Rowhammer Jumps to NVIDIA GPUs, Yielding Full Host Compromise

Via Schneier on Security. Original source: Rowhammer Attack Against NVIDIA Chips

Three independent research teams have demonstrated Rowhammer attacks against NVIDIA Ampere GPUs that escalate from GDDR memory bitflips to full control of the host system’s CPU memory. The first two attacks, GDDRHammer and GeForge, target the RTX 3060 and RTX A6000 by corrupting GPU page tables and page directories in GDDR6 memory, granting arbitrary read/write access to GPU memory and, by extension, host CPU memory. GeForge’s proof-of-concept ends with a root shell on the host, executing arbitrary commands with full privileges.

GDDRHammer and GeForge both depend on IOMMU being disabled, which is the BIOS default on most systems. A third attack, disclosed shortly after, removes that constraint entirely and achieves root privilege escalation on the RTX A6000 even with IOMMU enabled, eliminating the main mitigation administrators might have relied on.
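Since the first two attacks depend on the IOMMU being off, a first inventory step on a Linux GPU host is to see how each NVIDIA PCI function is actually mapped. The script below is an added example, not code from the article or the research teams; it assumes the standard sysfs layout (`iommu_group` link per device, `type` attribute per group), and its function names and state labels are made up for illustration. A `translated` result does not address the third attack, which works with the IOMMU enabled.

```shell
#!/usr/bin/env bash
# Added example, not from the article. Linux only; reads sysfs, changes nothing.

NVIDIA_VENDOR_ID="0x10de"   # PCI vendor ID assigned to NVIDIA

# gpu_iommu_state <pci-device-dir>
# Classifies one PCI device by its IOMMU group's default domain type.
gpu_iommu_state() {
    local dev="$1" gtype
    if [ ! -e "$dev/iommu_group" ]; then
        echo "no-iommu"            # IOMMU off in firmware/kernel: DMA is untranslated
        return
    fi
    # Older kernels have no "type" attribute; treat that as unknown, not as an error.
    gtype=$(cat "$dev/iommu_group/type" 2>/dev/null) || gtype=""
    case "$gtype" in
        DMA|DMA-FQ) echo "translated" ;;      # device DMA goes through IOMMU page tables
        identity)   echo "passthrough" ;;     # e.g. iommu=pt: grouped but mapped 1:1
        "")         echo "grouped-unknown" ;;
        *)          echo "other:$gtype" ;;
    esac
}

# nvidia_iommu_report [sysfs_root]
# Prints "<pci-address> <state>" for every NVIDIA PCI function found.
# sysfs_root is a parameter so the check can be run against a constructed tree.
nvidia_iommu_report() {
    local root="${1:-/sys}" dev
    for dev in "$root"/bus/pci/devices/*; do
        [ -r "$dev/vendor" ] || continue
        [ "$(cat "$dev/vendor")" = "$NVIDIA_VENDOR_ID" ] || continue
        echo "$(basename "$dev") $(gpu_iommu_state "$dev")"
    done
}

nvidia_iommu_report "${SYSFS_ROOT:-/sys}"
```

Hosts reporting `no-iommu` or `passthrough` match the precondition the summary gives for GDDRHammer and GeForge.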

The significance is that Rowhammer, long studied as a CPU-DRAM problem, now cleanly crosses the component boundary. GPUs handling untrusted workloads — shared cloud instances, ML training environments, browser-driven WebGPU contexts — become a viable path to host takeover, and the standard defensive posture of trusting GDDR isolation no longer holds.

This is an AI-generated summary. Read the original for the full story.