GPUBreach Attack Achieves Root Shell Access, System Compromise
Key Takeaways
- A new vulnerability, dubbed GPUBreach, allows attackers to achieve root shell access and complete system compromise.
- The attack leverages GPU Rowhammer techniques to corrupt GDDR6 memory page tables.
- GPUBreach uniquely bypasses IOMMU defenses, enabling CPU privilege escalation even in protected environments.
- The vulnerability impacts various computing domains, including AI workloads and cryptographic key security.
- Responsible disclosure was made to major vendors in November 2025, with ECC memory offering only partial protection.
A critical vulnerability, identified as GPUBreach, has been disclosed, enabling threat actors to gain full system control, including a root shell. This exploit significantly elevates the capabilities of GPU Rowhammer attacks, transforming them from localized data corruption methods into potent privilege escalation vectors.
Researchers from the University of Toronto are slated to present their findings at the IEEE Symposium on Security and Privacy. Their work demonstrates how GPUBreach moves beyond simply introducing random bit flips, which previously degraded machine learning models, to execute targeted bit manipulations within GDDR6 memory, specifically corrupting GPU page tables.
The attack meticulously manipulates Unified Virtual Memory (UVM) allocations to position page tables adjacent to vulnerable memory rows. Once a Rowhammer bit-flip successfully alters an entry in a page table, the attacker achieves arbitrary read and write access across the entire GPU memory architecture.
Bypassing IOMMU Defenses
One of the most concerning aspects of GPUBreach is its capacity to bridge the divide between the GPU and CPU without requiring the Input-Output Memory Management Unit (IOMMU) to be disabled. Conventional hardware security measures rely on the IOMMU to restrict Direct Memory Access (DMA), so that a device such as the GPU can reach only the host memory regions that have been mapped for it.
However, GPUBreach circumvents these protections by corrupting trusted metadata embedded within legitimate NVIDIA driver buffers. This manipulation triggers memory-safety flaws within the kernel driver, leading to out-of-bounds writes that ultimately grant the attacker a CPU root shell.
GPUBreach emerged concurrently with other research projects, GDDRHammer and GeForge. While all three studies successfully demonstrate GPU page-table corruption, GPUBreach distinguishes itself as a significantly more dangerous threat. GeForge, for instance, necessitates the complete disabling of IOMMU protection to access CPU memory, and GDDRHammer fails to achieve full CPU privilege escalation. By successfully exploiting the driver to bypass an active IOMMU, GPUBreach presents a highly realistic attack path against hardened production environments.
A demonstration video of the GPUBreach attack shows the exploit in action.
The researchers from the University of Toronto emphasize that the ramifications of a successful GPUBreach attack are profound across numerous computing domains. On the GPU side, attackers could launch cross-process attacks and exfiltrate sensitive post-quantum cryptographic keys from libraries such as NVIDIA cuPQC.
For artificial intelligence workloads, the attack has the potential to silently degrade machine learning model accuracy to zero or leak confidential weights from Large Language Models (LLMs). Crucially, the ability to spawn a root shell means the host system is entirely compromised. The research team responsibly disclosed their findings to NVIDIA, Google, AWS, and Microsoft in November 2025.
Google acknowledged the findings with a bug bounty, noting that enabling ECC memory on GPUs, such as the NVIDIA RTX A6000, can correct single-bit errors. However, ECC memory is not a foolproof defense against GPUBreach, as complex attack patterns inducing multiple bit flips can bypass ECC, leaving even protected systems vulnerable to silent data corruption and exploitation.
What You Should Do
- Review GPU driver versions and apply any available security updates from NVIDIA or other GPU vendors.
- Consider deploying GPUs with ECC memory where possible, understanding its limitations against advanced Rowhammer techniques.
- Implement robust host-based intrusion detection systems to monitor for unusual activity that might indicate a GPU-to-CPU privilege escalation.
- Exercise caution with untrusted workloads or applications running on systems with dedicated GPUs.
- Stay informed about further advisories and patches related to GPU vulnerabilities.
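The driver and ECC checks above can be scripted. The following is an added example, not code from the article or the researchers: it parses `nvidia-smi --query-gpu` CSV output and flags GPUs with ECC disabled, with any uncorrected errors, or with a burst of corrected errors. The sample rows, the placeholder driver version and the threshold of 10 are assumptions made for illustration.

```python
import csv
import io
import subprocess

# Real nvidia-smi --query-gpu field names; counters are "volatile" (since last driver load).
QUERY = ("index,name,driver_version,ecc.mode.current,"
         "ecc.errors.corrected.volatile.total,ecc.errors.uncorrected.volatile.total")

# Constructed sample output (not captured from a real host); driver version is a placeholder.
SAMPLE = """\
0, NVIDIA RTX A6000, 000.00.00, Enabled, 0, 0
1, NVIDIA RTX A6000, 000.00.00, Enabled, 37, 0
2, NVIDIA RTX A6000, 000.00.00, Disabled, [N/A], [N/A]
3, NVIDIA RTX A6000, 000.00.00, Enabled, 4, 2
"""

def parse_count(field):
    """Return the counter as int, or None for markers such as [N/A]."""
    return int(field) if field.isdigit() else None

def audit(csv_text, corrected_threshold=10):
    """Return (gpu_index, finding, detail) tuples; the threshold is an assumed value."""
    findings = []
    for row in csv.reader(io.StringIO(csv_text), skipinitialspace=True):
        if len(row) != 6:
            continue  # skip blank or malformed lines
        idx, name, driver, ecc_mode, corr, uncorr = (f.strip() for f in row)
        corr, uncorr = parse_count(corr), parse_count(uncorr)
        if ecc_mode != "Enabled":
            findings.append((idx, "ecc-off", f"{name} driver {driver}: ECC is {ecc_mode}"))
            continue  # no counters to inspect without ECC
        if uncorr:
            # Multi-bit errors are what ECC cannot repair, so any count matters.
            findings.append((idx, "uncorrectable", f"{name}: {uncorr} uncorrected errors"))
        if corr is not None and corr >= corrected_threshold:
            # Many corrected single-bit errors can indicate hammering or failing memory.
            findings.append((idx, "corrected-burst", f"{name}: {corr} corrected errors"))
    return findings

def live_output():
    """Run the same query on a host with the NVIDIA driver installed."""
    cmd = ["nvidia-smi", f"--query-gpu={QUERY}", "--format=csv,noheader,nounits"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    for gpu, finding, detail in audit(SAMPLE):
        print(f"GPU {gpu}: {finding}: {detail}")
```

On a real host, pass `live_output()` to `audit()` on a schedule and forward the findings to the host's alerting pipeline; the counters reset when the driver reloads, so compare against the previous reading rather than a fixed total where possible.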