History
2025: Information on the emergence of GPUHammer cyber attacks
In July 2025, researchers from the University of Toronto described a new type of RowHammer attack called GPUHammer, a modification of the known RowHammer vulnerability that makes it possible to violate the integrity of data in the memory of Nvidia GPUs, including models with GDDR6 memory such as the A6000. The attack allows an attacker with access to shared GPU infrastructure to manipulate other users' data by causing bit flips in the device's memory. The consequences turned out to be especially alarming: the researchers showed that a single bit flip can reduce the accuracy of a neural network's responses from 80% to less than 1%. In response, Nvidia urged users to enable system-level error correction (ECC) as one of the security measures.
GPUHammer was the first recorded implementation of a RowHammer attack aimed specifically at graphics cards (GPUs). Traditionally, RowHammer is associated with vulnerabilities in dynamic memory (DRAM), in which repeated access to certain rows of memory causes electrical interference and unintended changes in neighboring bits. Such attacks have long been known in the context of CPUs, where they could be used in conjunction with vulnerabilities such as Spectre and Meltdown. However, GPUHammer has shown that GPUs are also at risk despite the presence of technologies such as Target Row Refresh (TRR), which are designed to prevent such bit flips. The main problem is that GPUs are often not equipped with security mechanisms at a level comparable to CPUs, which makes them more vulnerable to low-level attacks.
In addition to affecting neural networks, the attack is especially dangerous for cloud environments in which several users share the resources of one GPU. An attacker in the same infrastructure can reduce the accuracy of the output of other users' models or damage cached parameters without having direct access to them. Such a scenario threatens not only commercial systems but also critical applications, including systems for autonomous control, fraud detection and medical diagnostics, where even minor distortions can lead to serious consequences. In this case, bit flips can go unnoticed, since they do not cause system failures or obvious execution errors.
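The following added example (not code from the researchers or from Nvidia) illustrates the two points above: a single flipped bit in the exponent of one FP16 weight changes a layer's output by orders of magnitude without raising any error, and a digest baseline recorded while the weights are known-good detects and localizes the change. The sample weights, the chunk size and all function names are constructed for illustration; the fault is simulated in a host-side byte buffer.

```python
import hashlib
import struct

CHUNK = 4  # weights per integrity chunk (constructed; real deployments use larger blocks)

def pack_fp16(weights):
    """Serialize weights as little-endian IEEE 754 half-precision values."""
    return bytearray(struct.pack(f"<{len(weights)}e", *weights))

def unpack_fp16(buf):
    return list(struct.unpack(f"<{len(buf) // 2}e", bytes(buf)))

def chunk_digests(buf, chunk=CHUNK):
    """SHA-256 over fixed-size groups of weights, so a mismatch localizes the damage."""
    step = chunk * 2  # 2 bytes per FP16 weight
    return [hashlib.sha256(bytes(buf[i:i + step])).hexdigest()
            for i in range(0, len(buf), step)]

def inject_fault(buf, weight_index, bit):
    """Simulate one memory bit fault in a weight (bit 0 = LSB, bit 14 = exponent MSB)."""
    buf[weight_index * 2 + bit // 8] ^= 1 << (bit % 8)

def corrupted_chunks(buf, baseline):
    """Indices of chunks whose current digest differs from the trusted baseline."""
    return [i for i, (now, ref) in enumerate(zip(chunk_digests(buf), baseline))
            if now != ref]

def layer_output(buf, inputs):
    """Dot product of the stored weights with an input vector (a one-neuron layer)."""
    return sum(w * x for w, x in zip(unpack_fp16(buf), inputs))

def demo():
    # Constructed sample weights, all exactly representable in FP16.
    weights = [0.5, -0.25, 0.125, 0.75, -0.5, 0.375, 0.0625, -0.125]
    inputs = [1.0] * len(weights)
    buf = pack_fp16(weights)
    baseline = chunk_digests(buf)  # recorded while the model is known-good
    clean = layer_output(buf, inputs)
    inject_fault(buf, weight_index=5, bit=14)
    # No exception and no crash: the computation just returns a wrong number.
    faulty = layer_output(buf, inputs)
    return clean, faulty, unpack_fp16(buf)[5], corrupted_chunks(buf, baseline)

if __name__ == "__main__":
    print(demo())
```

A check of this kind only detects corruption at the moments it is run; hardware ECC, which Nvidia recommends, corrects single-bit errors as memory is read.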
The researchers also reported the emergence of another variety of RowHammer attack called CrowHammer, which targets the FALCON digital signature scheme selected by the US National Institute of Standards and Technology (NIST) as a post-quantum cryptography standard. The authors of the study showed that, with the help of targeted bit flips, it is possible to recover the private signing key given access to several hundred million signatures. This once again emphasizes the growing danger of hardware attacks that can undermine not only the integrity of data but also cryptographic security mechanisms.
For organizations operating in regulated industries such as health care, finance and transport, the problem becomes not just technical but legal. Failures in AI systems caused by bit-flip attacks can lead to violations of standards such as ISO/IEC 27001 or the European Artificial Intelligence Act (EU AI Act), especially in aspects of data security, transparency and integrity. This requires a review of approaches to protecting GPU infrastructure and the inclusion of memory integrity checks in standard audit and cybersecurity protocols.
The SpecHammer technique was first described by researchers from the University of Michigan and the Georgia Institute of Technology in 2022. SpecHammer combines RowHammer and Spectre to launch speculative attacks. The essence of this approach is to launch a Spectre v1 attack using RowHammer bit flips to inject malicious values into the victim's devices.[1]

