Cloud platforms face new threat as GPUHammer targets shared NVIDIA GPUs

Cloud platforms are confronting a new security threat as researchers unveil GPUHammer, a RowHammer attack variant that targets shared NVIDIA GPUs. This exploit allows malicious users to induce bit flips in GPU memory, threatening the integrity of AI models and data.

For the first time, RowHammer-style attacks have been demonstrated against NVIDIA GPUs, such as the A6000 with GDDR6 memory. In multi-tenant cloud environments, attackers can tamper with other users’ data by running specially crafted GPU workloads that trigger memory corruption.

How does GPUHammer threaten shared cloud GPUs?

GPUHammer exploits physical vulnerabilities in DRAM, causing bit flips in memory cells through repeated access patterns. In cloud settings where multiple users share the same GPU, this means one tenant could sabotage another’s AI models or data without direct access to their files.

The risk is heightened when system-level Error Correction Codes (ECC) are disabled, which is sometimes allowed for performance reasons on major platforms like AWS and GCP.

Did you know?
A single GPUHammer-induced bit flip on an NVIDIA A6000 GPU can degrade an AI model’s accuracy from 80% to below 1%, potentially sabotaging critical workloads.

What makes AI models especially vulnerable to GPUHammer?

Researchers found that a single targeted bit flip can degrade an AI model’s accuracy from 80% to less than 1%. This makes GPUHammer a potent weapon for sabotaging deep learning tasks, especially in shared or serverless GPU environments where data from different users can reside close together in memory.

ALSO READ | CISA’s Emergency Alert: Critical Citrix Flaw Lets Attackers Bypass Security in Minutes

Can ECC and other mitigations protect cloud users?

NVIDIA recommends enabling system-level ECC to defend against GPUHammer, as it can detect and correct single-bit errors. However, enabling ECC can reduce GPU performance by up to 10% and decrease available memory, making it a trade-off for cloud providers and users.

Newer NVIDIA GPUs, such as the H100 and RTX 5090, feature on-die ECC that is always active, but many widely used data center models remain exposed if ECC is disabled. Attackers can still exploit these vulnerabilities in environments without ECC enforcement.

What are the broader implications for cloud AI security?

GPUHammer’s emergence highlights the growing attack surface in multi-tenant cloud platforms. As more organizations rely on shared GPUs for AI, the risk of targeted model sabotage and data corruption rises, demanding urgent attention to hardware-level defenses and best practices.

Cloud providers now face mounting pressure to enable ECC by default and review their security postures. The incident heralds a new era of hardware attacks that could fundamentally alter the global security of cloud AI workloads.