Rowhammer Attacks Grant Full Control of Host Systems via NVIDIA Ampere GPUs
What Happened — Independent research teams demonstrated two Rowhammer exploits (GDDRHammer and GeForge) against NVIDIA Ampere‑generation GPUs (RTX 3060, RTX 6000, RTX A6000). By inducing bit‑flips in GDDR6 memory, the attackers can corrupt GPU page tables, gain arbitrary read/write of CPU memory, and obtain a root shell on the host. A later variant works even when IOMMU is enabled.
Why It Matters for TPRM —
- Enables full system compromise of any environment that relies on vulnerable NVIDIA GPUs (cloud, AI/ML, HPC, gaming, finance).
- Bypasses traditional isolation mechanisms; default BIOS settings leave IOMMU disabled, widening the attack surface.
- No public patches or CVE identifiers yet, creating an urgent need for risk mitigation before a vendor‑issued fix.
Who Is Affected — AI/ML platforms, cloud service providers, data‑center operators, financial‑services firms, research institutions, and any organization deploying NVIDIA Ampere GPUs.
Recommended Actions —
- Verify IOMMU is enabled in BIOS/UEFI on all systems using NVIDIA GPUs.
- Apply any firmware or microcode updates released by NVIDIA as soon as they become available.
- Conduct an inventory of GPU models in use; prioritize mitigation for Ampere‑generation cards.
- Review segmentation and least‑privilege controls around GPU workloads.
- Monitor vendor advisories and security mailing lists for patches or mitigations.
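The IOMMU and inventory checks above can be scripted per Linux host. The following is an added example, not code from the researchers or from NVIDIA; the function names and the optional ROOT argument are hypothetical, and it assumes the standard Linux sysfs layout. A pass confirms only the recommended configuration, since the brief notes a later variant works with IOMMU enabled.

```shell
#!/bin/sh
# Added example. Function names and the optional ROOT argument are
# hypothetical; ROOT defaults to /sys and exists so a test tree can be used.
# Usage: . ./gpu_iommu_audit.sh && audit_host

# Succeeds if the kernel has created at least one IOMMU group, which only
# happens when an IOMMU driver is active in the running kernel.
iommu_active() {
    for g in "${1:-/sys}"/kernel/iommu_groups/*; do
        [ -d "$g" ] && return 0
    done
    return 1
}

# Prints the PCI address of every NVIDIA (vendor 0x10de) display-class
# (0x03xxxx) device: the inventory step.
nvidia_gpus() {
    for d in "${1:-/sys}"/bus/pci/devices/*; do
        [ -r "$d/vendor" ] && [ -r "$d/class" ] || continue
        read -r vendor < "$d/vendor"
        read -r class < "$d/class"
        [ "$vendor" = "0x10de" ] || continue
        case $class in 0x03*) basename "$d" ;; esac
    done
}

# Succeeds if the given device has been placed in an IOMMU group.
gpu_isolated() {
    [ -e "${1:-/sys}/bus/pci/devices/$2/iommu_group" ]
}

# Reports each GPU with its PCI device ID (for matching against the asset
# inventory) and returns non-zero if any GPU lacks IOMMU coverage.
audit_host() {
    root=${1:-/sys}; rc=0
    gpus=$(nvidia_gpus "$root")
    [ -n "$gpus" ] || { echo "no NVIDIA GPU found"; return 0; }
    iommu_active "$root" || { echo "FAIL: no IOMMU groups present"; rc=1; }
    for addr in $gpus; do
        dev=$(cat "$root/bus/pci/devices/$addr/device" 2>/dev/null || echo unknown)
        if gpu_isolated "$root" "$addr"; then
            echo "OK   $addr device=$dev is in an IOMMU group"
        else
            echo "FAIL $addr device=$dev is not behind an IOMMU"; rc=1
        fi
    done
    return $rc
}
```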
Technical Notes — The attacks exploit the classic Rowhammer effect on GPU‑attached GDDR6 DRAM, flipping bits to corrupt last‑level page tables (GDDRHammer) or page directories (GeForge). No CVE has been assigned; the vulnerability resides in hardware memory‑access patterns and default IOMMU configuration.
Source: Schneier on Security