New Rowhammer Attack Puts GDDR6-Powered NVIDIA GPUs at Risk

Rowhammer attacks exploit a weakness in DRAM hardware: repeatedly accessing rows of memory cells causes targeted bit-flips in neighbouring rows, which attackers can use to bypass memory isolation and take control of a device. These attacks were initially focused on CPUs and their associated DDR memory, such as DDR4. However, recent research shows that NVIDIA GPUs are also vulnerable because the GDDR6 memory they use is just as susceptible, and the resulting bit-flips can be turned against the CPU host itself. Two independent research teams have found ways to use this decades-old memory weakness against modern graphics hardware, with consequences that extend beyond the GPU. The “GDDRHammer” and “GeForge” groups have each developed working exploits that use Rowhammer bit-flips in NVIDIA GPUs with GDDR6 memory to gain complete control over the host CPU’s memory. The attack induces bit-flips on some NVIDIA GPU models, ranging from the “Ampere” to the “Ada Lovelace” families of cards.

An attacker who succeeds can read and write anything stored in the machine’s main memory. Both teams have also introduced new Rowhammer techniques designed specifically for the GPU architecture, achieving a significantly higher rate of bit-flips on GDDR6 memory than previous methods. The critical step in both exploit chains is to target the GPU’s memory allocator and use controlled bit-flips to corrupt the GPU’s page tables. Once those page tables are compromised, the attacker gains arbitrary read and write access to CPU memory, dissolving the security boundary between the graphics subsystem and the rest of the machine. The end result is a full system compromise: the attacker can manipulate memory at will and obtain root access without ever passing through privileged software paths. The affected GPUs include the GeForce RTX 3060, which experienced 1,171 bit-flips, and the RTX 6000 “Ada” GPU, which saw 202 bit-flips from the attack.

More GPUs are being tested, and the official website states that 25 NVIDIA GPUs have been tested so far, with only a few showing signs of vulnerability. Two mitigations exist. Enabling the IOMMU in the BIOS closes the primary attack path by restricting which host memory regions the GPU can access. The IOMMU translates device-visible virtual addresses to physical host memory addresses and can fence sensitive memory off from peripheral devices entirely. The other option is to activate Error Correcting Codes (ECC) on the GPU, which NVIDIA exposes through a command-line setting. Enabling ECC, however, reduces the pool of usable GPU memory and adds processing overhead, so it comes with a performance penalty. Notably, no GPU with GDDR6X or GDDR7 memory is vulnerable, as the exploit only works with GDDR6.
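A defender reading the two mitigations above will want to verify them on a fleet rather than trust that a BIOS toggle or a one-off command stuck. The script below is an added example, not code from the article or from either research team. It assumes a Linux host with the NVIDIA driver installed: an active IOMMU populates `/sys/kernel/iommu_groups/` with one directory per group, and `nvidia-smi -q -d ECC` reports the current and pending ECC mode (ECC is switched on with `nvidia-smi -e 1` as root, and a pending-but-not-current state means the GPU has not been reset since). The functions parse that output, so the demo at the bottom runs on a constructed sample with no GPU present; `SAMPLE_ECC_QUERY` and the directory layout used in the demo are constructed test data.

```shell
#!/bin/sh
# Added example: posture check for the two Rowhammer mitigations the article
# names (host IOMMU enabled, GPU ECC enabled). Not code from the article or
# the research teams. Assumes Linux + NVIDIA driver; parsing is exercised on
# constructed sample output so it runs without a GPU.

# Return 0 if the IOMMU-group directory given as $1 contains at least one
# group, i.e. the kernel is actually using the IOMMU the BIOS enabled.
# Live use: iommu_active /sys/kernel/iommu_groups
iommu_active() {
    dir="$1"
    [ -d "$dir" ] || return 1
    for g in "$dir"/*; do
        [ -e "$g" ] && return 0
    done
    return 1
}

# Read 'nvidia-smi -q -d ECC' output on stdin and print
# "current=<enabled|disabled|unknown> pending=<...>".
ecc_state() {
    awk '
        tolower($0) ~ /^ *ecc mode/ { in_mode = 1; next }
        in_mode && $1 == "Current"  { cur = tolower($3) }
        in_mode && $1 == "Pending"  { pend = tolower($3); in_mode = 0 }
        END {
            printf "current=%s pending=%s\n",
                   (cur  ? cur  : "unknown"),
                   (pend ? pend : "unknown")
        }
    '
}

# Combine both checks. $1: IOMMU group dir, $2: file holding the output of
# 'nvidia-smi -q -d ECC'. Returns 0 only when both mitigations are in place.
# Live use:  nvidia-smi -q -d ECC > /tmp/ecc.txt
#            posture_check /sys/kernel/iommu_groups /tmp/ecc.txt
posture_check() {
    ok=0
    if iommu_active "$1"; then
        echo "IOMMU: active (GPU DMA confined to host pages mapped for it)"
    else
        echo "IOMMU: not active - enable VT-d/AMD-Vi in firmware and the kernel"
        ok=1
    fi
    ecc=$(ecc_state < "$2")
    echo "ECC: $ecc"
    case "$ecc" in
        current=enabled*) ;;
        current=disabled\ pending=enabled)
            echo "ECC: enabled but pending - reset the GPU or reboot"; ok=1 ;;
        *)  echo "ECC: run 'nvidia-smi -e 1' as root, then reset the GPU"; ok=1 ;;
    esac
    return $ok
}

# Constructed sample in the shape nvidia-smi uses; ECC was just enabled but
# the GPU has not been reset, so the change is still pending.
SAMPLE_ECC_QUERY='==============NVSMI LOG==============

Attached GPUs                             : 1
GPU 00000000:01:00.0
    ECC Mode
        Current                           : Disabled
        Pending                           : Enabled
'

# Demo on constructed data: one fake IOMMU group, ECC still pending.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/iommu_groups/0"
printf '%s\n' "$SAMPLE_ECC_QUERY" > "$demo_dir/ecc.txt"
if posture_check "$demo_dir/iommu_groups" "$demo_dir/ecc.txt"; then
    echo "both mitigations in place"
else
    echo "mitigation gap found"
fi
rm -rf "$demo_dir"
```

On a real host the IOMMU check catches the common case where VT-d or AMD-Vi is enabled in firmware but the kernel was booted with the IOMMU left off or in passthrough, which leaves the GPU's DMA unrestricted; the ECC check distinguishes "enabled now" from "enabled after the next reset", since only the former actually corrects the flipped bits.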
