A new Rowhammer variant targets Nvidia GPU memory access patterns to flip bits in DRAM, giving attackers complete control of the host machine. Unlike previous Rowhammer attacks that focused on CPU memory access, this one exploits the high-bandwidth, repetitive memory patterns that GPU workloads naturally produce.
The attack surface is specifically shared infrastructure: cloud GPU instances, multi-tenant AI training environments, and any setup where multiple users share physical hardware with Nvidia GPUs. If you are running GPU workloads on shared cloud instances, this is not a theoretical concern. The researchers demonstrated full machine compromise.
What makes this particularly relevant to AI practitioners is the timing. GPU sharing is becoming more common as organisations try to reduce the cost of inference and training. Fractional GPU services, multi-tenant inference endpoints, and shared training clusters are all growing categories. Each one is a potential target for this attack vector.
The immediate action is straightforward: review your cloud provider’s response, check whether your Nvidia driver versions are affected, and assess whether your GPU workloads run on shared physical hardware. If you are running sensitive inference (healthcare, finance, security) on shared GPU instances, consider whether dedicated hardware is worth the cost premium until patches are validated.
This is a reminder that hardware-level vulnerabilities do not respect software isolation boundaries. The AI infrastructure stack has inherited all the security problems of traditional computing, plus new ones created by the specific memory access patterns of GPU workloads.