A new GPU-based Rowhammer attack capable of escalating privileges to a full system compromise has been demonstrated by researchers at the University of Toronto.
The technique, called GPUBreach by researchers at the University of Toronto, shows how memory corruption on modern graphics hardware can be leveraged to gain root-level access across both GPU and CPU environments.
The research, set to be presented at the 47th IEEE Symposium on Security & Privacy in 2026, builds on earlier work that identified bit flips in GPU memory but did not achieve targeted control or escalation.
Exploiting GPU Memory For Privilege Escalation
A technical blog post published by the researchers explained that GPUBreach focuses on corrupting GPU page tables, which are responsible for managing memory access on the device.
By using Rowhammer-induced bit flips in GDDR6 memory, the researchers demonstrated that an unprivileged CUDA kernel can gain arbitrary read and write access to GPU memory.
This access enables further exploitation. By targeting memory-safety vulnerabilities in the NVIDIA driver, the attack can extend beyond the GPU and compromise CPU memory.
The end result is full system control, including the ability to spawn a root shell, even when widely recommended protections such as the input-output memory management unit (IOMMU) remain enabled.
Read more on GPU security: CoffeeLoader Malware Loader Linked to SmokeLoader Operations
Impact and Security Implications
The study outlines several consequences of the attack across different workloads:
-
Arbitrary GPU memory access, including cross-process data exposure
-
Leakage of cryptographic keys during GPU-based operations
-
Manipulation of machine learning processes, reducing accuracy from 80% to 0%
-
Escalation to CPU-level privileges, resulting in full system compromise
The researchers also showed that sensitive data stored in GPU memory, including large language model (LLM) weights, could be extracted under certain conditions.
The findings challenge existing assumptions around GPU security. While mechanisms such as error-correcting code memory can mitigate some forms of bit corruption, they are not foolproof. In cases involving multiple bit flips, errors may go undetected, leaving systems exposed.
As GPUs continue to play a central role in high-performance computing, artificial intelligence and cryptographic operations, the research suggests that current defensive measures may require significant reassessment.