The architecture of cloud computing resembles the structure of a modern glass office building. Companies rent spaces in it, trusting that robust door locks, monitoring systems and professional security guarantee complete privacy. In the IT world, these safeguards are encryption, virtualisation and logical process isolation. However, recent reports from the world of hardware security suggest that the foundations of this office building hide a structural flaw.
Rowhammer-type attacks, transferred from classical operational memories to graphics processing units (GPUs), show that walls between cloud users can become transparent under the influence of appropriately directed electrical oscillations.
Graphics chips equipped with GDDR6 memory have become the foundation of the artificial intelligence revolution. It is their enormous bandwidth that allows language models to be trained or gigantic data sets to be analysed in real time. For years, there was a belief that GPUs were a safe enclave, isolated from the vulnerabilities plaguing traditional CPUs.
Research conducted by scientists at UNC Chapel Hill and Georgia Tech brutally verifies this optimism. It turns out that the physical proximity of memory cells in NVIDIA’s state-of-the-art chips, such as the Ampere and Ada Lovelace architectures, becomes their greatest weakness.
The Rowhammer phenomenon is not a bug in the code that can be fixed with a simple software update. It is a defect resulting from the very physics of silicon and the drive for extreme miniaturisation. When a system repeatedly and at high frequency references a particular row of data in DRAM, an electromagnetic field is created that begins to affect neighbouring cells. This ‘leakage’ of energy can lead to a spontaneous change in the state of a bit – zeros become ones and ones become zeros. On a micro scale, this is a minor anomaly, but on a system scale, it is a tool to break down the door to the core of the operating system. By precisely manipulating these changes, an attacker can achieve privilege escalation, gaining full administrative access to the host.
For the business world, which is moving its most valuable resources en masse to the public cloud, this information is of strategic importance. The resource-sharing model, known as multi-tenancy, is based on the assumption that one client’s processes are completely separate from another client’s operations, even if they share the same physical GPU. The discovery of the GDDRHammer and GeForge vulnerabilities casts a shadow over this assumption. A theoretical, but evidence-based, possibility arises in which an entity with bad intentions rents a low-cost GPU instance on the same platform as a large financial institution or pharmaceutical company, and then uses the physical properties of the hardware to spy on its ‘neighbour’.
The risks go beyond simple file theft. In the age of the AI arms race, a company’s most valuable asset is model weights and training data. By taking control of GPU memory, this information can be extracted, de facto stealing the competitive advantage developed over years. Moreover, cloud providers operate under a shared responsibility model. While they guarantee the security of the logical and network layers, they are rarely able to fully protect against fundamental design flaws in the processors themselves, especially when hardware manufacturers such as NVIDIA suggest using solutions with limited effectiveness.
Proposed methods of mitigating these attacks, such as the inclusion of error correction codes or IOMMU memory management units, are only a partial barrier. A key concern for IT decision-makers becomes the economic calculus. The inclusion of full protection mechanisms is almost always associated with a perceived decrease in computing performance and available memory. In business realities, where model training time translates directly into costs of thousands of dollars, the choice between absolute security and operational efficiency becomes a difficult management dilemma.
A key task for technical directors and security officers is becoming a new classification of resources. Not every process requires the highest degree of isolation, but projects critical to the future of the business may require a revision of the public cloud approach. Bare metal solutions, where the customer is given exclusive access to a physical server, or building dedicated private clouds, are no longer the domain of the paranoid and are becoming a rational response to the physical limitations of modern silicon.
The 2026 audit of cloud service providers should include not only ISO certifications, but also specific questions about physical isolation architecture at the GPU level. A mature business needs to understand that as technology approaches physical barriers, traditional software security methods are becoming insufficient. Rowhammer on the GPU signals that it is time for a new era of hardware hygiene, where awareness of the limitations of matter is as important as the quality of the code being written.
