Researchers from the University of Toronto have introduced GPUBreach, a rowhammer attack targeting GDDR6-based NVIDIA GPUs that can bypass IOMMU and enable CPU-side privilege escalation. The attack stands apart from earlier GDDRHammer and GeForge techniques, which were largely mitigated by enabling IOMMU through the BIOS to limit the memory regions a GPU can access on the host system.
In typical server, workstation, and PC configurations, IOMMU restricts the GPU’s access to the CPU’s physical addresses and blocks the direct memory access patterns used in conventional DMA-based attacks. GPUBreach operates through a different path. Rather than relying on unrestricted access to host memory, it targets memory-safety bugs in the GPU driver, triggering them by corrupting data inside the buffers the driver has assigned to the GPU, while the GPU itself remains confined to those buffers.
When IOMMU limits direct memory access to permitted buffers, the exploit corrupts metadata within those buffers. This causes the driver, which runs with kernel privileges on the host CPU, to perform out-of-bounds writes beyond the buffer, effectively bypassing the protection IOMMU is designed to provide. Because this trust model is built into the kernel by default and the GPU driver is treated as one of the operating system’s most trusted components, corrupted metadata can turn the driver itself into the mechanism for the bypass.
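The defensive lesson of the paragraph above is that a driver must treat any metadata sitting in a GPU-reachable buffer as untrusted, whether the device wrote it or a rowhammer bit flip changed it. The following is an added illustration, not code from the GPUBreach paper or from any NVIDIA driver: a hypothetical shared region with a device-written descriptor (`offset`, `length`) and a completion handler that snapshots and re-validates that descriptor against the size the driver itself chose before touching memory. The struct layout, buffer size and function names are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example layout: the host driver allocates this region and maps
 * it for the device through the IOMMU. The device fills in the descriptor;
 * the driver later acts on it with kernel privileges, so the descriptor is
 * attacker-influenced input (by DMA or by a rowhammer-induced bit flip). */
#define SHARED_BUF_SIZE 4096u

struct dma_descriptor {
    uint32_t offset;   /* written by the device: start of the span in data[] */
    uint32_t length;   /* written by the device: bytes in the span */
};

struct shared_region {
    struct dma_descriptor desc;
    uint8_t data[SHARED_BUF_SIZE];
};

/* Returns 0 if [offset, offset+length) lies wholly inside data[], -1 otherwise.
 * The subtraction form avoids the 32-bit wraparound that an unchecked
 * "offset + length <= SIZE" comparison would miss. */
int validate_descriptor(const struct dma_descriptor *d)
{
    if (d->offset > SHARED_BUF_SIZE)
        return -1;
    if (d->length > SHARED_BUF_SIZE - d->offset)
        return -1;
    return 0;
}

/* Hardened completion handler. Copies the device-described span into a
 * driver-private scratch buffer. Returns the number of bytes copied, or -1
 * if the descriptor is rejected. The descriptor is copied out of the shared
 * region first so the device cannot change it between the check and the use. */
long handle_completion(const struct shared_region *region,
                       uint8_t *scratch, size_t scratch_len)
{
    struct dma_descriptor d = region->desc;   /* snapshot, not a live pointer */

    if (validate_descriptor(&d) != 0)
        return -1;                            /* outside the driver-chosen bounds */
    if (d.length > scratch_len)
        return -1;                            /* would overrun the private buffer */

    memcpy(scratch, region->data + d.offset, d.length);
    return (long)d.length;
}

int main(void)
{
    static struct shared_region region;       /* constructed sample region */
    uint8_t scratch[64];

    memset(&region, 0, sizeof region);
    region.desc.offset = 100;
    region.desc.length = 16;
    memcpy(region.data + 100, "hello", 5);
    printf("in-bounds descriptor: copied %ld bytes\n",
           handle_completion(&region, scratch, sizeof scratch));

    /* A flipped high bit in offset: naive addition would wrap and pass. */
    region.desc.offset = 0xFFFFFFF0u;
    region.desc.length = 0x20;
    printf("wrapping descriptor: result %ld\n",
           handle_completion(&region, scratch, sizeof scratch));
    return 0;
}
```

The two checks that matter are the overflow-safe bounds test and the snapshot copy of the descriptor; the first stops a corrupted descriptor from steering the driver's privileged write outside the buffer, the second stops a device from altering the descriptor after the driver has validated it.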
The result is more serious than that of earlier rowhammer attacks against these GPUs. GPUBreach grants an attacker full root privilege escalation, shifting the impact from memory corruption alone to direct compromise of the host CPU side. That makes the attack notable not just for bypassing IOMMU, but for exploiting the interaction between GPU memory behavior and privileged driver logic on the host.