GPUBreach Attack Could Lead to Full System Takeover and Root Shell Access

Researchers at the University of Toronto have uncovered a new vulnerability dubbed “GPUBreach,” which demonstrates that GPU-based Rowhammer attacks can now achieve complete system compromise.

Scheduled for presentation at the IEEE Symposium on Security & Privacy in 2026, the findings reveal how manipulating GPU memory can lead to a full CPU root shell.

Most alarmingly, this exploit successfully bypasses standard hardware protections, marking a significant escalation in hardware-based threats.

How the Attack Unfolds

Previously, GPU Rowhammer attacks primarily caused localized data corruption, such as slightly degrading the accuracy of machine learning models. GPUBreach elevates this threat by specifically targeting GPU page tables located within GDDR6 memory.

The researchers reverse-engineered the NVIDIA driver to understand how these page tables are allocated and stored alongside standard user data. To execute the attack, threat actors utilize a timing side channel on Unified Virtual Memory (UVM) allocations to detect memory evictions. This exposes exactly when and where a new page table region is created.

By strategically freeing and filling memory, attackers can force GPU page tables to land immediately adjacent to vulnerable memory rows. A targeted Rowhammer bit-flip then alters a page-table entry, granting an unprivileged CUDA kernel arbitrary read and write access across all GPU memory.

With complete control over the GPU’s memory space, an attacker can execute devastating cross-process attacks.

Research Validation

The research team validated GPUBreach on an NVIDIA RTX A6000 graphics card, confirming several critical security impacts:

  • Attackers can extract secret cryptographic keys directly from the NVIDIA cuPQC post-quantum library during active key exchanges.
  • Malicious actors can stealthily degrade an AI model’s accuracy from 80% to zero by modifying a single code branch.
  • Threat actors can steal highly sensitive Large Language Model (LLM) weights residing in GPU DRAM.
  • The exploit chains GPU memory access into a full CPU root shell by triggering newly uncovered memory-safety bugs in the NVIDIA kernel driver.

The most significant operational breakthrough of GPUBreach is its ability to function while the Input-Output Memory Management Unit (IOMMU) remains active. The IOMMU is a foundational enterprise security defense that restricts which physical CPU addresses a PCIe device can access. Unlike previous research, this exploit does not require disabling the IOMMU, making it more viable in real-world scenarios.

Instead of bypassing the hardware IOMMU directly, GPUBreach manipulates the software layer. The exploit commands the compromised GPU to write data into specific driver-owned memory buffers that the IOMMU explicitly allows. However, the attack heavily corrupts the metadata within those trusted buffers. When the highly privileged NVIDIA kernel driver processes this poisoned metadata on the CPU, it triggers out-of-bounds writes.

This cleverly allows the attacker to gain full operating system control without triggering standard hardware security alarms, providing a stealthy and effective method for system compromise.

Related Articles

Back to top button