The old Rowhammer vulnerability just took another worrying step forward. Two research groups have independently demonstrated that certain NVIDIA GPUs with GDDR6 memory can be exploited as an entry point not only to compromise the device’s own memory but also to access the host system’s main memory. The projects, grouped under the names GDDRHammer and GeForge, claim that an unprivileged user running code on the GPU could achieve arbitrary read and write access to the CPU’s memory, resulting in a full machine takeover.
What’s significant here isn’t just that Rowhammer remains relevant more than a decade after its discovery in traditional DRAM, but that it is now making a significant leap into the graphics domain. The researchers’ technical divulgence website, gddr.fail, states that both teams managed to corrupt GPU page tables via bit-flips in GDDR6, paving the way for host memory access. NVIDIA had already published a security note in July 2025 acknowledging Rowhammer risks in products with certain memory configurations and recalling mitigations like system-level ECC.
From a reliability flaw to a pathway for total escalation
According to the public explanation from GDDRHammer, the attack exploits new hammering patterns and techniques to bypass internal device mitigations, achieving a much higher number of bit-flips than previously observed in GPU-focused research. The team reports having characterized 25 GDDR6 GPUs, including professional models from the Ampere and Ada families, and describes a flaw in the default memory allocator (cudaMalloc) that would break isolation between page tables and user data within the GPU. Once address translation is corrupted, the attacker could use the GPU itself to read and write across CPU memory.
GeForge reaches a similar conclusion through a different technical route. Their public summary indicates that the attack corrupts GPU page table translations via bit-flips in GDDR6, and when IOMMU is disabled, this arbitrary access can extend to host memory, eventually opening a root-level shell. The researchers’ portal even shows a demonstration of this exploitation, emphasizing that the ultimate goal isn’t to alter neural networks or degrade computing performance, but to directly break down the boundary between GPU and CPU.
Additionally, a third research thread, GPUBreach, has been publicly shared via Ars Technica. This approach combines Rowhammer on the GPU with security flaws in NVIDIA’s driver to escalate privileges even with IOMMU enabled. Since this third work isn’t detailed on the publicly available gddr.fail site, it should be treated more cautiously and as an additional extension reported by Ars, rather than part of the core technical research.
Which cards are confirmed affected?
It’s important to distinguish between what has been demonstrated and what remains hypothetical. The gddr.fail site and their technical coverage point to the GeForce RTX 3060 and professional/workstation GPUs from the RTX 6000 / RTX A6000 family with GDDR6, particularly from the Ampere generation, as publicly exploited cases. NVIDIA’s security note from 2025 explicitly mentioned a potential attack on an NVIDIA A6000 GPU with GDDR6 Memory and indicated that research from the University of Toronto showed mitigation by enabling System-Level ECC.
However, there’s no public evidence to suggest that all modern NVIDIA GPUs are vulnerable. The gddr.fail page itself states that they believe any modern system with a GPU and GDDR6 might be susceptible, but this is not a definitive list of models. They also clarify that, so far, A100 with HBM2 and H100 with HBM3 have shown no vulnerabilities in their tests, likely because on-die ECC masks single-bit flips. Still, the authors do not rule out future scenarios with more aggressive patterns.
NVIDIA adds another important detail: memory generations like DDR4, LPDDR5, HBM3, and GDDR7 include On-Die ECC that provides indirect protection against Rowhammer. The manufacturer’s public list mentions the GeForce RTX 50 series with GDDR7 under this protection, significantly reducing the temptation to extend this alarm to newer cards without supporting technical data. As of today, the core of the public concern mainly revolves around GDDR6 implementations, rather than GDDR6X, GDDR7, or HBM generally.
Mitigations: ECC and IOMMU, but with limitations
The most common mitigations are enabling system-level ECC on the GPU and activating IOMMU in BIOS or host configurations. The gddr.fail FAQ recommends ECC as a temporary solution, but notes that it reduces available memory and introduces some performance overhead. NVIDIA agrees, stating that System-Level ECC is one of the recommended defenses to limit or block exploitation.
For IOMMU, the GDDRHammer and GeForge teams see it as an effective defense to limit the GPU’s access to host memory, blocking the primary CPU-GPU pathways exploited in those attacks. However, Ars points out that GPUBreach appears to have found a route that doesn’t depend solely on IOMMU being disabled, relying also on driver vulnerabilities. This means IOMMU remains highly recommended but is not an absolute safeguard against future variants.
The most prudent conclusion isn’t immediate panic for everyday users but recognizing that shared GPUs, workstations, and cloud environments with pooled accelerators now face an added risk front. Most importantly, classic defenses against Rowhammer can no longer be viewed as only software or CPU-centric; graphics memory defenses must also be integrated — as the GDDRHammer authors emphasize, any serious mitigation strategy will need to consider GPU memory as well.
Frequently Asked Questions
Which NVIDIA GPUs are confirmed to be affected by these attacks?
Public demonstrations have focused on the GeForce RTX 3060 and professional/workstation models like the RTX 6000 / RTX A6000 with GDDR6, especially from the Ampere generation. Research suggests other GDDR6 GPUs might be vulnerable too, but there’s no official exhaustively confirmed list of models.
Does this problem also affect GDDR7 or HBM?
Based on current publicly available information, there’s no equivalent evidence to support that. NVIDIA states that GDDR7 and other modern memories include On-Die ECC, and the researchers’ site notes that A100 (HBM2) and H100 (HBM3) did not show vulnerabilities in their tests.
Does enabling IOMMU solve the issue?
It clearly reduces the risk in the attack scenarios presented by GDDRHammer and GeForge because it limits the GPU’s access to host memory. However, Ars explains that GPUBreach appears to have developed a route that works even with IOMMU active, relying on driver flaws. Thus, while IOMMU remains very advisable, it shouldn’t be considered an absolute safeguard against all future variants.
Is enabling ECC on the GPU a good idea?
Yes. It’s one of the best-proven mitigations, recommended by NVIDIA and the researchers alike, though it comes with costs: it reduces available memory and may impact performance. The GDDR.fail FAQ also notes that older Rowhammer attacks could bypass some ECC implementations, so it’s not a foolproof solution.
Sources: arstechnica, videocardz, and Gddr.fail