GPUBreach: Rowhammer-Style Attack on GDDR6 Memory Achieves Full System Takeover — Even With IOMMU Enabled
Summary
Researchers at the University of Toronto have disclosed GPUBreach, a devastating new class of Rowhammer attack that targets GDDR6 memory on NVIDIA GPUs. By inducing bit-flips in GPU page tables from an unprivileged CUDA workload, attackers can gain arbitrary read/write access to GPU memory — then pivot through NVIDIA driver bugs to achieve a full root shell on the host CPU.
The most alarming finding: GPUBreach bypasses IOMMU protections entirely. The attack corrupts trusted driver state within IOMMU-permitted buffers, triggering kernel-level out-of-bounds writes that sidestep the very hardware isolation mechanism that was supposed to prevent DMA attacks. Demonstrations were confirmed on the NVIDIA RTX A6000 and GeForce RTX 3060, while newer cards using GDDR6X, GDDR7, or HBM3/HBM4 memory appear unaffected.
The research has been accepted for presentation at the 47th IEEE Symposium on Security & Privacy (Oakland 2026), and NVIDIA was notified in November 2025. Major cloud providers have also been briefed.
Source
The Hacker News · Security Affairs · SecurityWeek
Commentary
This is a big deal for anyone running multi-tenant GPU infrastructure — cloud AI platforms, shared HPC clusters, analytics farms. The entire security model for GPU workload isolation assumed IOMMU was the backstop, and GPUBreach just proved that assumption wrong for a huge installed base of GDDR6 cards. Enabling ECC helps for single-bit flips, but consumer GPUs don’t even have the option.
Expect cloud providers to quietly accelerate their transition to HBM-based instances and start gating GDDR6 hardware to single-tenant configurations. For enterprises, this is yet another reminder that hardware-level security assumptions need continuous revalidation — especially when GPUs are no longer just rendering pixels.
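The ECC point above translates into a simple fleet check. The following is an added example, not code from the researchers or from NVIDIA: it parses the output of `nvidia-smi --query-gpu=index,name,ecc.mode.current --format=csv,noheader` and reports the ECC state of the two models the article lists as confirmed. The sample rows, the action labels and the name-matching rule are assumptions made for illustration.

```python
import csv
import io
import subprocess

# Models the page reports as confirmed. Matching on the end of the product
# name is an assumption of this sketch, so "RTX 3060 Ti" is not matched.
CONFIRMED = ("RTX A6000", "GeForce RTX 3060")
QUERY = ["nvidia-smi", "--query-gpu=index,name,ecc.mode.current",
         "--format=csv,noheader"]

# Constructed sample of the query's output (not captured from a real host).
SAMPLE = """\
0, NVIDIA RTX A6000, Disabled
1, NVIDIA RTX A6000, Enabled
2, NVIDIA GeForce RTX 3060, [N/A]
3, NVIDIA GeForce RTX 3060 Ti, [N/A]
4, NVIDIA H100 80GB HBM3, Enabled
"""

def collect():
    """Run the query on a live host and return its CSV text."""
    return subprocess.run(QUERY, capture_output=True, text=True,
                          check=True).stdout

def audit(csv_text):
    """Return one finding per GPU whose model the page lists as confirmed."""
    findings = []
    for row in csv.reader(io.StringIO(csv_text), skipinitialspace=True):
        if len(row) != 3:
            continue  # blank or malformed line
        index, name, ecc = (field.strip() for field in row)
        if not name.endswith(CONFIRMED):
            continue
        if ecc == "Enabled":
            action = "ecc-on"        # helps for single-bit flips only
        elif ecc == "Disabled":
            action = "enable-ecc"    # ECC is available but switched off
        else:
            action = "no-ecc"        # "[N/A]": the card has no ECC option
        findings.append({"gpu": int(index), "name": name, "action": action})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On a host with the NVIDIA driver installed, `audit(collect())` runs the same check against real hardware. In a shared pool, cards reported as `no-ecc` are the ones to consider for single-tenant scheduling.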


