Sensitive Information Disclosure · High

LeftoverLocals: reading LLM responses from leaked GPU memory

January 2024 · Apple, AMD, Qualcomm, Imagination GPUs
What happened
Affected GPUs did not clear local memory between kernel invocations, so a malicious GPU kernel of about ten lines could read leftover data from another process (CVE-2023-4969). A proof of concept reconstructed another user's LLM responses from leaked memory.
Root cause
GPU local memory was not zeroed or isolated between compute kernels from different processes.
Fix / outcome
Coordinated disclosure led to fixes from Apple, Qualcomm, and AMD. Coverage across older devices remained incomplete, so treat it as partially patched.