This work presents the first systematic demonstration of the practical feasibility and security implications of Rowhammer vulnerabilities in GDDR6 GPU memory. Addressing key challenges—including unknown GPU physical address mapping, high GDDR latency, rapid refresh rates, and proprietary mitigation mechanisms—the authors propose a novel reverse-engineering methodology to reconstruct GDDR6 row-to-physical-address mapping and design a CUDA kernel–driven, GPU-specialized hammering technique enabling cross-bank controllable bit flips. Through optimized memory access patterns, precise timing control, and physical address probing, they successfully induce up to eight bit flips on an NVIDIA A6000 GPU. Critically, they empirically demonstrate that such flips can corrupt machine learning model parameters, degrading inference accuracy by up to 80%. This study fills a critical gap in GPU Rowhammer research and establishes foundational methodologies for GPU memory security assessment and defense.

Rowhammer is a read disturbance vulnerability in modern DRAM that causes bit-flips, compromising security and reliability. While extensively studied on Intel and AMD CPUs with DDR and LPDDR memories, its impact on GPUs using GDDR memories, critical for emerging machine learning applications, remains unexplored. Rowhammer attacks on GPUs face unique challenges: (1) proprietary mapping of physical memory to GDDR banks and rows, (2) high memory latency and faster refresh rates that hinder effective hammering, and (3) proprietary mitigations in GDDR memories, difficult to reverse-engineer without FPGA-based test platforms. We introduce GPUHammer, the first Rowhammer attack on NVIDIA GPUs with GDDR6 DRAM. GPUHammer proposes novel techniques to reverse-engineer GDDR DRAM row mappings, and employs GPU-specific memory access optimizations to amplify hammering intensity and bypass mitigations. Thus, we demonstrate the first successful Rowhammer attack on a discrete GPU, injecting up to 8 bit-flips across 4 DRAM banks on an NVIDIA A6000 with GDDR6 memory. We also show how an attacker can use these to tamper with ML models, causing significant accuracy drops (up to 80%).