AI for Automation
2026-04-04

Nvidia GPU Rowhammer Attack: Full Root Access, No Patch

3 new Rowhammer attacks grant full root control of shared Nvidia GPU servers in the cloud. $8,000+ H100/A100 cards at risk — no patch available yet.


Three newly demonstrated Rowhammer attacks on Nvidia GPUs can give any malicious cloud tenant full root control of an entire shared server — and right now, there is no patch available. For enterprises renting shared GPU instances to run AI workloads, this changes the threat model overnight.

The $8,000 Nvidia GPU a Stranger Can Now Fully Control

High-end Nvidia GPUs — cards like the H100 and A100 used in data centers — cost $8,000 or more each. Because of that price tag, cloud providers routinely share the same physical GPU card among dozens of different customers simultaneously, slicing compute time between tenants the same way traditional servers divide CPU time.

That sharing model just became a major liability. Researchers have demonstrated three new Rowhammer attack techniques that allow a low-privileged user — someone who has merely rented a slice of a shared GPU instance — to escalate their permissions all the way to root (root = complete administrative control over the entire host machine, not just their own assigned slice). From that position, they can access every other tenant's data, models, and credentials on the same physical server.

The attack family is called Rowhammer. Understanding how it works explains exactly why shared GPU environments are suddenly so exposed.

A Decade-Old Hardware Exploit, Now Targeting Nvidia GPUs

Rowhammer (named after the physical "hammering" motion the attack uses on memory chips) was first publicly demonstrated in 2014. Here is the core mechanic in plain English:

Modern DRAM (dynamic random-access memory — the standard RAM chip inside virtually every computer) stores data as tiny electrical charges inside millions of microscopic capacitors (think: miniature rechargeable batteries, one per memory bit). When you hammer — rapidly and repeatedly read — one row of memory cells, the electrical activity leaks into neighboring rows and causes accidental charge loss. The result: 0s flip to 1s and 1s flip to 0s in memory you are not supposed to be touching. Those accidental changes are called bit flips.

Rowhammer attack diagram showing bit flips in DRAM memory rows adjacent to hammered rows on Nvidia GPU hardware

The 10-year evolution of Rowhammer looks like this:

  • 2014: First public demo — researchers showed it was physically possible to flip bits in adjacent DRAM rows on real hardware
  • 2015: Researchers weaponized bit flips to escalate an unprivileged user to root or escape a sandbox (sandbox = an isolated zone meant to keep untrusted code contained), targeting DDR3 memory
  • 2015–2025: Dozens of new Rowhammer variants emerged, each adapting to DDR4, LPDDR4X, and other memory generations — over 10 years of continuous evolution
  • 2026: The same attack class demonstrated for the first time against high-performance Nvidia GPU memory architectures

That progression is not a coincidence. Rowhammer is not a single bug — it is a category of hardware vulnerability that keeps evolving as memory technology changes. Researchers now believe GPU memory is just as susceptible as CPU-side DRAM.

Three Rowhammer Attacks, One Outcome: Full Root on the Host Machine

The research team demonstrated three distinct techniques, each exploiting a slightly different aspect of how Nvidia GPU memory is organized and timed. Full technical details have not yet been publicly disclosed, but the end result is consistent across all three methods.

A tenant with basic access to a shared Nvidia GPU instance uses one of these techniques to trigger targeted bit flips in memory outside their permitted zone. By flipping the right bits — specifically within page tables (page tables = the memory maps that tell the operating system which user owns which chunk of RAM) or security data structures — they can silently rewrite their own permission level from "regular tenant" to "root administrator."
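An added illustration of the page-table point above (not code from the researchers or from Nvidia): it classifies every single-bit flip of one page-table entry by what the flip changes, which shows why the integrity of page-table memory carries the whole isolation guarantee. It assumes the x86-64 4 KiB entry layout as a familiar stand-in, since the GPU formats have not been published; the sample entry is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: x86-64 4 KiB page-table entry layout, used as a familiar
   stand-in. The GPU page-table formats in the research are not public. */
#define PTE_PRESENT (1ULL << 0)   /* mapping is valid */
#define PTE_WRITE   (1ULL << 1)   /* writes allowed */
#define PTE_USER    (1ULL << 2)   /* unprivileged access allowed */
#define PTE_NX      (1ULL << 63)  /* instruction fetch forbidden */
#define PTE_FRAME   0x000FFFFFFFFFF000ULL /* bits 12..51: physical frame */

/* Constructed sample: supervisor-only, read-only, non-executable page. */
#define SAMPLE_PTE  (PTE_NX | 0x12345000ULL | PTE_PRESENT)

enum impact { IMPACT_OTHER, IMPACT_NARROWS, IMPACT_WIDENS, IMPACT_REMAP };

/* Classify how flipping one bit changes what the entry grants. */
enum impact classify_flip(uint64_t pte, int bit)
{
    uint64_t mask = 1ULL << bit;
    int now_set = !(pte & mask);  /* value of the bit after the flip */

    if (mask & PTE_FRAME)
        return IMPACT_REMAP;      /* entry points at a different frame */
    if (mask & (PTE_PRESENT | PTE_WRITE | PTE_USER))
        return now_set ? IMPACT_WIDENS : IMPACT_NARROWS;
    if (mask & PTE_NX)            /* NX is inverted: clearing it grants */
        return now_set ? IMPACT_NARROWS : IMPACT_WIDENS;
    return IMPACT_OTHER;          /* cache, status or software bits */
}

/* Physical frame the entry refers to after one bit has flipped. */
uint64_t frame_after_flip(uint64_t pte, int bit)
{
    return (pte ^ (1ULL << bit)) & PTE_FRAME;
}

/* Count the single-bit flips of one entry that fall in a category. */
int count_impact(uint64_t pte, enum impact kind)
{
    int n = 0;
    for (int bit = 0; bit < 64; bit++)
        n += classify_flip(pte, bit) == kind;
    return n;
}

int main(void)
{
    printf("widens=%d narrows=%d remap=%d other=%d\n",
           count_impact(SAMPLE_PTE, IMPACT_WIDENS),
           count_impact(SAMPLE_PTE, IMPACT_NARROWS),
           count_impact(SAMPLE_PTE, IMPACT_REMAP),
           count_impact(SAMPLE_PTE, IMPACT_OTHER));
    printf("bit 20 flip: frame %#llx -> %#llx\n",
           (unsigned long long)(SAMPLE_PTE & PTE_FRAME),
           (unsigned long long)frame_after_flip(SAMPLE_PTE, 20));
    return 0;
}
```

For this sample entry, 44 of the 64 possible single-bit flips change either which physical memory the entry refers to or what access it grants, with no software write ever touching the entry.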

Once at root, an attacker controls everything the GPU host machine can reach:

  • All other tenants' proprietary model weights and training datasets
  • API keys (API keys = authentication tokens that act as passwords for external cloud services) and credentials held in GPU or host memory
  • Raw compute — the GPU can be hijacked for cryptomining or used as a launchpad for further attacks on other infrastructure
  • All network traffic routing through the host server
  • The hypervisor layer (hypervisor = the software that manages and isolates all tenant virtual machines on the physical server)

This is a fundamentally different threat from a typical software vulnerability. Rowhammer operates at the hardware level — below the operating system, below the hypervisor, below any software-based security control you can deploy. You cannot patch the physics of DRAM.

Nvidia A100 SXM4 80GB GPU accelerator — now confirmed vulnerable to Rowhammer hardware attacks in shared cloud environments

Cloud GPU Security for AI Workloads Just Changed Permanently

Until now, Rowhammer was treated as a CPU-side problem. GPU memory — GDDR6 and HBM2e (HBM = High Bandwidth Memory, ultra-fast RAM physically stacked directly on top of high-end GPU chips) — was architecturally different enough that it was widely assumed to fall outside Rowhammer's reach. That assumption is now gone.

The timing is particularly damaging. Enterprise demand for Nvidia GPU cloud instances has exploded alongside the AI automation boom. Companies fine-tune large language models (large language models = AI systems trained on massive text datasets, such as GPT-4 or Claude), run inference workloads, and store proprietary training data on shared GPU instances — all under the assumption that tenant isolation (tenant isolation = the security guarantee that one customer cannot access another customer's data or compute) is solid.

These three attacks break that guarantee at the hardware level. No patch has been publicly announced by Nvidia. No CVE identifiers (CVE = standardized vulnerability tracking numbers assigned by the global security community) have been published for these GPU-specific Rowhammer variants as of writing. Cloud providers running shared Nvidia GPU infrastructure — AWS, Google Cloud, Azure, and dozens of GPU-specialized providers — will need to evaluate their exposure independently.

What to Do Right Now if You Use Cloud GPUs for AI Automation

  • Audit shared instances immediately — if your GPU instance is multi-tenant, treat it as insufficiently isolated until Nvidia or your cloud provider issues a formal response
  • Request dedicated instances for any workload involving proprietary model weights, personal user data, or financial credentials (dedicated instance = a physical GPU card reserved exclusively for your organization, not shared with other customers)
  • Watch Nvidia's security bulletins at nvidia.com/security — official patch guidance will appear there first
  • Ask your cloud provider directly how they isolate GPU tenants and what hardware-level mitigations they plan to deploy
  • Follow the research disclosure — the full technical writeup will clarify which specific GPU models and memory configurations carry the highest risk

The era when shared GPU infrastructure could be treated like shared CPU infrastructure — with software isolation assumed to be "good enough" — is over. If you handle sensitive data on cloud GPUs, dedicated hardware is the only reliable mitigation available right now. Our cloud AI security setup guides walk through how to evaluate your options without needing a security engineering background. Start there today — before the next tenant on your shared GPU decides to look around.
