GPU Memory Exploits

The GDDRHammer and GeForge teams independently developed exploits that utilize Rowhammer bit flips on Graphics Processing Units (GPUs) to enable a full takeover of Central Processing Unit (CPU) memory from an unprivileged GPU kernel, enabling an attacker to read and write all of the CPU's memory. In addition, we developed novel Rowhammer techniques for GPUs that result in a dramatic increase in the number of bit flips found on GDDR6 memory.

These attacks rely upon the Rowhammer bug, which is a vulnerability in memory hardware that can enable attackers to induce bit flips in memory they do not have access to. Our work demonstrates that these bit flips are widespread in GPU memory and that they pose a severe threat. By conducting an attack against the GPU's memory allocator that allows us to flip bits in the GPU's page tables, we show how an attacker can gain arbitrary read/write access to the CPU's memory. This results in a complete compromise of the machine, allowing the attacker to modify memory at will and open a root shell to take over the machine.

Both of these papers will be presented at the 47th IEEE Symposium on Security and Privacy in May, 2026.

GDDRHammer:

Greatly Disturbing DRAM Rows -- Cross-Component Rowhammer Attacks from Modern GPUs

In this work, we provide a Rowhammer characterization of 25 GDDR6 GPUs, including Ampere and Ada 6000 GPUs. We develop new techniques for bypassing in-device Rowhammer mitigations to conduct double-sided hammering utilizing the GPU's parallelism, producing on average ~64x more flips than previously found.
We also discover an exploit in the default memory allocator (i.e., cudaMalloc) that breaks the isolation of page tables and user data on the GPU. We then use a bit flip to overwrite a GPU page table entry, allowing a user to leverage the GPU to gain read/write access to all of CPU memory.

Our Team
UNC Chapel Hill
Georgia Institute of Technology
Mohamed bin Zayed University of Artificial Intelligence
Read the Paper Code Cite
GeForge Logo

GeForge:

Hammering GDDR Memory to Forge GPU Page Tables for Fun and Profit

By corrupting GPU page table translations via GDDR6 bit flips, GeForge enables arbitrary read/write access to the GPU memory space and even the host memory when the IOMMU is disabled. Building on this capability, GeForge allows an unprivileged user to obtain a root shell.
To realize GeForge, we propose several key techniques: a memory-massaging strategy that steers GPU page tables toward vulnerable bits, a non-uniform Rowhammer pattern that found more bit flips, and a page-anchoring technique that locates GPU physical addresses at runtime.

Our Team
Purdue
Clemson
ru
UWA
hydroxai
Read the Paper Code Cite

Exploit Demo

Both GDDRHammer and GeForge can gain arbitrary read/write access to CPU Memory. Here is an exploit demo of Geforge using this to open a root shell.

Frequently Asked Questions

Hide/Show All

Just like how computers use some amount of DRAM for their physical memory, GPUs also use DRAM for their own physical memory. The form factor is different, however, thus the prefix GDDR. GDDR6 is a specification for this memory type, and is the main type of GDRR in GPUs released in the last few years. We believe any system employing modern GPU with GDDR6 memory may be susceptible to this attack.

Rowhammer is a DRAM reliability error where repeated accesses to a DRAM row can cause bits to flip in neighboring rows. Rowhammer can be used to violate many security policies employed in a system. To combat this, DRAM manufacturers all implement hardware level mitigations in their memory. Conducting a successful Rowhammer attack requires the attacker to reverse engineer these proprietary mitigations.

Because the illegal privileges are granted on the GPU side and the attack occurs at the hardware level, it is unlikely that an antivirus would catch this attack.

One temporary solution is to enable Error Correcting Codes (ECC) on your GPU. NVIDIA allows this to be done via the command line. However, ECC reduces the overall amount of workable memory and incurs some overhead. Additionally, Rowhammer attacks have been able to overcome ECC mitigations, as shown in attacks like ECCploit and ECC.fail.

One main difference is that GDDRHammer exploits the last level page table (PT) and GeForge exploits the last level page directory (PD0). However, both works are able to achieve the same goal of hijacking the GPU page table translation to gain read/write access to the GPU and host memory.

Currently, no. A100 (HBM2) and H100 (HBM3) feature on-die ECC, which likely masks single-bit flips. However, future Rowhammer patterns causing multi-bit flips may bypass such ECC, as shown in attacks like ECCploit and ECC.fail.

Yes. Some concurrent related work was also conducted independently in GPUBreach.

Miscellaneous

Yes, with rights waived via CC0. You can download the logo here:
GDDR PNG, GDDR SVG, GeForge,GeForge SVG

Acknowledgments

GDDRHammer was supported by the Air Force Office of Scientific Research (AFOSR) under award number FA9550-24-1-0079; the Alfred P. Sloan Research Fellowship; and gifts from Qualcomm and Zama. GeForge was supported in part by the National Science Foundation under grants CNS-2443671, OAC-2530649, and CNS-2145744.