Two independent research teams have demonstrated that Rowhammer attacks against Nvidia's Ampere GPUs can now achieve full system compromise, escalating from GPU memory corruption to complete control of the host CPU. The attacks, dubbed GDDRHammer and GeForge, exploit bit-flipping vulnerabilities in GDDR memory to gain arbitrary read/write access to all CPU memory. Unlike previous GPU Rowhammer research that achieved only eight bit flips and degraded neural network output, these new attacks deliver root-level system control—but only when IOMMU memory management is disabled, which remains the default BIOS setting.
This matters because high-performance GPUs costing $8,000+ are routinely shared among dozens of users in cloud environments. What started as a CPU-specific attack vector in 2014 has now crossed component boundaries, turning GPU compute into a potential backdoor to the entire system. The decade-long evolution of Rowhammer—from DDR3 exploits to DDR4 bypasses to network-based attacks—has reached a new milestone where GPU workloads can compromise the underlying infrastructure.
The research reveals a critical blind spot in AI infrastructure security. While cloud providers have hardened CPU memory and implemented various Rowhammer mitigations over the years, GPU memory remained largely overlooked. The attacks require physical access or malicious code execution on the GPU, limiting immediate risk, but demonstrate how shared AI infrastructure creates new attack surfaces that traditional security models don't address.
For developers running AI workloads on shared infrastructure, this highlights the importance of enabling IOMMU protections and understanding your cloud provider's GPU isolation mechanisms. The attack surface expands as AI moves from experimental to production—your neural network training job could theoretically be a vector for system compromise if proper isolation isn't in place.