New RowHammer Attack Variant Degrades AI Models on NVIDIA GPUs

NVIDIA is advising customers to enable System-level Error Correction Codes (ECC) as a defense against a new variant of the RowHammer attack demonstrated against its GPUs. The company stated that the risk of exploitation varies depending on several factors. The attack, known as GPUHammer, is the first of its kind against NVIDIA GPUs and lets a malicious user tamper with data by inducing bit flips in GPU memory.

Researchers at the University of Toronto discovered that GPUHammer can significantly degrade the accuracy of AI models, from 80% to less than 1%. The vulnerability is comparable to Spectre and Meltdown on CPUs, with a key difference: RowHammer targets DRAM at the physical level, while Spectre exploits speculative execution in CPUs.

The implications of GPUHammer extend to AI infrastructure, potentially compromising AI models’ integrity and creating new security risks for cloud platforms. Shared GPU environments like cloud ML platforms could be vulnerable to GPUHammer attacks, affecting adjacent workloads and compromising model accuracy without direct access.

To mitigate the risk posed by GPUHammer, NVIDIA recommends enabling ECC through specific commands. Newer NVIDIA GPUs such as H100 or RTX 5090 are not affected due to their on-die ECC feature. However, enabling ECC can introduce some performance slowdown for machine learning inference workloads.
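The ECC recommendation above can be checked across a fleet. The script below is an added example, not NVIDIA's tooling or code from the original article: it classifies each GPU from the `ecc.mode.current` and `ecc.mode.pending` fields that `nvidia-smi` reports. The status labels, the exit-code policy and the sample rows are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: audit per-GPU ECC state. Expected input rows come from
#   nvidia-smi --query-gpu=index,name,ecc.mode.current,ecc.mode.pending \
#              --format=csv,noheader
# ECC is switched on with "nvidia-smi -e 1" and takes effect after a reboot.

# Constructed sample rows (not real output), used when nvidia-smi is absent.
SAMPLE='0, Example GPU A, Disabled, Disabled
1, Example GPU B, Disabled, Enabled
2, Example GPU C, Enabled, Enabled
3, Example GPU D, [N/A], [N/A]'

# Strip leading and trailing whitespace from $1.
trim() {
    t=$1
    t=${t#"${t%%[![:space:]]*}"}
    t=${t%"${t##*[![:space:]]}"}
    printf '%s' "$t"
}

# Read CSV rows on stdin and print "index|name|STATUS" for each GPU.
# Returns 1 if any GPU is running without ECC right now.
audit_ecc() {
    a_rc=0
    while IFS=, read -r a_idx a_name a_cur a_pend; do
        [ -n "$a_idx" ] || continue
        a_cur=$(trim "$a_cur"); a_pend=$(trim "$a_pend")
        case "$a_cur/$a_pend" in
            Enabled/Enabled)  a_st=ECC_ON ;;
            Enabled/Disabled) a_st=ECC_ON_DISABLE_PENDING ;;  # off after next reboot
            Disabled/Enabled) a_st=ECC_OFF_REBOOT_PENDING; a_rc=1 ;;
            Disabled/*)       a_st=ECC_OFF; a_rc=1 ;;
            *)                a_st=ECC_NOT_REPORTED ;;        # e.g. "[N/A]"
        esac
        printf '%s|%s|%s\n' "$(trim "$a_idx")" "$(trim "$a_name")" "$a_st"
    done
    return "$a_rc"
}

if command -v nvidia-smi >/dev/null 2>&1; then
    nvidia-smi --query-gpu=index,name,ecc.mode.current,ecc.mode.pending \
        --format=csv,noheader | audit_ecc || echo "ECC is off on at least one GPU"
else
    printf '%s\n' "$SAMPLE" | audit_ecc || echo "ECC is off on at least one GPU"
fi
```

A GPU in the `ECC_OFF_REBOOT_PENDING` state has been configured but is still unprotected until the host restarts, which is why it counts as a failure here.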

In a related development, researchers presented CrowHammer, a type of RowHammer attack that enables key recovery against the FALCON post-quantum signature scheme. This discovery highlights the regulatory risks posed by bit-flip attacks, especially in industries with strict compliance rules like healthcare, finance, and autonomous systems.

Organizations deploying GPU-intensive AI models must include GPU memory integrity in their security and audit scopes to ensure compliance with regulatory frameworks. The silent failure of AI due to bit-flip attacks could lead to violations of safety, explainability, and data integrity mandates.
