Cybersecurity researchers at the University of Toronto have achieved a breakthrough in hardware-level attacks by successfully demonstrating GPUHammer, the first Rowhammer attack specifically targeting discrete NVIDIA GPUs. The research, which focuses on the popular NVIDIA A6000 GPU with GDDR6 memory, represents a significant expansion of the decade-old Rowhammer vulnerability beyond traditional CPU memories.

The attack required developing novel techniques, including reverse-engineering proprietary GDDR DRAM row mappings and creating GPU-specific memory access optimizations to amplify hammering intensity. Unlike CPUs, where physical addresses are accessible, NVIDIA GPUs keep these mappings private, forcing researchers to develop new methods for identifying vulnerable memory locations.

Their GPUHammer attack successfully induced 8 bit-flips across 4 DRAM banks on the A6000 GPU, demonstrating that Graphics-DDR (GDDR) memories are indeed vulnerable to the same disturbance attacks that have plagued CPU memories for years. The team demonstrated that these bit-flips can cause devastating accuracy degradation in machine learning models, with drops of up to 80% observed across popular neural networks, including AlexNet, VGG16, ResNet50, DenseNet161, and InceptionV3.

The timing is particularly significant as cloud providers increasingly offer GPU time-sharing services, creating multi-tenant environments where malicious actors could potentially target other users’ AI models or sensitive data residing in GPU memory.

This technology is automatically enabled on supported devices, including RTX 50 series consumer cards and the latest data center products, offering built-in resistance to Rowhammer attacks. The team noted that A100 GPUs with HBM2e memory and RTX 3080 devices showed no bit-flips in their testing, though this may be due to different threshold levels or enhanced mitigations rather than immunity.
GPUs have approximately 4× higher memory latency compared to CPUs and faster refresh rates, making conventional hammering approaches ineffective. “This is the first systematic Rowhammer campaign on NVIDIA GPUs,” the researchers stated in their paper.

Following responsible disclosure on January 15, 2025, NVIDIA issued a comprehensive security advisory acknowledging the vulnerability. The company emphasized that System-Level ECC effectively mitigates the attack when enabled, though this protection comes with approximately 6.5% memory overhead and 3-10% performance impact. The company strongly recommends enabling System-Level ECC on professional and data center products, noting that it’s enabled by default on Hopper and Blackwell data center GPUs.

The research underscores the importance of hardware-level security considerations in AI system design and the need for robust mitigation strategies as GPU computing continues to expand across critical applications. While the researchers focused on the A6000 GPU, similar vulnerabilities may exist across other GPU architectures and memory types.
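A check for the System-Level ECC recommendation above, as an added example that is not from the article, the researchers' paper or NVIDIA's advisory: it classifies each GPU from the output of an `nvidia-smi` ECC mode query. The function names, verdict labels and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit System-Level ECC state per GPU.
# Expects lines in the CSV form printed by
#   nvidia-smi --query-gpu=index,name,ecc.mode.current,ecc.mode.pending \
#              --format=csv,noheader

# classify_ecc CURRENT PENDING: print one verdict for a GPU.
classify_ecc() {
  case "$1/$2" in
    Enabled/Enabled)  echo OK ;;
    Enabled/Disabled) echo WILL_DISABLE ;;   # ECC turns off at next reset
    Disabled/Enabled) echo PENDING_RESET ;;  # not active until GPU reset/reboot
    Disabled/*)       echo EXPOSED ;;        # no ECC protection in effect
    *)                echo UNSUPPORTED ;;    # "[N/A]": GPU reports no ECC mode
  esac
}

# audit_ecc: read CSV lines on stdin, print a verdict per GPU, and return
# non-zero if any ECC-capable GPU is not running with ECC enabled.
audit_ecc() {
  bad=0
  while IFS=',' read -r idx name cur pend; do
    [ -n "$idx" ] || continue
    # Strip the space nvidia-smi places after each comma.
    name="${name# }"; cur="${cur# }"; pend="${pend# }"
    verdict="$(classify_ecc "$cur" "$pend")"
    printf 'GPU %s (%s): %s\n' "$idx" "$name" "$verdict"
    case "$verdict" in
      OK|UNSUPPORTED) ;;
      *) bad=$((bad + 1)) ;;
    esac
  done
  [ "$bad" -eq 0 ]
}

# Constructed sample input (not captured from a real host).
SAMPLE='0, NVIDIA RTX A6000, Disabled, Disabled
1, NVIDIA RTX A6000, Disabled, Enabled
2, NVIDIA RTX A6000, Enabled, Enabled
3, NVIDIA GeForce RTX 3080, [N/A], [N/A]'

printf '%s\n' "$SAMPLE" | audit_ecc || echo "ECC not in effect on some GPUs"
# On a real host: pipe the nvidia-smi query above into audit_ecc.
# To enable ECC (root, takes effect after GPU reset/reboot): nvidia-smi -e 1
```

GPUs reported as UNSUPPORTED do not fail the audit; whether such devices belong in a shared or multi-tenant pool is a separate policy decision.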
This Cyber News was published on cybersecuritynews.com. Publication date: Sat, 12 Jul 2025 17:20:10 +0000