Researchers have shown that Rowhammer is no longer just a CPU problem. Two separate attacks against Nvidia’s high-end Ampere GPUs can flip bits in GDDR memory, then turn that corruption into full control of the host machine – including root access – in systems where IOMMU is left off, which is the default in BIOS settings.
The attacks target Nvidia Ampere GPUs and affect systems where IOMMU is disabled by default. That makes the issue especially concerning for cloud environments and shared workstations, where one compromised GPU can potentially expose the host.
That’s a nasty escalation for hardware that often costs $8,000 or more and is routinely shared by multiple users in cloud environments. GPU security has spent years living in the shadow of CPU defenses, but these papers suggest that old assumptions about isolation do not travel well once the graphics card is allowed to influence memory outside its own sandbox.
GDDRHammer and GeForge target Nvidia Ampere GPUs
The two attacks are called GDDRHammer and GeForge. Both were demonstrated against Nvidia cards from the Ampere generation, specifically the RTX 3060 and RTX 6000, and both use novel hammering patterns plus ”memory massaging” to steer page tables into vulnerable memory.
GDDRHammer achieved an average of 129 flips per memory bank on the RTX 6000, far beyond last year’s GPUHammer result. GeForge went even further on the RTX 3060, inducing 1,171 bitflips, and the proof-of-concept ends with a root shell on the host. That is a much uglier outcome than the earlier GPU-only attacks, which mainly showed damage inside the graphics stack.
- Targeted GPUs: RTX 3060 and RTX 6000 from Nvidia’s Ampere generation
- Key requirement: IOMMU must be disabled
- Mitigations: enable IOMMU in BIOS and turn on ECC, with performance trade-offs
How the attacks jump from GPU memory to CPU memory
The trick is not just flipping bits. The attackers manipulate GPU page tables so the card can be redirected toward host physical memory, which breaks isolation between GPU contexts and the CPU. In plain English: once the GPU can be made to lie about where memory lives, the rest of the machine starts to fall over.
Nvidia stores those page tables in protected low-memory regions that are supposed to be out of Rowhammer’s reach. The papers show how an attacker can still maneuver allocations into vulnerable space, then corrupt the tables and forge access mappings. It is a clever reminder that security controls are only as good as the assumptions underneath them, and those assumptions age fast in hardware land.
What Nvidia users can do now
The practical fix is not glamorous: turn on IOMMU in BIOS, and consider enabling ECC on the GPU. Both reduce exposure, both cost performance, and both are exactly the sort of settings people skip when chasing compatibility or throughput. That default-off choice is looking more expensive by the day.
The researchers say only the RTX 3060 and RTX 6000 are known vulnerable so far, and there are no known cases of Rowhammer being used in the wild. Still, the pattern is familiar: first CPUs, then mobile devices, then memory types once thought safer, and now GPUs. The next question is whether newer Nvidia cards, and competing accelerators from other vendors, have inherited the same blind spot before the academic papers catch up.