For nearly a decade, Rowhammer has haunted DRAM technology, and now it has entered a new field: GPU memory. In a recent security note, NVIDIA confirmed that a proof-of-concept Rowhammer-style attack, dubbed GPUHammer, successfully induced bit flips in GDDR6 memory on an NVIDIA A6000 GPU, marking a pivotal moment in hardware security.
According to the researcher from the University of Toronto, "GPUHammer is the first attack to show Rowhammer bit flips on GPU memories, specifically on a GDDR6 memory in an NVIDIA A6000 GPU."
Originally discovered in 2014, Rowhammer exploits the electrical interference caused by rapidly accessing DRAM rows, allowing attackers to flip bits in adjacent memory. While traditional attacks targeted DDR3 and DDR4 in CPUs, the new research extends the threat to graphics memory, specifically GDDR6, the powerhouse behind modern AI and ML workloads.
"Our attacks induce bit flips across all tested DRAM banks… using user-level CUDA code," notes the research, highlighting a serious concern for multi-tenant GPU environments, such as public cloud services.
The GPUHammer attack goes far beyond proof-of-concept. In one test, researchers degraded the accuracy of a victim's deep neural network (DNN) model from 80% to 0.1% with just a single bit flip.
An unprivileged GPU user could potentially sabotage another user's machine learning models without direct access.
Historically, Rowhammer-style attacks were thought to be impractical on GPUs for three key reasons:
- Higher latency and faster refresh in GDDR6 make hammering harder.
- Undocumented address mappings obscure how memory rows are laid out.
- Opaque, in-DRAM mitigations are built into GPU memory.
Despite these obstacles, "GPUHammer overcomes these barriers and launches successful attacks on GDDR6," the researcher confirmed in its advisory.
There's a way to reduce the risk: System-Level Error Correction Codes (SYS-ECC). The bad news? It's not without performance cost.
The researcher cautions: "Enabling Error Correction Codes (ECC) can mitigate this risk, but ECC can introduce up to a 10% slowdown for ML inference workloads on an A6000 GPU."
In environments where data integrity trumps performance, enabling ECC is essential. For users of enterprise-grade NVIDIA hardware, including the Hopper, Ada, Ampere, Volta, and Blackwell lines, ECC is supported, and in some products, enabled by default.
To mitigate risk, NVIDIA urges customers to:
- Enable SYS-ECC, especially in multi-tenant or cloud environments.
- Use professional or Data Center-class GPUs, not consumer-grade cards.
- Be mindful of multi-tenant GPU scenarios, as Rowhammer attacks require shared GPU access.
- Leverage On-Die ECC (OD-ECC) features available in newer DRAM generations (e.g., GDDR7, HBM3), which are supported on Blackwell and Hopper platforms.
"NVIDIA GPU and SoC products include memory controllers designed to meet current industry standards… Risk of successful exploitation varies based on DRAM device, platform, design, and system settings," the note adds.
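The first recommendation, enabling SYS-ECC, can be verified per GPU. The script below is an added example, not code from NVIDIA's note or the research: it classifies the state reported by nvidia-smi's `ecc.mode.current` and `ecc.mode.pending` query fields. The status labels are this example's own, and the sample rows are constructed and used only when `nvidia-smi` is not installed.

```shell
#!/bin/sh
# Added example (not NVIDIA's or the researchers' code): classify each GPU's
# SYS-ECC state from `nvidia-smi --query-gpu=... --format=csv,noheader` rows.

# Constructed sample rows: index, name, ecc.mode.current, ecc.mode.pending
SAMPLE='0, NVIDIA RTX A6000, Disabled, Disabled
1, NVIDIA RTX A6000, Disabled, Enabled
2, NVIDIA RTX A6000, Enabled, Enabled
3, NVIDIA RTX A6000, Enabled, Disabled
4, Example consumer GPU, [N/A], [N/A]'

# Reads CSV rows on stdin; prints "<index>\t<status>\t<name>" per GPU.
classify_ecc() {
    awk -F',' '
    function trim(s) { gsub(/^[ \t]+|[ \t\r]+$/, "", s); return s }
    NF >= 4 {
        idx = trim($1); name = trim($2); cur = trim($3); pend = trim($4)
        if (cur != "Enabled" && cur != "Disabled") st = "UNSUPPORTED"  # no ECC mode reported
        else if (cur == "Enabled" && pend == "Enabled") st = "OK"
        else if (cur == "Disabled" && pend == "Enabled") st = "REBOOT_PENDING"  # requested, not active
        else if (cur == "Enabled") st = "DISABLE_PENDING"  # protection ends at next reboot
        else st = "ECC_OFF"
        printf "%s\t%s\t%s\n", idx, st, name
    }'
}

# Prints the number of GPUs whose ECC protection is not fully in effect.
exposed_count() {
    classify_ecc | awk -F'\t' '$2 != "OK" { n++ } END { print n + 0 }'
}

# Live rows when nvidia-smi is present, otherwise the constructed sample.
ecc_rows() {
    if command -v nvidia-smi >/dev/null 2>&1; then
        nvidia-smi --query-gpu=index,name,ecc.mode.current,ecc.mode.pending \
                   --format=csv,noheader
    else
        printf '%s\n' "$SAMPLE"
    fi
}

ecc_rows | classify_ecc
```

`nvidia-smi -e 1` sets the pending ECC mode to enabled and the change takes effect after the next reboot, which is why a pending-only state is reported separately from `OK`.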