GoKawiilLast year, we covered the first known Rowhammer attack on GPUs, dubbed "GPUHammer," which proved that VRAM is also susceptible to bit flips. At the time, our story focused on how GPUHammer can cripple an AI model's accuracy from 80% to just 0.1% in an RTX A6000 with a single bit flip. Since then, two new Rowhammer attacks have surfaced that can gain root access to the CPU through your GPU, potentially compromising your entire system (story via Ars Technica).
These attacks are called "GDDRHammer" and "GeForge," as listed on the gddr.fail website. They both work quite similarly and share an identical end goal. But first, it's important to understand what Rowhammer is. Back in 2014, it was discovered that by constantly accessing rows of memory, you can induce a bit flip on purpose on neighboring rows. Since bits are stored as electrical charge, "hammering" them causes electrical interference that can flip 0s into 1s, or vice versa.
When a bit flips, a bad actor suddenly has a window to access higher privileges in the memory, from where the CPU can be compromised. Rowhammer has always been associated with CPUs because it began on DDR3 RAM and has expanded to more system memory types like DDR5 or DDR4 with ECC. It was only in late 2025 that a GPU was compromised for the first time when researchers attacked GDDR6 VRAM in an RTX A6000. Now, GDDRHammer is taking things one step forward.
Article continues below
The concept of forcing a bit flip is the same, but the hammering is smarter now and significantly more effective. Researchers used a technique called "memory massaging" to orchestrate a more controlled attack, which allowed them to push 129 flips per memory bank. It's called massaging because the attack steers the target data structures into memory regions that aren't protected against electrical disturbance (by the GPU drivers).
This is done to break the GPU's page tables that point it to physical addresses on the VRAM. Think of it as an app accessing the memory for another app that it has no control over; you're fooling the GPU into breaking its own boundaries. Once the page tables are corrupted and memory isolation is compromised, you gain complete control over the VRAM, allowing both read and write access.
GeForge builds upon GDDRHammer but was discovered by a different research team, who went even further and targeted the GPU's page directory instead of page tables. The directory points to these tables, so by inducing bit flips in this data structure, you're compromising the VRAM on an even deeper level. Furthermore, GeForge works even when IOMMU is disabled in the BIOS (more on this later).
(Image credit: gddr.fail)
The team was able to induce 1,171 bit flips on an RTX 3060 and 202 bit flips on an RTX A6000. That obviously cripples the GPU's memory, but according to the research paper, it also means that "an attacker can modify the page table on the GPU to point to memory on the CPU, thereby giving the attacker the ability to read/write all of the CPU’s memory as well, which of course completely compromises the machine.”
Stay On the Cutting Edge: Get the Tom's Hardware Newsletter Get Tom's Hardware's best news and in-depth reviews, straight to your inbox. Contact me with news and offers from other Future brands Receive email from us on behalf of our trusted partners or sponsors
... continue reading