New GPUBreach Attack Enables System-Wide Compromise Up to a Root Shell

A severe vulnerability, dubbed GPUBreach, that allows attackers to achieve a full system compromise, including a root shell.

Scheduled for presentation at the IEEE Symposium on Security and Privacy, researchers from the University of Toronto show that this exploit elevates GPU Rowhammer attacks from simple data corruption to critical privilege escalation.

Historically, GPU Rowhammer attacks were limited to degrading machine learning models by randomly flipping memory bits. GPUBreach advances this methodology by performing targeted bit flips in GDDR6 memory to corrupt GPU page tables.

By carefully manipulating Unified Virtual Memory (UVM) allocations, attackers can allocate page tables right next to vulnerable memory rows.

Once a Rowhammer bit-flip alters a page table entry, the attacker gains arbitrary read and write access across the entire GPU memory architecture.

Bypassing IOMMU Defenses

The most alarming aspect of GPUBreach is its ability to bridge the gap between the GPU and the CPU without requiring the Input-Output Memory Management Unit (IOMMU) to be disabled.

Standard hardware defenses rely on the IOMMU to restrict Direct Memory Access (DMA) and prevent unauthorized CPU access to memory. However, GPUBreach bypasses this by corrupting trusted metadata within the permitted NVIDIA driver buffers.

This manipulation triggers memory-safety bugs in the kernel driver, causing out-of-bounds writes that ultimately grant the attacker a CPU root shell.

GPUBreach emerged alongside concurrent research projects, GDDRHammer and GeForge. While all three studies successfully demonstrate GPU page-table corruption, GPUBreach stands out as a distinctly more potent threat.

GeForge requires the system’s IOMMU protection to be completely disabled to access CPU memory, and GDDRHammer fails to achieve full CPU privilege escalation.

By successfully exploiting the driver to bypass an active IOMMU, GPUBreach represents a highly realistic attack path against hardened production environments.

Researchers from the University of Toronto found that the consequences of a successful GPUBreach attack are severe across multiple computing domains.

On the GPU side, attackers can execute cross-process attacks and steal sensitive post-quantum cryptographic keys from libraries like NVIDIA cuPQC.

For artificial intelligence workloads, the attack can silently degrade machine learning accuracy to zero or leak confidential weights of Large Language Models (LLMs).

Most importantly, the ability to spawn a root shell means the entire host system is completely compromised. The research team responsibly disclosed the vulnerability to NVIDIA, Google, AWS, and Microsoft in November 2025.

Google awarded a bug bounty for the findings, noting that enabling ECC memory on GPUs like the NVIDIA RTX A6000 can correct single-bit errors.

It is not a foolproof defense against GPUBreach, as complex attack patterns causing multiple bit flips can bypass ECC, leaving even protected systems vulnerable to silent data corruption and exploitation.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.