
GPUBreach attack leverages GDDR6 Rowhammer to escalate privileges and compromise systems via NVIDIA driver flaws

2 unique sources, 2 articles

Summary


Researchers from the University of Toronto demonstrated GPUBreach, a new Rowhammer-based technique that corrupts GPU page tables held in GDDR6 memory to grant unprivileged CUDA kernels arbitrary read/write access to GPU memory. This GPU-level privilege escalation is then chained with memory-safety flaws in the NVIDIA driver to escalate from an unprivileged context to full system compromise, including a root shell, without disabling the IOMMU and without building on prior GPU Rowhammer work. The attack bypasses IOMMU protection by corrupting driver state that the driver trusts but that lives in GPU-controlled memory, so it remains effective on systems with hardware memory isolation enabled. Demonstrated on NVIDIA RTX A6000 GPUs with GDDR6 memory, the technique enables cross-process data exposure, cryptographic key leakage, manipulation of ML workloads (reducing model accuracy from 80% to 0%), and extraction of sensitive data such as LLM weights. ECC is the available mitigation, but it may fail to detect multiple bit flips, leaving systems exposed. The research is scheduled for presentation at the 47th IEEE Symposium on Security & Privacy in 2026 and follows NVIDIA's November 2025 notification of related risks.
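The ECC caveat above is worth seeing concretely. The following is an added example, not code from the GPUBreach researchers or from NVIDIA: it implements a textbook SECDED (72,64) extended Hamming code, the construction conventionally used for DRAM ECC on 64-bit words, and feeds it simulated Rowhammer flip patterns. The exact code NVIDIA uses for GDDR6 ECC is not stated on this page, so the bit layout here is an assumption; the failure mode it shows (one flip corrected, two flips detected, three flips silently "corrected" into wrong data) is a property of any SECDED code.

```python
"""SECDED (72,64) extended Hamming ECC over a 64-bit word, with simulated
Rowhammer bit flips, to show what the code corrects, detects, or misses.
Added illustration; the bit layout is a generic textbook construction, not
NVIDIA's GDDR6 ECC implementation."""

from enum import Enum

DATA_BITS = 64
CHECK_POSITIONS = [1 << i for i in range(7)]   # Hamming check bits at 1,2,4,...,64
HAMMING_LEN = 71                               # 64 data bits + 7 check bits
# Data bits occupy every position in 1..71 that is not a power of two.
DATA_POSITIONS = [p for p in range(1, HAMMING_LEN + 1) if p not in CHECK_POSITIONS]
assert len(DATA_POSITIONS) == DATA_BITS


class Status(Enum):
    OK = "no error"
    CORRECTED = "single-bit error corrected"
    UNCORRECTABLE = "multi-bit error detected"


def encode(data: int) -> int:
    """Return a 72-bit codeword: bit 0 is the overall parity, bits 1..71 the Hamming code."""
    if not 0 <= data < (1 << DATA_BITS):
        raise ValueError("data must fit in 64 bits")
    cw = 0
    for i, pos in enumerate(DATA_POSITIONS):
        if (data >> i) & 1:
            cw |= 1 << pos
    # Check bit p covers every position whose index has bit p set; set it so the group is even.
    for p in CHECK_POSITIONS:
        parity = 0
        for pos in range(1, HAMMING_LEN + 1):
            if pos & p and (cw >> pos) & 1:
                parity ^= 1
        cw |= parity << p
    cw |= bin(cw).count("1") & 1               # overall parity over bits 1..71
    return cw


def extract(cw: int) -> int:
    """Pull the 64 data bits back out of a (possibly corrupted) codeword."""
    data = 0
    for i, pos in enumerate(DATA_POSITIONS):
        if (cw >> pos) & 1:
            data |= 1 << i
    return data


def decode(cw: int) -> tuple:
    """Return (Status, data). Mirrors a SECDED controller's decision logic."""
    syndrome = 0
    for pos in range(1, HAMMING_LEN + 1):
        if (cw >> pos) & 1:
            syndrome ^= pos                    # XOR of set positions names a single bad bit
    overall_bad = bin(cw).count("1") & 1       # all 72 bits must have even parity
    if syndrome == 0 and not overall_bad:
        return Status.OK, extract(cw)
    if not overall_bad:
        # Even number of flips (2, 4, ...): syndrome non-zero but parity clean.
        return Status.UNCORRECTABLE, extract(cw)
    if syndrome > HAMMING_LEN:
        # Odd flips whose XOR names a non-existent position: detectable.
        return Status.UNCORRECTABLE, extract(cw)
    # Odd number of flips: the controller assumes exactly one and "corrects" it.
    # With three flips this lands on the wrong bit, or on none if the syndrome is 0.
    if syndrome:
        cw ^= 1 << syndrome
    return Status.CORRECTED, extract(cw)


def hammer(data: int, flipped_positions: list) -> tuple:
    """Flip the given codeword positions (0..71), then report ECC's verdict and
    whether the data it hands back is actually the original."""
    cw = encode(data)
    for pos in flipped_positions:
        cw ^= 1 << pos
    status, recovered = decode(cw)
    return status, recovered == data


if __name__ == "__main__":
    word = 0xDEADBEEFCAFEF00D                  # constructed sample data word
    for flips in ([3], [3, 5], [3, 5, 6], [3, 5, 9]):
        status, intact = hammer(word, flips)
        print(f"flips at {flips}: {status.value}; data intact: {intact}")
```

Running the block shows the two triple-flip cases reported as "single-bit error corrected" while the returned data is wrong: the controller raises no uncorrectable-error event, which is exactly the gap the summary refers to. The double-flip case is at least detected, so a platform that traps on uncorrectable ECC errors gets a signal there; whether the GPU or driver acts on that signal is a separate question the page does not answer.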

Timeline

  1. 07.04.2026 00:44 2 articles · 1d ago

    GPUBreach attack enables full system compromise via GDDR6 Rowhammer on NVIDIA GPUs

    University of Toronto researchers disclosed GPUBreach, a Rowhammer-based attack that corrupts GPU page tables in GDDR6 memory to grant unprivileged CUDA kernels arbitrary GPU memory access. The attack chains this GPU privilege escalation with memory-safety bugs in the NVIDIA driver to achieve full system compromise and root shell access without disabling the IOMMU, bypassing hardware memory isolation. Demonstrated on NVIDIA RTX A6000 GPUs, the technique enables cross-process data exposure, cryptographic key leakage during GPU operations, and manipulation of machine learning workloads, reducing model accuracy from 80% to 0%. Sensitive data such as large language model (LLM) weights stored in GPU memory can be extracted under certain conditions. The current ECC mitigation may fail to detect multi-bit flips, leaving systems exposed. The research is scheduled for presentation at the 47th IEEE Symposium on Security & Privacy in 2026, following NVIDIA's November 2025 notification of related risks.


Similar Happenings

TEE.Fail Side-Channel Attack Targets Intel and AMD DDR5 Secure Enclaves

A new side-channel attack, TEE.Fail, allows extraction of secrets from secure enclaves on Intel and AMD DDR5 systems. Researchers from Georgia Tech, Purdue University, and Synkhronix developed the attack, which uses an interposition device to inspect memory traffic and extract cryptographic keys. The attack affects Intel SGX, Intel TDX, and AMD SEV-SNP with Ciphertext Hiding. It leverages the deterministic nature of AES-XTS memory encryption, enabling the extraction of data from confidential virtual machines (CVMs) and compromising attestation. The researchers demonstrated that the attack can undermine NVIDIA's GPU Confidential Computing and extract private signing keys from OpenSSL's ECDSA implementation. Both AMD and Intel have stated that physical attacks are out of scope for their security measures, and no mitigations are planned.

TEE.Fail attack exploits Intel, AMD, and NVIDIA CPUs

Academic researchers have developed a side-channel attack called TEE.Fail, which can extract secrets from the trusted execution environments (TEEs) of Intel and AMD CPUs and from NVIDIA's GPU confidential computing. The attack targets DDR5 systems and exploits weaknesses in modern implementations of Intel SGX, Intel TDX, and AMD SEV-SNP. A TEE is an isolated area within the processor designed to ensure the confidentiality and integrity of sensitive data. The attack requires physical access and root-level privileges, but no chip-level expertise. Researchers demonstrated the ability to forge attestations, extract private keys, and breach confidentiality. The attack is complex and less practical against ordinary users, but it highlights significant weaknesses in confidential computing. The researchers reported their findings to Intel, AMD, and NVIDIA, who acknowledged the issues and are working on mitigations.

Battering RAM Attack Bypasses Intel and AMD Cloud Security Protections

A group of academics from KU Leuven and the University of Birmingham have demonstrated a new vulnerability called Battering RAM. It bypasses the latest defenses on Intel and AMD cloud processors, compromising Intel's Software Guard Extensions (SGX) and AMD's Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP). The attack uses a custom-built, low-cost DDR4 interposer to stealthily redirect physical addresses and gain unauthorized access to protected memory regions. It affects systems using DDR4 memory, particularly those running confidential computing workloads in public cloud environments. Successful exploitation allows a rogue cloud infrastructure provider or an insider with limited physical access to compromise remote attestation and insert arbitrary backdoors into protected workloads. The vulnerability was reported to the vendors earlier this year, but defending against Battering RAM would require a fundamental redesign of memory encryption itself.

Battering RAM is an evolution of the earlier BadRAM attack, which exploited physical address aliasing to modify and replay encrypted memory on AMD SEV-SNP systems. Battering RAM introduces dynamic memory aliases at runtime, allowing it to bypass Intel's and AMD's mitigations for BadRAM.

Researchers from Georgia Institute of Technology and Purdue University have demonstrated a related attack called WireTap that also bypasses Intel SGX's security guarantees. WireTap uses a DDR4 memory-bus interposer to passively decrypt sensitive data, exploiting Intel's deterministic memory encryption. It can extract an SGX attestation signing key, allowing an attacker to sign arbitrary SGX enclave reports. WireTap and Battering RAM are complementary, targeting confidentiality and integrity respectively; WireTap can be used to undermine both guarantees in SGX-backed blockchain deployments.

Intel and AMD have acknowledged the exploits but consider physical attacks on DRAM out of scope for their current products. Intel's cryptographic integrity protection mode of Intel Total Memory Encryption-Multi-Key (Intel TME-MK) can provide additional protection against alias-based attacks. The researchers' exploits demonstrate that confidential computing is not invincible, and defenders should reevaluate their threat models to better understand and prepare for physical attacks.

Phoenix attack bypasses Rowhammer defenses in DDR5 memory

A new Rowhammer attack variant, Phoenix, bypasses the DDR5 Rowhammer defenses in SK Hynix memory chips. The attack exploits specific refresh intervals and synchronization methods to flip bits, enabling privilege escalation, data corruption, or unauthorized access. The vulnerability, tracked as CVE-2025-6202, affects all DDR5 DIMM modules produced between January 2021 and December 2024. The attack was developed by researchers at ETH Zurich and Google, who demonstrated its effectiveness on 15 DDR5 memory chips. It allows attackers to gain root privileges in under two minutes on a commodity DDR5 system. The researchers also showed that it can recover the RSA-2048 key of a co-located virtual machine to break SSH authentication, and tamper with the sudo binary to escalate local privileges to root. The proposed mitigation is to refresh DRAM three times as often (tripling the refresh rate), but this may cause system instability.

VMScape attack breaks guest-host isolation on AMD, Intel CPUs

A new speculative execution attack named VMScape allows malicious virtual machines (VMs) to leak cryptographic keys from an unmodified QEMU hypervisor process running on modern AMD or Intel CPUs. The attack bypasses existing Spectre mitigations and threatens to leak sensitive data by leveraging speculative execution. It affects all AMD Zen 1 to Zen 5 processors and Intel’s Coffee Lake CPUs, but not Raptor Cove or Gracemont. The attack does not require compromising the host and works on unmodified virtualization software with default mitigations enabled on the hardware. The VMScape attack targets QEMU, the user-mode hypervisor component, by influencing indirect branch prediction in a host user process due to shared Branch Prediction Unit (BPU) structures. The attack uses a Spectre-BTI (Branch Target Injection) technique to misguide a target indirect branch in QEMU, enabling the leakage of secret data. The ETH Zurich research team reported the findings to AMD and Intel, who have released patches and security bulletins. Linux kernel developers have also released patches to mitigate the issue.