Three researchers just went from shared GPU tenant to root on the host machine. The attack exploits hardware flaws in Nvidia GPU memory. There’s no software patch. And Nvidia, AWS, Azure, and Google Cloud have said absolutely nothing.

The attacks are called GDDRHammer, GeForge, and GPUBreach. They all force bit flips in GDDR memory on Nvidia GPUs, then use those flips to bypass page table isolation and escalate privileges. Share a cloud GPU with a malicious user? They can own the entire host.

Important detail: GDDRHammer and GeForge need IOMMU disabled (which is the default in most BIOS settings). GPUBreach works even with IOMMU on by exploiting memory-safety bugs in Nvidia’s driver. That makes GPUBreach the real-world threat.
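For anyone running their own GPU hosts, the IOMMU condition above can be checked per device on Linux. The shell function below is an added example, not code from the researchers or Nvidia; it assumes the standard sysfs layout, and `check_gpu_iommu` and its optional sysfs-root argument are illustrative names.

```shell
# Added example: report the IOMMU status of each NVIDIA GPU from Linux sysfs.
# Output: one line per GPU, "<pci-address> <status>".
# Return: 0 = every GPU has translated DMA, 1 = at least one does not,
#         2 = no NVIDIA GPU found.
check_gpu_iommu() {
    local sysfs="${1:-/sys}" dev addr group dtype found=0 exposed=0
    for dev in "$sysfs"/bus/pci/devices/*; do
        [ -r "$dev/vendor" ] || continue
        # 0x10de is NVIDIA's PCI vendor ID. Class 0x03xxxx is a display
        # controller, which skips the GPU's HDMI audio function.
        [ "$(cat "$dev/vendor")" = "0x10de" ] || continue
        case "$(cat "$dev/class" 2>/dev/null || true)" in
            0x03*) ;;
            *) continue ;;
        esac
        found=1
        addr=$(basename "$dev")
        if [ ! -e "$dev/iommu_group" ]; then
            # No group link: the kernel is not running this device behind an IOMMU.
            echo "$addr NO-IOMMU"
            exposed=1
            continue
        fi
        group=$(readlink -f "$dev/iommu_group")
        # The group's "type" attribute exists on kernel 5.11 and later.
        # "identity" means DMA is passed through untranslated.
        dtype=$(cat "$group/type" 2>/dev/null || echo unknown)
        echo "$addr group=$(basename "$group") type=$dtype"
        # Counting passthrough as unprotected is this example's choice.
        if [ "$dtype" = "identity" ]; then exposed=1; fi
    done
    [ "$found" -eq 1 ] || return 2
    return "$exposed"
}
# Usage on a live host: check_gpu_iommu   (defaults to /sys)
```

A clean result only covers the IOMMU precondition of GDDRHammer and GeForge; as noted above, GPUBreach works with IOMMU on.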

The demos ran on Ampere architecture GPUs, including the RTX A6000. That’s the card sitting in AWS P-series, Azure NC-series, and GCP A2 instances. The newer Ada generation (RTX 6000) wasn’t affected because it uses different GDDR that the researchers didn’t reverse-engineer. Cold comfort if you’re on Ampere hardware. Which most cloud GPU instances are.

The whole cloud GPU market exists because of AI. Companies rent shared GPU time to train models and run inference. The entire business model depends on tenant isolation actually working. These attacks say it doesn’t.

All three are Rowhammer-style attacks, and Rowhammer is a hardware problem. The bit flips happen in physical memory cells. No driver update or firmware patch can fix it. Software mitigations might narrow the attack surface, but nobody’s shipping any because nobody’s acknowledged the research.

If you run sensitive workloads on shared cloud GPUs, talk to your provider. Ask about GPU memory isolation guarantees. Ask if they’ve evaluated these attacks. For anything involving proprietary data or regulated information, dedicated GPU instances are the safe play until there’s clarity.

Three novel attacks against hardware every major cloud provider uses. A path from tenant to root. No fix. Total silence. That’s not reassuring.


Why your cloud GPU isolation might be an illusion