The team behind GPUBreach received a Distinguished Paper Award at the IEEE Symposium on Security & Privacy 2026. From left to right: conference program co-chair Nicolas Papernot, Gururaj Saileshwar, Yuqin Yan, Guozhen Ding, David Lie and conference program co-chair Cristina Nita-Rotaru. (Supplied photo)
University of Toronto computer scientists have discovered a vulnerability in the memory used in graphics processing units (GPUs) that can allow attackers to take complete control of a computer system.
GPUs are the engines of modern artificial intelligence (AI)—the same chips that render video games also train and run large language models like ChatGPT and other tools reshaping business and science. As organizations race to deploy AI, GPUs have become a critical part of modern computing infrastructure, making their security increasingly important.
The proof-of-concept exploit, called GPUBreach, corrupts the GPU's page tables, its internal records of where data is stored. Once those records have been falsified, the attacker can read and modify anything held in the GPU's memory. The attack then extends the intrusion outward into the rest of the machine by exploiting additional weaknesses in the GPU drivers, ultimately giving hackers full control of the host computer.
The technique behind the attack, known as Rowhammer, exploits a quirk of modern memory chips: repeatedly accessing certain memory cells causes electrical interference that can flip bits in neighbouring cells, even cells the attacker has no permission to touch. The team's previous paper, GPUHammer, first showed the technique was possible on NVIDIA GPUs.
The GPUBreach attack works even when a piece of safeguarding hardware is switched on. Built into mainstream computers for more than a decade and recommended by NVIDIA, AMD and Microsoft, the Input-Output Memory Management Unit (IOMMU) is the standard defence against this kind of cross-component break-in. GPUBreach circumvents it by exploiting a previously unknown flaw in the trusted GPU software stack—specifically the GPU drivers running inside the computer’s operating system that manage communication with the GPU.
As a result, the attack can achieve administrator-level access to the entire machine, allowing attackers to steal sensitive data, or tamper with files and compromise other applications on the system, including the AI models running on the GPU itself.
“GPUBreach is a reminder that GPUs are no longer just performance accelerators,” said Gururaj Saileshwar, assistant professor in the Department of Computer Science. “They now sit at the heart of AI and cloud computing, which means vulnerabilities in GPUs can affect AI security and the security of the entire computing system.”
The team—PhD student Chris (Shaopeng) Lin, with co-authors Yuqin Yan, Guozhen Ding, Joyce Qu, Joseph Zhu and professors David Lie and Gururaj Saileshwar—recently presented this work at the IEEE Symposium on Security & Privacy 2026, the leading academic conference in the field of computer security and privacy.
The paper has been honoured with a Distinguished Paper Award at the conference, one of just 13 chosen from more than 240 accepted papers drawn from over 2,200 submissions.
The paper showcases two further consequences of the attack. First, it demonstrates that an attacker sharing a machine with a victim can steal cryptographic keys, including the kinds designed to resist future quantum computers, while those keys briefly sit in GPU memory.
The team also showed that editing a single instruction inside a widely used NVIDIA library, one that handles the math behind most modern AI systems, can drop the accuracy of major image-recognition models from up to 80 per cent to roughly zero, with negligible effect on response time. The sabotage is all but undetectable.
"GPUBreach affects every GPU user, from a developer running untrusted software on their laptop, to a cloud provider renting GPUs to AI customers," said Saileshwar. "A seemingly harmless application, such as a downloaded game or an AI model pulled from the internet, could become the entry point for an attack."
On the team's test platform—an NVIDIA RTX A6000 workstation graphics card—the entire compromise unfolds in under 20 seconds. The underlying driver flaw was also verified on additional NVIDIA GPUs and driver versions.
The team responsibly disclosed the findings to NVIDIA, Google, Amazon Web Services and Microsoft in November 2025. Google awarded the team a Bug Bounty Award, and NVIDIA has indicated it may update its existing security guidance.
GPUBreach has drawn extensive coverage in outlets including Ars Technica, The Hacker News and Kaspersky, and an extension of the paper will be presented in August at Black Hat USA, the leading industry cybersecurity conference.
This research was supported by the Natural Sciences and Engineering Research Council of Canada, the Communications Security Establishment Canada and the Canada Research Chairs program.
