
“GPUBreach” is a Rowhammer Attack for GDDR6-Based NVIDIA GPUs That Bypasses IOMMU


Late last week, we reported on a new series of Rowhammer bit-flip attacks targeting GDDR6-based NVIDIA GPUs. Most of those attacks can be mitigated by enabling the IOMMU in the BIOS, which restricts the host memory regions the GPU can access and thereby closes the primary attack path. However, researchers from the University of Toronto have introduced “GPUBreach,” which bypasses the IOMMU and enables CPU-side privilege escalation, unlike the earlier “GDDRHammer” and “GeForge” attacks. In most typical server, workstation, and even PC configurations, the IOMMU restricts the GPU’s access to the CPU’s physical address space, preventing arbitrary direct memory access; those are the DMA-based attacks that the Input-Output Memory Management Unit protects users from. “GPUBreach,” however, operates differently.

“GPUBreach” instead targets memory-safety bugs in the GPU driver itself. When the IOMMU confines the GPU’s direct memory access to driver-assigned buffers, the exploit uses bit flips to corrupt metadata within those permitted buffers. The driver, which runs with kernel privileges on the CPU host, trusts that metadata and is induced to perform out-of-bounds writes beyond the buffer, effectively bypassing any protection the IOMMU can offer. That trust is built into the kernel by default, since the GPU driver is one of the most trusted components of the operating system, which is why corrupted metadata alone is enough to bypass the IOMMU. Because “GPUBreach” grants an attacker full root privilege escalation, the attack differs significantly from previous Rowhammer attacks.
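The driver-side failure the article describes, a kernel driver trusting metadata that the GPU can write into a permitted buffer, as an added example that is not the researchers’ code or NVIDIA’s driver: a hypothetical descriptor-processing routine in its vulnerable form beside a hardened form that snapshots and bounds-checks the descriptor before copying. The structure layouts, names and sample data are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical descriptor the device writes into a driver-assigned DMA
 * buffer. Constructed for this example; not any real GPU driver's format. */
struct dma_desc {
    uint32_t offset;   /* destination offset for the chunk */
    uint32_t length;   /* chunk length in bytes */
};

#define PAYLOAD_SIZE 64u

struct shared_buf {               /* everything here is device-writable */
    volatile struct dma_desc desc;
    uint8_t payload[PAYLOAD_SIZE];
};

struct kernel_ctx {               /* kernel-owned; must never be overrun */
    uint8_t dst[PAYLOAD_SIZE];
};

/* Vulnerable pattern: offset and length are used straight from the shared
 * buffer. One flipped bit in desc.length turns the memcpy into an
 * out-of-bounds kernel write. Shown for contrast only; never called here. */
void copy_chunk_unchecked(struct kernel_ctx *ctx, struct shared_buf *sb) {
    memcpy(ctx->dst + sb->desc.offset, sb->payload, sb->desc.length);
}

/* Hardened pattern: snapshot the metadata once (so the device cannot change
 * it between check and use), then bounds-check the snapshot before copying.
 * Returns 0 on success, -1 if the descriptor is inconsistent. */
int copy_chunk_checked(struct kernel_ctx *ctx, struct shared_buf *sb) {
    struct dma_desc d = { sb->desc.offset, sb->desc.length };  /* snapshot */
    if (d.length > PAYLOAD_SIZE || d.offset > PAYLOAD_SIZE - d.length)
        return -1;   /* rejects wrapped sums as well as plain overruns */
    memcpy(ctx->dst + d.offset, sb->payload, d.length);
    return 0;
}

/* Drives one descriptor through the hardened path; returns 0 if accepted,
 * -1 if rejected, and copies the kernel buffer to out for inspection.
 * flip_bit >= 0 simulates a Rowhammer-style single-bit flip in desc.length. */
int run_descriptor(uint32_t offset, uint32_t length, int flip_bit, uint8_t out[PAYLOAD_SIZE]) {
    struct shared_buf sb;
    struct kernel_ctx ctx;
    memset(&sb, 0, sizeof sb);
    memset(&ctx, 0, sizeof ctx);
    for (unsigned i = 0; i < PAYLOAD_SIZE; i++) sb.payload[i] = (uint8_t)i;  /* constructed data */
    sb.desc.offset = offset;
    sb.desc.length = (flip_bit >= 0) ? (length ^ (1u << flip_bit)) : length;
    int rc = copy_chunk_checked(&ctx, &sb);
    memcpy(out, ctx.dst, PAYLOAD_SIZE);
    return rc;
}
```

The point to carry over is that anything the device can write is untrusted input, and the validation must run on a local copy rather than on the shared buffer.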

Researchers at the University of Toronto disclosed the attack to NVIDIA in November 2025, as well as to hyperscalers including Google, AWS, and Microsoft. Newer NVIDIA GPUs are equipped with GDDR7 and HBM3/HBM4 memory, which are not susceptible to this attack; older GPUs with GDDR6 remain vulnerable, and NVIDIA may soon update its security disclosure. ECC memory mitigates some of the GDDR6 bit flips, but it is not immune. DRAM generations beginning with DDR4, DDR5, LPDDR5, HBM3, and GDDR7 implement On-Die ECC (OD-ECC), which indirectly provides protection against Rowhammer bit flips.
