3 min read
Nvidia’s flagship RTX A6000 GPU has just become the first graphics processor confirmed vulnerable to Rowhammer attacks, sparking serious concerns for AI developers and enterprise users alike. A new security exploit, dubbed the GPUHammer attack, was demonstrated by researchers at the University of Toronto and will be presented at the upcoming Usenix Security Conference 2025.
This marks the first-ever successful Rowhammer attack on discrete GPUs, specifically targeting GDDR6 memory modules—memory long considered safer than traditional CPU DRAM chips.
GPUHammer: Rowhammer Hits the GPU World
Previously exclusive to CPU DRAM attacks, Rowhammer manipulates memory cells by rapidly and repeatedly accessing adjacent rows, forcing targeted “bit flips” from 0 to 1 or vice versa. Now, that same technique has been adapted for Nvidia GPUs, specifically on the RTX A6000, using GDDR6 video memory.
The attackers demonstrated that a single bit flip in a neural network model’s exponent could degrade model accuracy from 80% down to 0.1%. That’s enough to crash AI models used in autonomous driving, medical imaging, and malware detection.
“This is like inducing catastrophic brain damage in the model,” said co-author Gururaj Saileshwar. “A flipped bit in the exponent can entirely destroy AI prediction accuracy.”
Why Nvidia’s Mitigation Hurts Performance
In response to the vulnerability, Nvidia is urging users to enable ECC (Error-Correcting Code)—a mitigation that corrects single-bit errors in memory. But there’s a cost: the ECC setting can reduce performance by up to 10% and memory capacity by 6.25%.
Tasks using large memory loads, especially 3D U-Net ML models for healthcare applications, experience the heaviest slowdown. The bandwidth reduction between the GPU and its memory module accounts for a 12% performance hit in some benchmarks.
Cloud Providers At Risk of Rowhammer
The GPUHammer attack raises serious concerns for cloud environments like AWS, Runpod, and Lambda Cloud. It is because these environments have multiple users sharing the same GPUs. In such scenarios, a malicious actor could flip bits in another tenant’s model, potentially sabotaging sensitive workloads.
Although Amazon Web Services already enables ECC by default, many smaller providers do not, leaving a wide attack surface open for exploitation.
How the Attack Bypasses Traditional Safeguards
What makes GPUHammer unique is its ability to bypass multiple GPU-specific hardware protections. GDDR modules have higher refresh rates, deeper latency, and no public access to physical memory mappings. All of these were believed to make them immune to traditional Rowhammer methods.
However, the researchers reverse-engineered enough of Nvidia’s memory mapping to induce stable bit flips without needing privileged access.
Final Word: Is This Just the Beginning?
This research doesn’t just affect the RTX A6000. According to the authors, other Nvidia chips using GDDR6 may also be vulnerable. Even the latest GPUs equipped with GDDR7 or HBM3 do not guarantee protection against the GPUHammer attack.
“These protections haven’t been thoroughly tested against targeted Rowhammer attacks,” Saileshwar warned.
As the first confirmed Rowhammer exploit on GPU hardware, the GPUHammer attack raises fresh alarms in cybersecurity, especially for cloud, AI, and data center operators relying on high-performance graphics cards.
