitigate this risk, but ECC can introduce up to a 10% slowdown for ML inference workloads on an A6000 GPU.”
In environments where data integrity trumps performance, enabling ECC is essential. For users of enterprise-grade NVIDIA hardware—including the Hopper, Ada, Ampere, Volta, and Blackwell lines—ECC is supported, and in some products, enabled by default.
To mitigate risk, NVIDIA urges customers to:
- Enable SYS-ECC, especially in multi-tenant or cloud environments.
- Use professional or Data Center-class GPUs, not consumer-grade cards.
- Be mindful of multi-tenant GPU scenarios, as Rowhammer attacks require shared GPU access.
- Leverage On-Die ECC (OD-ECC) features available in newer DRAM generations (e.g., GDDR7, HBM3), which are supported on Blackwell and Hopper platforms.
“NVIDIA GPU and SoC products include memory controllers designed to meet current industry standards… Risk of successful exploitation varies based on DRAM device, platform, design, and system settings,” the note adds.
Related Posts:
- SUDO Affected by Stack/Register Flaw, OpenSSH, OpenSSL, and MySQL are Vulnerable
- New Rowhammer GPU attack can hijack your Android phone remotely
- Google Formally Integrates Kubernetes Engine and GPU Services
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.