Overview
- University of Toronto researchers detailed GPUBreach on Tuesday, describing a GPU memory attack that escalates from unprivileged CUDA code to a root shell without disabling IOMMU.
- GPUBreach flips bits in GDDR6 to corrupt GPU page tables, which grants arbitrary GPU memory read and write to the attacker’s kernel code.
- After seizing GPU memory control, the exploit targets newly identified memory-safety bugs in the NVIDIA kernel driver to gain an arbitrary kernel write and then spawn a root shell.
- The team demonstrated the attack on an NVIDIA RTX A6000 used for AI training, warned that multi-tenant cloud GPUs face higher risk, and noted that attackers only need permission to run code on the GPU.
- Full technical details and a reproduction package will be released April 13 at IEEE S&P in Oakland, following a November 11, 2025 disclosure to NVIDIA, Google, AWS, and Microsoft, with Google paying a $600 bounty; related works GDDRHammer and GeForge use similar page-table corruption, though GeForge needs IOMMU disabled.