Modern computing relies heavily on powerful GPUs, often shared across cloud environments and critical AI infrastructure. Yet, a groundbreaking discovery reveals a severe vulnerability: two new Rowhammer attacks, “GDDRHammer” and “GeForge,” can exploit Nvidia GPUs to achieve complete control over the host machine’s CPU memory. This unprecedented leap from minor GPU data degradation to full system compromise demands immediate attention from users and manufacturers alike. These attacks highlight how even sophisticated hardware can be manipulated, posing significant risks to data integrity and system security.
Rowhammer: A Decade of Evolving Memory Threats
The Rowhammer vulnerability isn’t new; it has evolved significantly since its initial discovery. First identified in 2014, researchers found that rapid, repeated access—or “hammering”—to specific rows in DRAM (Dynamic Random-Access Memory) could cause electrical interference. This interference forces adjacent memory bits to “flip,” changing a 0 to a 1 or vice versa. By 2015, attackers demonstrated how to exploit these bit flips for privilege escalation, achieving root access or bypassing security sandboxes on DDR3 DRAM.
Over the past decade, Rowhammer attacks have become increasingly sophisticated. They now target a broader range of DRAM types, including DDR3 with Error Correcting Code (ECC) and DDR4 with Target Row Refresh (TRR) protections, previously thought to be immune. New techniques like “Rowhammer feng shui” and “RowPress” precisely target tiny, sensitive memory regions. These advancements have enabled attacks to function over local networks, root Android devices, and even steal 2048-bit encryption keys. The “Securing DRAM Against Evolving Rowhammer Threats” research emphasizes that reduced cell spacing in modern DRAM, due to process node advancements, has made memory chips even more susceptible, lowering the “hammer count” required for a successful attack. Despite previous work against GDDR DRAM on Nvidia GPUs showing susceptibility, results were limited to a handful of bit flips, only degrading neural network output.
GPU-to-CPU PWNAGE: A Game-Changer in Attack Severity
The landscape of Rowhammer threats dramatically shifted recently. Two independent research teams demonstrated attacks against Nvidia’s Ampere generation GPUs (RTX 6000 and RTX 3060) that push Rowhammer into a far more dangerous territory. These new exploits achieve GDDR bit flips that grant attackers full control over the CPU’s memory, leading to a complete system compromise. A critical precondition for these attacks is that the Input-Output Memory Management Unit (IOMMU) must be disabled. This is often the default setting in BIOS for enhanced compatibility and performance, inadvertently leaving systems exposed.
Andrew Kwong, co-author of the “GDDRHammer” paper, confirmed, “Our work shows that Rowhammer, which is well-studied on CPUs, is a serious threat on GPUs as well.” He stressed that current CPU-focused Rowhammer mitigations are “insufficient” because attackers can bypass them by instead targeting GPU memory to compromise the CPU. This revelation fundamentally changes how we must approach Rowhammer defenses, requiring a holistic view that encompasses both CPU and GPU memory. Nvidia themselves have acknowledged the threat, issuing advisories urging customers to implement mitigations against Rowhammer attacks on their GPUs.
GDDRHammer: Exploiting Ampere’s Memory Allocator
One of the groundbreaking attacks, GDDRHammer, targets Nvidia’s RTX 6000 from the Ampere generation. It employs novel hammering patterns and a technique called “memory massaging.” This approach drastically amplified the attack’s effectiveness, inducing an average of 129 bit flips per memory bank. This represents a staggering 64-fold increase compared to previous GPUHammer attempts.
More critically, GDDRHammer’s innovation lies in its ability to manipulate the memory allocator. This breaks the isolation of GPU page tables – crucial data structures that map virtual addresses to physical DRAM locations – and user data stored on the GPU. By gaining this manipulation capability, the attacker acquires arbitrary read and write access to the GPU’s memory. From there, the attack extends to the host CPU’s memory, enabling a full system compromise. The researchers did note that this specific attack doesn’t affect RTX 6000 models from the newer Ada generation, as they utilize a different GDDR variant the team didn’t reverse-engineer.
GeForge: Forging Page Tables for Privilege Escalation
The second independent research, detailed in the paper “GeForge: Hammering GDDR Memory to Forge GPU Page Tables for Fun and Profit,” achieves similar, equally severe outcomes. While GDDRHammer exploits the last-level page table, GeForge manipulates the last-level page directory. This slightly different approach yielded even higher bit flip counts: 1,171 against the RTX 3060 and 202 against the RTX 6000.
Like GDDRHammer, GeForge uses novel hammering patterns and memory massaging to corrupt GPU page table mappings in GDDR6 memory. This grants it read and write access to the GPU memory space. Subsequently, it can acquire the same privileges over the host CPU memory. The GeForge proof-of-concept exploit against the RTX 3060 successfully demonstrated its power by opening a root shell window. This allowed the attacker to issue commands with unfettered privileges on the host machine, proving user-to-root escalation. Zhenkai Zhang, co-author of the GeForge paper, highlighted that this represents the “first GPU-side Rowhammer exploit that achieves host privilege escalation.”
Memory Massaging: A Clever Workaround
Both GDDRHammer and GeForge rely on a sophisticated technique called “memory massaging” to bypass existing protections. Nvidia’s GPU driver typically stores page tables in a reserved, low-level memory region designed to be immune to Rowhammer attacks. Memory massaging cleverly circumvents this by “steering” these critical tables into unprotected memory areas.
For GDDRHammer, this massaging involves flipping bits that control access to the protected region. As Kwong explains, by modifying page table entries, “the attacker can give himself arbitrary access to all of the GPU’s memory.” More alarmingly, attackers can “modify the page table on the GPU to point to memory on the CPU, thereby giving the attacker the ability to read/write all of the CPU’s memory as well.” GeForge’s method is equally intricate: it isolates a 2MB page frame and uses sparse Unified Virtual Memory (UVM) accesses to drain the driver’s default low-memory allocation pool. By freeing the isolated frame at the precise moment, it becomes the new allocation region for the driver’s page tables. This allows a vulnerable page directory entry to be targeted, and a bit flip redirects its pointer to attacker-controlled memory, loaded with forged page tables.
Broader Implications and Related Threats
The discovery of GDDRHammer and GeForge underscores a growing trend of hardware-level vulnerabilities impacting complex computing systems. This extends beyond individual machines to critical infrastructure. For instance, the “Nvidia Patches Critical Triton Server Bugs” article detailed how critical vulnerabilities in Nvidia’s open-source Triton Inference Server, an AI inference platform, could allow remote code execution, highlighting the increasing importance of securing AI model-serving environments. Similarly, the “PerfektBlue Bluetooth Attacks” showcased how even automotive systems can be compromised through their entertainment systems via Bluetooth vulnerabilities, leading to potential vehicle tracking or engine control.
While concerning, it’s worth noting the distinction with earlier Rowhammer variants like the “RAMpage exploit on Android.” Although theoretically affecting millions of Android devices since 2012, the practical risk to users remains low due to the extreme difficulty of inducing a specific bit flip for targeted outcomes, combined with Android’s memory randomization protections. Nonetheless, these diverse examples emphasize the need for robust, multi-layered security across all silicon-based systems.
Safeguarding Your Systems: Immediate Mitigations
Nvidia has responded to these Rowhammer threats by referring users to existing guidance. The research teams, however, recommend two primary mitigations for the confirmed vulnerable RTX 3060 and RTX 6000 Ampere generation cards:
Enable IOMMU (Input-Output Memory Management Unit): Enabling IOMMU restricts the GPU from accessing sensitive memory locations on the host CPU. This acts as a crucial barrier. However, IOMMU is often disabled by default in BIOS to maximize compatibility and comes with a performance penalty due to address translation overhead. For specific instructions on enabling IOMMU, consult your motherboard or system manufacturer’s documentation.
Enable ECC (Error Correcting Codes) on the GPU: Nvidia allows ECC to be enabled via a command line. ECC can detect and correct single-bit errors, making random bit flips less impactful. Like IOMMU, enabling ECC incurs some performance overhead as it reduces the overall amount of available workable memory. Moreover, the “Securing DRAM Against Evolving Rowhammer Threats” article cautions that some advanced Rowhammer attacks can potentially overcome ECC mitigations. Nvidia has clarified that ECC is enabled by default in its Hopper and Blackwell Data Center products, and is available in many other products including Ampere.
It’s crucial to remember that currently, only the RTX 3060 and RTX 6000 cards from the Ampere generation (introduced in 2020) are explicitly known to be vulnerable to these specific attacks. While newer generations of GPUs might be susceptible, academic research often lags behind product rollouts. Top-tier cloud platforms typically provide security levels that exceed those found on default consumer machines. Importantly, there are no known instances of Rowhammer attacks, including these new GPU variants, being actively used “in the wild.”
Beyond these specific mitigations, a comprehensive, multi-layered security approach is essential. Experts advocate for encryption and obfuscation of data, robust data isolation and access controls, and leveraging advanced architectural defenses like Arm’s Memory Tagging Extension (MTE) and Confidential Compute Architecture (CCA). Technologies like Rambus’ RAMPART for server memory systems also demonstrate promising solutions for containing bit flips. Users should prioritize keeping all drivers and system firmware updated and exercising caution when installing applications, particularly from untrusted sources.
Frequently Asked Questions
What are GDDRHammer and GeForge, and how do they compromise Nvidia GPUs?
GDDRHammer and GeForge are two new Rowhammer attacks targeting Nvidia’s Ampere generation GPUs (RTX 6000 and RTX 3060). They exploit memory hardware’s susceptibility to “bit flips” (0s switching to 1s and vice versa) by repeatedly “hammering” GDDR memory. Their innovation lies in using “memory massaging” to steer critical page tables into unprotected memory regions. This allows them to manipulate GPU page tables, gain read/write access to GPU memory, and then extend that access to the host CPU’s memory, leading to a full system compromise and root-level control.
Which Nvidia GPUs are currently known to be vulnerable to these new Rowhammer attacks, and what are the immediate steps users can take?
Currently, only the RTX 3060 and RTX 6000 cards from Nvidia’s Ampere generation (introduced in 2020) are confirmed vulnerable to GDDRHammer and GeForge. Immediate steps include enabling IOMMU (Input-Output Memory Management Unit) in your BIOS settings, which restricts GPU access to sensitive host memory. Additionally, you can enable Error Correcting Codes (ECC) on your GPU using Nvidia’s command-line tools. Both mitigations may incur a slight performance penalty but significantly enhance security.
Should I be concerned about Rowhammer if my Nvidia GPU is not an Ampere generation card, and what broader security advice applies?
While GDDRHammer and GeForge specifically target Ampere generation cards, the underlying Rowhammer vulnerability is a widespread hardware issue. Though there are no known “in the wild” exploits, the research indicates the potential for future attacks on other GPU generations. Users should prioritize a multi-layered security strategy: keep drivers and system firmware updated, only install software from trusted sources, and stay informed about the latest cybersecurity advisories. The primary concern is protecting against escalating hardware vulnerabilities that could bypass software-level protections.
Conclusion
The emergence of GDDRHammer and GeForge marks a critical juncture in hardware security. These sophisticated Rowhammer attacks demonstrate that high-performance Nvidia GPUs are not only susceptible to memory manipulation but can be exploited to gain complete control over entire host systems. This escalation necessitates a paradigm shift in how we approach cybersecurity, demanding robust, multi-level defenses that consider both CPU and GPU memory. While immediate mitigations like enabling IOMMU and ECC are crucial for affected Ampere card users, the broader message is clear: continuous vigilance, system updates, and a proactive security posture are more vital than ever in safeguarding our increasingly complex digital infrastructure.
References
- arstechnica.com
- <a href="https://www.theregister.com/2025/07/13/infosecinbrief/”>www.theregister.com
- www.csoonline.com
- semiengineering.com
- www.androidcentral.com
