
GPU Vulnerability Exposes AI Models to Hardware-Level Attacks, Researchers Warn

A team of researchers from the University of Toronto has uncovered a critical hardware vulnerability in graphics processing units (GPUs) that could compromise the integrity of artificial intelligence models. The discovery centers on a modified version of the well-known Rowhammer attack, which traditionally targeted central processing unit (CPU) memory but has now been proven effective against GPUs using GDDR6 memory, a type of high-speed memory commonly found in professional graphics cards like NVIDIA’s RTX A6000.

The attack, dubbed GPUHammer, exploits the physical properties of GDDR6 memory by rapidly accessing adjacent memory rows, causing unintended bit flips due to electrical interference. These bit flips can alter the internal weights of AI models, leading to drastic drops in accuracy. In experiments, a single bit flip in a model’s weight, specifically in the exponent portion, caused performance to plummet from 80% accuracy to just 0.1%, a phenomenon described by lead researcher Gururaj Saileshwar as “catastrophic brain damage” for AI systems.

Such vulnerabilities pose serious risks for AI applications in sensitive domains like medical diagnostics, financial fraud detection, and cybersecurity, where model reliability is crucial. The attack is particularly dangerous in cloud computing environments, where multiple users share the same GPU. An attacker could exploit this shared access to corrupt another user’s AI workloads without direct access to their data.

Unlike CPUs, GPUs present unique challenges for such attacks due to faster memory refresh rates, higher latency, and the fact that GDDR memory chips are soldered directly onto the GPU board, making direct inspection impossible. The researchers, led by Saileshwar and including Ph.D. student Chris (Shaopeng) Lin and undergraduate Joyce Qu, had to rely solely on observing the outcome of their attacks: bit flips. They overcame these hurdles by leveraging the GPU’s parallel processing power to optimize their hammering patterns, eventually achieving success after numerous failed attempts.

The team’s findings were accepted for presentation at the USENIX Security Symposium 2025. They responsibly disclosed the vulnerability to NVIDIA earlier this year, prompting the company to issue a security notice in July. NVIDIA recommends enabling Error Correction Code (ECC) memory as a defense, but the researchers warn that this protection comes at a cost: it slows down machine learning tasks by up to 10%. They also caution that future attacks involving multiple bit flips could potentially bypass ECC entirely.

The discovery highlights a growing concern: as AI workloads become increasingly dependent on GPUs, hardware-level security must be taken seriously. Saileshwar emphasizes that this is just the beginning of what could be a broader wave of vulnerabilities in GPU architecture. He stresses the urgency of proactive research to identify and mitigate such threats before they are exploited in real-world attacks.
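To make concrete why one flipped bit in the exponent field is so much worse than one in the mantissa, the following Python example (added here for illustration; it is not code from the University of Toronto team or from NVIDIA, and it does not perform any memory hammering) corrupts a single bit of a float32 weight in a toy linear classifier and reports how the weight, the prediction, and a SHA-256 integrity digest of the weight array change. The weights, features, and the choice of which bit to flip are constructed sample values; the digest check illustrates one software-side mitigation a defender can layer on top of ECC, namely comparing a digest of model weights taken at load time against a later recomputation to detect silent corruption.

```python
import hashlib
import struct
from typing import Dict, List, Sequence

# IEEE-754 single precision layout: bit 31 = sign, bits 30..23 = exponent, bits 22..0 = mantissa.
SIGN_BIT = 31
EXPONENT_BITS = range(23, 31)

# Constructed sample model: a four-feature linear classifier whose weights are all exactly
# representable in float32, so packing to float32 introduces no rounding of its own.
SAMPLE_WEIGHTS: List[float] = [0.5, -0.25, 0.75, -0.125]
SAMPLE_FEATURES: List[float] = [1.0, 1.0, 1.0, 1.0]


def to_float32_bits(value: float) -> int:
    """Return the 32-bit integer pattern of `value` encoded as float32."""
    return struct.unpack("<I", struct.pack("<f", value))[0]


def from_float32_bits(bits: int) -> float:
    """Decode a 32-bit integer pattern back into a Python float."""
    return struct.unpack("<f", struct.pack("<I", bits & 0xFFFFFFFF))[0]


def flip_bit_float32(value: float, bit_index: int) -> float:
    """Return `value` with exactly one bit of its float32 encoding inverted.

    This models the *effect* of a single Rowhammer-induced bit flip on a stored weight;
    it does nothing to physical memory.
    """
    if not 0 <= bit_index <= 31:
        raise ValueError("bit_index must be in 0..31")
    return from_float32_bits(to_float32_bits(value) ^ (1 << bit_index))


def field_of(bit_index: int) -> str:
    """Name the float32 field a given bit position belongs to."""
    if bit_index == SIGN_BIT:
        return "sign"
    if bit_index in EXPONENT_BITS:
        return "exponent"
    return "mantissa"


def weights_digest(weights: Sequence[float]) -> str:
    """SHA-256 over the float32 byte image of the weights.

    A reference digest recorded when the model is loaded lets a defender detect any later
    silent corruption of the weight array by recomputing and comparing.
    """
    return hashlib.sha256(struct.pack(f"<{len(weights)}f", *weights)).hexdigest()


def predict(weights: Sequence[float], features: Sequence[float]) -> int:
    """Toy linear classifier: class 1 if the weighted sum is positive, otherwise class 0."""
    score = sum(w * x for w, x in zip(weights, features))
    return 1 if score > 0 else 0


def simulate_flip(weights: Sequence[float], features: Sequence[float],
                  weight_index: int, bit_index: int) -> Dict[str, object]:
    """Corrupt one bit of one weight and report what changed, including whether the
    integrity digest still matches the reference taken before corruption."""
    reference_digest = weights_digest(weights)
    corrupted = list(weights)
    corrupted[weight_index] = flip_bit_float32(weights[weight_index], bit_index)
    return {
        "field": field_of(bit_index),
        "original_weight": weights[weight_index],
        "corrupted_weight": corrupted[weight_index],
        "prediction_before": predict(weights, features),
        "prediction_after": predict(corrupted, features),
        "integrity_check_passed": weights_digest(corrupted) == reference_digest,
    }


if __name__ == "__main__":
    # Flip the top exponent bit (bit 30) of weight 1: -0.25 becomes -2**126 and the class flips.
    print(simulate_flip(SAMPLE_WEIGHTS, SAMPLE_FEATURES, weight_index=1, bit_index=30))
    # Flip the lowest mantissa bit (bit 0) of the same weight: change is ~6e-8, class unchanged.
    print(simulate_flip(SAMPLE_WEIGHTS, SAMPLE_FEATURES, weight_index=1, bit_index=0))
```

Running the block shows the asymmetry the article describes: an exponent-bit flip turns a weight of -0.25 into roughly -8.5e37 and inverts the prediction, while a low mantissa-bit flip perturbs the same weight by about 6e-8 and leaves the prediction untouched. In both cases the digest comparison fails, which is why a periodic weight-integrity check catches corruption that ECC, per the researchers' multi-bit caveat, might not.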
