CyberGlossary

Rowhammer

Also known as: Row hammer attack

Definition

A hardware vulnerability in DRAM where repeatedly activating one memory row causes bit flips in physically adjacent rows, undermining memory integrity.

Rowhammer exploits the fact that cells in high-density DRAM leak charge faster than the refresh cycle can restore it when neighbouring rows are activated aggressively. By hammering a row hundreds of thousands of times per refresh cycle, an attacker can flip specific bits in adjacent rows that they have no right to write, bypassing all software permission checks. Rowhammer has been demonstrated against page tables, from JavaScript in web browsers, on mobile devices and on FPGAs, and it has been weaponized for privilege escalation and sandbox escape. Mitigations include error-correcting memory (ECC), Target Row Refresh (TRR), pseudo-TRR, ECC combined with refresh-rate doubling, and operating-system-level isolation. Newer DDR5 modules implement more aggressive on-die refresh, though research continues to find variants such as RowPress.
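
One defensive check that follows from the ECC mitigation above, as an added example that is not part of the original glossary entry: on Linux hosts with ECC memory, the EDAC subsystem exposes per-controller corrected and uncorrected error counts in sysfs, and a sudden rise between two polls is worth investigating (hammering and a failing module look alike at this level). The threshold of 10 and the 60-second interval are assumed values, and the function names are illustrative.

```python
"""Poll Linux EDAC counters and flag growth in ECC memory errors."""
from pathlib import Path

# Standard Linux EDAC sysfs location; present only when an EDAC driver is loaded.
EDAC_ROOT = Path("/sys/devices/system/edac/mc")


def read_counters(root=EDAC_ROOT):
    """Return {controller: (corrected, uncorrected)} from mcN/ce_count and mcN/ue_count."""
    counters = {}
    for mc in sorted(Path(root).glob("mc[0-9]*")):
        try:
            ce = int((mc / "ce_count").read_text().strip())
            ue = int((mc / "ue_count").read_text().strip())
        except (OSError, ValueError):
            continue  # controller directory without readable counters
        counters[mc.name] = (ce, ue)
    return counters


def assess(previous, current, ce_threshold=10):
    """Compare two snapshots; return a list of (controller, severity, message)."""
    findings = []
    for mc, (ce, ue) in current.items():
        if mc not in previous:
            continue  # no baseline yet for this controller
        d_ce, d_ue = ce - previous[mc][0], ue - previous[mc][1]
        if d_ce < 0 or d_ue < 0:
            continue  # counters were reset (reboot, driver reload): new baseline
        if d_ue > 0:
            findings.append((mc, "critical", f"{d_ue} uncorrectable error(s)"))
        elif d_ce >= ce_threshold:  # assumed threshold, tune per fleet
            findings.append((mc, "warning", f"{d_ce} corrected error(s) since last poll"))
    return findings


if __name__ == "__main__":
    import time
    baseline = read_counters()
    if not baseline:
        print("no EDAC memory controllers found (no ECC, or EDAC driver not loaded)")
    else:
        time.sleep(60)  # assumed polling interval
        for mc, severity, msg in assess(baseline, read_counters()):
            print(f"{severity}: {mc}: {msg}")
```
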

Examples

  • Project Zero's 2015 exploit flipping bits in PTEs to gain kernel privileges.
  • Drammer (2016) — Rowhammer-based root exploit on Android.

Related terms