Cybersecurity researchers at the University of Toronto have achieved a breakthrough in hardware-level attacks by successfully demonstrating GPUHammer, the first Rowhammer attack specifically targeting discrete NVIDIA GPUs.
The research, which focuses on the popular NVIDIA A6000 GPU with GDDR6 memory, represents a significant expansion of the decade-old Rowhammer vulnerability beyond traditional CPU memories.
The research team, led by Chris S. Lin, Joyce Qu, and Gururaj Saileshwar, overcame substantial technical challenges to achieve what was previously thought impossible.
Their GPUHammer attack successfully induced 8 bit-flips across 4 DRAM banks on the A6000 GPU, demonstrating that Graphics-DDR (GDDR) memories are indeed vulnerable to the same disturbance attacks that have plagued CPU memories for years.
“This is the first systematic Rowhammer campaign on NVIDIA GPUs,” the researchers stated in their paper. The attack required developing novel techniques, including reverse-engineering proprietary GDDR DRAM row mappings and creating GPU-specific memory access optimizations to amplify hammering intensity.
Real-World Impact on AI Systems
The implications extend far beyond academic research. The team demonstrated that these bit-flips can cause devastating accuracy degradation in machine learning models, with drops of up to 80% observed across popular neural networks, including AlexNet, VGG16, ResNet50, DenseNet161, and InceptionV3.
This vulnerability is particularly concerning given that GPUs power the majority of AI inference workloads in both cloud and enterprise environments.
The attack targets the most significant bit of the exponent in FP16-representation weights, exponentially altering parameter values and dramatically reducing model accuracy. In some cases, models with 80% baseline accuracy were reduced to less than 0.5% accuracy with a single strategically placed bit-flip.
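Why the exponent's most significant bit matters so much can be seen from the FP16 encoding itself. The Python sketch below is an added illustration, not code from the GPUHammer paper; the sample weights, inputs and helper names are constructed for the example.

```python
import math
import struct

EXP_MSB = 14  # FP16 layout: bit 15 sign, bits 14-10 exponent, bits 9-0 mantissa

def fp16_bits(x: float) -> int:
    """Encode x as IEEE 754 half precision and return the 16-bit pattern."""
    return struct.unpack("<H", struct.pack("<e", x))[0]

def flip_bit(x: float, bit: int) -> float:
    """Return the FP16 value obtained by inverting one bit of x's encoding."""
    flipped = fp16_bits(x) ^ (1 << bit)
    return struct.unpack("<e", struct.pack("<H", flipped))[0]

def field(bit: int) -> str:
    """Name the FP16 field that a bit position belongs to."""
    return "sign" if bit == 15 else "exponent" if bit >= 10 else "mantissa"

def damage(x: float, bit: int) -> float:
    """Absolute change caused by the flip; inf/NaN results count as infinite."""
    y = flip_bit(x, bit)
    return abs(y - x) if math.isfinite(y) else math.inf

def worst_bit(x: float) -> int:
    """Bit position whose flip changes x the most."""
    return max(range(16), key=lambda b: damage(x, b))

def neuron(weights, inputs):
    """Plain dot product, standing in for one unit of a layer."""
    return sum(w * i for w, i in zip(weights, inputs))

# Constructed sample data: small-magnitude weights, so the exponent MSB is 0.
WEIGHTS = [0.5, -0.25, 0.125]
INPUTS = [1.0, 1.0, 1.0]

if __name__ == "__main__":
    for b in range(15, -1, -1):
        print(f"bit {b:2d} ({field(b):8s}): 0.5 -> {flip_bit(0.5, b)!r}")
    corrupted = [flip_bit(WEIGHTS[0], EXP_MSB)] + WEIGHTS[1:]
    print("clean output    :", neuron(WEIGHTS, INPUTS))
    print("corrupted output:", neuron(corrupted, INPUTS))
    # Edge case: weights in [1, 2) have exponent 01111, so the flip yields inf/NaN.
    print("1.0 with exponent MSB flipped:", flip_bit(1.0, EXP_MSB))
```

Any weight with magnitude below 2 has a zero exponent MSB, so setting that bit multiplies the value by 2^16, which is why one flipped bit can swamp every other term in a layer's output.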
The researchers faced unique obstacles in adapting traditional Rowhammer techniques to GPU architectures. GPUs have approximately 4× higher memory latency compared to CPUs and faster refresh rates, making conventional hammering approaches ineffective.
The team solved this by developing parallelized hammering kernels that leverage GPU throughput capabilities, achieving activation rates close to 500,000 activations per refresh window.
Additionally, the proprietary nature of GPU memory mappings required innovative reverse-engineering approaches. Unlike CPUs where physical addresses are accessible, NVIDIA GPUs keep these mappings private, forcing researchers to develop new methods for identifying vulnerable memory locations.
NVIDIA’s Response and Mitigation
Following responsible disclosure on January 15, 2025, NVIDIA issued a comprehensive security advisory acknowledging the vulnerability. The company emphasized that System-Level ECC effectively mitigates the attack when enabled, though this protection comes with approximately 6.5% memory overhead and 3-10% performance impact.
NVIDIA’s advisory covers multiple GPU generations, including Blackwell, Ada, Hopper, Ampere, Jetson, Turing, and Volta architectures. The company strongly recommends enabling System-Level ECC on professional and data center products, noting that it’s enabled by default on Hopper and Blackwell data center GPUs.
For newer GPU generations, On-Die ECC (OD-ECC) provides additional protection. This technology is automatically enabled on supported devices, including RTX 50 series consumer cards and the latest data center products, offering built-in resistance to Rowhammer attacks.
The research highlights a critical gap in GPU security as these processors become increasingly central to AI and high-performance computing. With NVIDIA commanding approximately 90% of the GPU market share, the vulnerability potentially affects millions of systems worldwide.
The timing is particularly significant as cloud providers increasingly offer GPU time-sharing services, creating multi-tenant environments where malicious actors could potentially target other users’ AI models or sensitive data residing in GPU memory.
While the researchers focused on the A6000 GPU, similar vulnerabilities may exist across other GPU architectures and memory types. The team noted that A100 GPUs with HBM2e memory and RTX 3080 devices showed no bit-flips in their testing, though this may be due to different threshold levels or enhanced mitigations rather than immunity.
The research underscores the importance of hardware-level security considerations in AI system design and the need for robust mitigation strategies as GPU computing continues to expand across critical applications.