A team of researchers from the University of Toronto has devised a new technique, dubbed ‘GPUBreach,’ that leverages GPU memory vulnerabilities to escalate privileges and potentially compromise systems. The findings will be formally presented at the IEEE Symposium on Security & Privacy 2026 on April 13 in Oakland.
GPUBreach is based on the Rowhammer technique used against system RAM, and applies it to GPU GDDR6 memory. By inducing targeted bit flips, the researchers demonstrated that attackers can corrupt GPU page table entries (PTEs), granting arbitrary memory read and write access to an unprivileged CUDA kernel.
Once GPU memory access is achieved, attackers can exploit memory-safety flaws in drivers from NVIDIA to pivot to the CPU side, ultimately gaining full system control. The attack bypasses the Input-Output Memory Management Unit (IOMMU) protections, a hardware safeguard designed to prevent unauthorized direct memory access.
“GPUBreach shows that GPU Rowhammer attacks can move beyond data corruption to real privilege escalation,” the researchers explained. “By corrupting GPU page tables, an unprivileged CUDA kernel can gain arbitrary GPU memory read/write, and then chain that capability into CPU-side escalation by exploiting newly discovered memory-safety bugs in the NVIDIA driver. The result is system-wide compromise up to a root shell, without disabling IOMMU, unlike contemporary works, making GPUBreach a more potent threat.”
The same team previously introduced GPUHammer, the first demonstration that Rowhammer attacks are possible on GPUs. While GPUHammer could be mitigated by fixes like turning on error-correcting code (ECC), GPUBreach allows full privilege escalation without needing to disable IOMMU.
The researchers tested the attack on an NVIDIA RTX A6000, a high-performance GPU commonly used in artificial intelligence workloads. They disclosed their findings in November 2025 to NVIDIA, Google, AWS, and Microsoft, and other major players in the industry. Google acknowledged the report and awarded the team a $600 bug bounty.
NVIDIA said it may revise its July 2025 security advisory to address the new attack vectors.