arXiv:2604.17249v2 Announce Type: replace-cross Abstract: Rowhammer on GPU DRAM has enabled adversarial bit flips in model weights; shared KV-cache blocks in LLM serving systems present an analogous but previously unexamined target. In vLLM's Prefix Caching, these blocks exist as a single physical copy without integrity protection. Using software fault injection under ideal bit targeting, we characterize worst-case severity and identify three properties: (1) Silent divergence - 13 of 16 BF16 bit positions produce coherent but altered outputs, indistinguishable from legitimate responses without
The increasing scale and complexity of LLM serving systems, particularly with shared memory architectures like KV-cache, create new attack surfaces that are now being actively explored as hardware vulnerabilities become more accessible.
This research reveals a critical vulnerability in the integrity of LLM serving systems, demonstrating how subtle hardware faults can lead to silent and undetectable alterations in AI model outputs, impacting reliability and security.
The assumption that LLM serving systems are robust against low-level bit-flips is challenged, necessitating a re-evaluation of security and integrity measures for shared memory components in high-performance AI inference.
- · Cybersecurity researchers
- · Hardware security vendors
- · AI infrastructure hardening services
- · LLM serving providers (without robust defenses)
- · Organizations relying on unverified LLM outputs
- · Developers of unhardened AI accelerators
Exploitation of such vulnerabilities could lead to altered or misleading LLM responses in critical applications.
Increased investment in hardware-level integrity checks and secure memory management for AI compute will become a priority.
New certification standards and regulatory requirements might emerge for the security and reliability of AI serving infrastructure.
This signal links to a primary source. Continuum Brief monitors and indexes it as part of the live intelligence stream — we do not republish source content.
Read at arXiv cs.LG