The security community has long known Rowhammer as a dangerous class of hardware attacks targeting CPU-attached DDR memory. Now, researchers from the University of Toronto document that similar techniques work against GDDR6 memory in Nvidia GPUs – with potentially serious consequences for data centers and cloud platforms worldwide.
Two Attack Methods – One Common Threat
The two new attack variants are called GDDRHammer (also referred to as GPUHammer) and GeForge. Both methods manipulate GPU memory in a way that ultimately compromises the CPU and the entire host machine, according to Ars Technica.
The Rowhammer principle is well-known: by hammering repeated read or write operations against specific memory cells in DRAM, electrical interference can cause so-called bit-flips in neighboring cells – where a stored 0 suddenly becomes a 1, or vice versa. Although this has theoretically been known for CPU memory for many years, it has now been practically demonstrated against GDDR6 in GPUs.
The researchers performed the attack on an Nvidia RTX A6000 (48 GB GDDR6) without activated ECC protection, observing up to eight separate bit-flips distributed across four DRAM banks. The minimum number of activations to trigger a flip was approximately 12,000, according to the research documentation.
A single bit-flip can degrade an AI model's accuracy from 80% to under one percent.
Consequences: From Data Corruption to Privilege Escalation
For AI and machine learning workloads, the consequences are potentially dramatic. According to the research material, one bit-flip can be enough to collapse the performance of a trained model – which in practical attack scenarios could mean sabotage of critical inference systems.
Beyond model corruption, successful attacks can result in:
- Denial-of-service against GPU-accelerated workloads
- Data loss and corruption in sensitive computations
- Privilege escalation, which in the worst case gives the attacker full control over the host machine
Nvidia Recommends ECC – But It Comes at a Performance Cost
Nvidia's primary recommendation is clear: activate System-Level Error-Correcting Code (ECC) on affected products. ECC adds redundant bits to memory operations and automatically corrects single-bit errors before they can cause damage.
ECC can be activated via the command-line tool nvidia-smi, or managed out-of-band through BMC and Redfish API for server installations.
Newer architectures like the Blackwell RTX 50-series and certain Hopper-based data center graphics cards come with built-in on-die ECC and require no user settings. For older generations – including Volta (V100), Turing, Ampere, and Ada – ECC must be activated manually.
Experts: Not Easy to Exploit, But Real
Johannes Ullrich at the SANS Institute emphasizes that Rowhammer attacks are not trivial to execute, and that they will most likely occur in "highly targeted attacks" rather than widely exploited exploits. He nevertheless points out that any system using modern DDR memory is technically potentially vulnerable to Rowhammer, and that responsibility in cloud environments typically rests with cloud providers.
This means that the attack surface, although narrow, is real – and that the data center and cloud level are where the threat hits hardest.
What Should System Administrators Do?
For organizations operating Nvidia GPUs in data centers or workstations, the following should be considered immediately:
nvidia-smi or via BMC/Redfish APINvidia confirms that they have addressed the issue and points to ECC as a sufficient countermeasure for affected products.