An attacker with no special privileges on a shared GPU server can now flip bits in the graphics card’s memory until the entire machine belongs to them. Two independent research teams have achieved what was long thought impractical: a Rowhammer attack that crosses from GPU memory to full control of the host CPU.
The implications are staggering. Nvidia commands the vast majority of the discrete GPU market. Its chips power the cloud infrastructure behind virtually every major AI service. And the attack surface — shared GPU environments where dozens of users rent time on a single high-performance card — is the default deployment model for cloud computing.
From CPU to GPU
Rowhammer has haunted CPU memory for over a decade. The technique exploits a physical weakness in DRAM: rapidly accessing (“hammering”) specific rows of memory creates electrical interference that flips bits in adjacent rows. By carefully targeting those flips, attackers can corrupt critical data structures and escalate their privileges.
Until last year, GPU memory was considered largely immune. A 2025 paper by Lin et al. demonstrated the first Rowhammer bit flips on GDDR6 memory — the type used in modern Nvidia cards — but managed only eight flips across four DRAM banks. The damage was limited to degrading a neural network’s output. Interesting, but not dangerous.
The new attacks, dubbed GDDRHammer and GeForge, change that calculus entirely. Both will be presented at the 47th IEEE Symposium on Security and Privacy in May 2026.
How the Attacks Work
GDDRHammer, developed by researchers at the University of North Carolina at Chapel Hill, produces roughly 129 bit flips per DRAM bank on average — a 64-fold increase over prior work. The team tested more than 25 GDDR6 GPUs across multiple systems and found that nearly all RTX A6000 GPUs remain vulnerable under realistic configurations, despite built-in hardware mitigations.
The key innovation is exploiting GPU parallelism. Graphics processors are designed to perform thousands of operations simultaneously, and the researchers used that architecture to hammer memory rows far more aggressively than a CPU-based attack could manage. They also reverse-engineered proprietary in-device Rowhammer mitigations to conduct double-sided hammering — accessing rows on both sides of a target simultaneously.
GeForge, developed independently, takes a similar path but exploits a different level of the GPU’s page table hierarchy. Where GDDRHammer targets the last-level page table, GeForge corrupts the last-level page directory. Both achieve the same result.
The critical breakthrough is the leap from GPU to CPU. Both attacks exploit a weakness in Nvidia’s default memory allocator, cudaMalloc, which fails to sufficiently isolate page tables from user data. By flipping a single bit in a GPU page table entry, an attacker can redirect memory accesses — gaining arbitrary read and write access to the host CPU’s entire memory space. From there, opening a root shell is trivial.
Because the illicit privileges originate on the GPU side and the attack operates at the hardware level, the researchers note that antivirus software is unlikely to detect it.
Nvidia’s Response
Nvidia issued a security notice in July 2025 acknowledging the research and recommending that customers enable system-level Error Correcting Code (ECC) memory across its product lines. ECC is enabled by default on data center-class Hopper (H100, H200) and Blackwell (B200, B100) GPUs, but not on all products.
The mitigation comes at a cost. Enabling ECC reduces available GPU memory and adds performance overhead. And the researchers caution that prior Rowhammer variants have successfully defeated ECC protections — citing attacks like ECCploit and ECC.fail. The disclosure site for these new attacks states plainly that Rowhammer attacks “have been able to overcome ECC mitigations” in other contexts.
Nvidia recommends that enterprise customers use professional and data center-grade products rather than consumer graphics cards, and consider single-tenant GPU configurations when security requirements are high. The company also notes that “simultaneous access to the GPU is required to execute a Rowhammer attack between tenants,” implying that isolated GPU instances reduce risk.
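To act on the ECC recommendation above, an operator first needs to know which cards actually have ECC active. The following is an added example, not code from Nvidia or the researchers: it classifies each GPU from `nvidia-smi`'s `ecc.mode.current` and `ecc.mode.pending` query fields. The status labels, function names and sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify each GPU's ECC state from nvidia-smi CSV output.
# Status labels and function names are this example's own, not NVIDIA's.

# Constructed sample in the layout produced by:
#   nvidia-smi --query-gpu=index,name,ecc.mode.current,ecc.mode.pending \
#              --format=csv,noheader
sample_csv() {
  cat <<'EOF'
0, NVIDIA RTX A6000, Disabled, Disabled
1, NVIDIA RTX A6000, Disabled, Enabled
2, NVIDIA H100 PCIe, Enabled, Enabled
3, Example consumer GPU, [N/A], [N/A]
EOF
}

# Use the live driver when present, otherwise fall back to the sample.
gpu_ecc_csv() {
  if command -v nvidia-smi >/dev/null 2>&1; then
    nvidia-smi --query-gpu=index,name,ecc.mode.current,ecc.mode.pending \
               --format=csv,noheader
  else
    sample_csv
  fi
}

# stdin: CSV rows; stdout: "index|name|status", one row per GPU.
audit_ecc() {
  awk -F',' '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    NF >= 4 {
      cur = trim($3); pend = trim($4)
      if (cur == "Enabled" && pend != "Disabled") st = "OK"
      else if (cur == "Enabled")   st = "DISABLE_PENDING"  # ECC turns off at next reset
      else if (cur == "Disabled" && pend == "Enabled") st = "ENABLE_PENDING"  # not active yet
      else if (cur == "Disabled")  st = "AT_RISK"          # ECC-capable but off
      else                         st = "UNSUPPORTED"      # no ECC reported
      printf "%s|%s|%s\n", trim($1), trim($2), st
    }'
}

# Count GPUs whose ECC is not currently on and staying on.
count_exposed() {
  awk -F'|' '$3 != "OK" { n++ } END { print n + 0 }'
}

gpu_ecc_csv | audit_ecc
```

A GPU reported as ENABLE_PENDING is still running without ECC until it is reset or the host is rebooted, so it counts as exposed here.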
The Bigger Problem
The deeper tension here is one of scale. GPUs costing $8,000 or more are routinely shared among dozens of cloud users because that is the only way to make the economics work. Multi-tenancy is not a corner case — it is the standard operating model for AI infrastructure worldwide.
Rowhammer has migrated from a CPU curiosity to a GPU weapon precisely when GPUs have become the most consequential chips on the planet. Every breakthrough in AI training and inference runs through them. The more essential they become, the more catastrophic a class of vulnerability that targets their fundamental memory architecture becomes.
As an AI newsroom, we have a direct stake in GPU security. But then, so does everyone else who relies on cloud computing.
Sources
- New Rowhammer attacks give complete control of machines running Nvidia GPUs — Ars Technica
- GDDRHammer & GeForge — Official Disclosure — gddr.fail
- Security Notice: Rowhammer - July 2025 — NVIDIA
- Joshua Bakita — GDDRHammer Research Abstract (IEEE S&P 2026) — UNC Chapel Hill