GPUBreach exploit uses GPU memory bit-flips to achieve full system takeover


GPUBreach attack technique uses GPU memory bit-flips to escalate privileges and potentially take full control of a system.

New research shows that attacks like GPUBreach exploit RowHammer bit-flips in GPU memory (GDDR6) to go beyond data corruption. Attackers can use this technique to escalate privileges and, in some cases, gain full control of the system. Unlike earlier GPUHammer methods, this approach proves that GPU memory faults can directly impact CPU-level security, making the threat more serious.

“GPUBreach shows that GPU Rowhammer attacks can move beyond data corruption to real privilege escalation. By corrupting GPU page tables, an unprivileged CUDA kernel can gain arbitrary GPU memory read/write, and then chain that capability into CPU-side escalation by exploiting newly discovered memory-safety bugs in the NVIDIA driver.” reads the post published by the experts. “The result is system-wide compromise up to a root shell, without disabling IOMMU, unlike contemporary works, making GPUBreach a more potent threat.”

By targeting GPU page tables in memory, attackers can manipulate them through bit flips and gain full control over GPU memory.

Researchers overcame key challenges: locating the page tables, efficiently filling memory, and placing the page tables near vulnerable regions. This enables arbitrary read/write access, data theft (including cryptographic keys), and manipulation of ML models.

“Leakage of secret keys from NVIDIA cuPQC, a library used to accelerate post-quantum cryptography, when keys reside in GPU DRAM during operations such as key exchange.” continues the post. “By tampering with one branch in cuBLAS SASS in GPU memory, we universally drive accuracy down (for example from 80% accuracy to 0%), more stealthily than prior weight tampering attacks; we also showcase leakage of sensitive LLM weights.”

Critically, the attack can also escalate to CPU-level privileges, even with protections like input–output memory management unit (IOMMU) enabled, allowing attackers to gain root access and fully compromise the system.

GPUBreach, GDDRHammer, and GeForge all show that GPU Rowhammer can corrupt page tables and enable GPU-side privilege escalation. However, GPUBreach stands out because it also achieves CPU privilege escalation even with IOMMU enabled.

While GDDRHammer cannot reach CPU privilege escalation and GeForge requires disabling IOMMU, GPUBreach bypasses this protection by targeting bugs in the GPU driver. This allows attackers to gain root access without disabling key defenses, making it a more advanced and dangerous technique.

ECC can help mitigate Rowhammer by correcting single-bit errors and detecting double-bit flips, so enabling it on supported GPUs is recommended. However, it fails against multi-bit flips and may allow silent corruption. Consumer GPUs lack ECC, leaving them without effective protection.
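The ECC recommendation above can be checked per GPU from `nvidia-smi` output. The script below is an added example, not code from the researchers or from NVIDIA: it classifies each GPU as ECC enabled, ECC disabled, or ECC unavailable, and flags non-zero ECC error counters. The sample rows and GPU names are constructed, and treating `[N/A]` as "ECC not available" is an assumption about how unsupported fields are reported.

```shell
#!/bin/sh
# Added example: audit GPU ECC state from nvidia-smi CSV output.
# Query fields passed to `nvidia-smi --query-gpu=... --format=csv,noheader`.
ECC_QUERY="index,name,ecc.mode.current,ecc.errors.corrected.volatile.total,ecc.errors.uncorrected.volatile.total"

# Reads CSV rows on stdin, prints one finding per GPU.
classify_ecc() {
  awk -F',' '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    NF >= 5 {
      idx = trim($1); name = trim($2); mode = trim($3)
      corr = trim($4); uncorr = trim($5)
      if (mode == "Enabled") {
        # Uncorrected errors mean ECC detected a flip it could not repair.
        if (uncorr ~ /^[0-9]+$/ && uncorr + 0 > 0)
          status = "ALERT uncorrected ECC errors=" uncorr
        # Corrected errors are worth trending; a rise is a signal, not proof.
        else if (corr ~ /^[0-9]+$/ && corr + 0 > 0)
          status = "WARN corrected ECC errors=" corr
        else
          status = "OK ECC enabled"
      } else if (mode == "Disabled")
        status = "FAIL ECC supported but disabled"
      else
        status = "NOECC ECC not available"   # assumption: reported as [N/A]
      printf "GPU %s (%s): %s\n", idx, name, status
    }'
}

# Constructed sample rows (not captured from a real system).
sample_rows() {
  cat <<'EOF'
0, Constructed GPU A, Enabled, 0, 0
1, Constructed GPU A, Disabled, [N/A], [N/A]
2, Constructed GPU B, [N/A], [N/A], [N/A]
3, Constructed GPU A, Enabled, 12, 1
EOF
}

# Use live data when the tool is present, otherwise show the sample.
if command -v nvidia-smi >/dev/null 2>&1; then
  nvidia-smi --query-gpu="$ECC_QUERY" --format=csv,noheader | classify_ecc
else
  sample_rows | classify_ecc
fi
```

As the article notes, an `OK` result only narrows the exposure: ECC does not stop multi-bit flips.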

“ECC is not a foolproof mitigation against GPUBreach.” conclude the researchers. “On desktop or laptop GPUs, where ECC is currently unavailable, there are no known mitigations to our knowledge.”

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)