Hackers can use this flaw to obtain leftover AI data from your GPU — what you need to know

A hacker typing quickly on a keyboard
(Image credit: Shutterstock)

There are some major benefits to running AI workloads locally, but beware—a newly discovered vulnerability can be exploited to obtain leftover data from vulnerable Apple, AMD, Qualcomm and Imagination Technologies GPUs.

As reported by BleepingComputer, this new security flaw (tracked as CVE-2023-4969) has been dubbed LeftoverLocals after it was discovered by security researchers Tyler Sorensen and Heidy Khlaaf at Trail of Bits.

Essentially, this flaw allows for data recovery from impacted GPUs running large language models (LLMs) and machine learning processes locally. While a hacker would need physical access to a vulnerable GPU on a system running AI workloads to exploit this flaw, this new attack method is still concerning.

Whether you run AI models locally yourself or are just concerned about the dangers posed by AI, here’s everything you need to know about LeftoverLocals, including whether or not there’s already a fix for this flaw for your devices.

Extracting leftover AI data from vulnerable GPUs

AMD Radeon RX 7900 XTX on a pastel background

(Image credit: AMD)

According to a blog post from Trail of Bits, this security flaw arises from the fact that some GPU frameworks don’t completely isolate their memory. As such, one kernel running on a vulnerable machine could read the values stored in local memory that were written by another kernel.

Trail of Bits’ security researchers also explain that an attacker just needs to run a GPU compute application such as OpenCL, Vulkan or Metal to read data left in a GPU’s local memory by another user. This is done by “writing a GPU kernel that dumps uninitialized local memory,” according to the researchers.

This recovered data can reveal all sorts of sensitive information from a victim’s computations while running AI models locally including model inputs, outputs, weights and intermediate computations. 

The security researchers at Trail of Bits took things a step further by creating a proof of concept (available on GitHub) which demonstrates how the LeftoverLocals vulnerability can be exploited to recover 5.5MB of data per GPU invocation, though the exact amount of data recovered depends on the GPU framework. For instance, on an AMD Radeon RX 7900 XT GPU running the open-source llama.cpp LLM, an attacker could recover as much as 181MB of leftover AI data per query. This is more than enough to reconstruct responses from an LLM with high accuracy which would let an attacker know exactly what you were discussing with the AI in question.

Your devices may already be patched

A padlock resting next to the Apple logo on the lid of a gold-colored Apple laptop.

(Image credit: robert coolen/Shutterstock)

As Trail of Bits reached out to Apple, AMD, Qualcomm and Imagination Technologies back in September, many companies have already released patches to address this flaw or are currently in the process of doing so.

It’s also worth noting that while the MacBook M2 and iPhone 12 Pro are vulnerable, Apple’s iPhone 15 line as well as the MacBook M3 and other M3-powered laptops and computers are unaffected.

According to a security bulletin from AMD, some of its GPU models are still vulnerable but its engineers are working on a fix. Likewise, Qualcomm has released a patch in its firmware v2.0.7 that addresses LeftoverLocals in some chips but not others. Meanwhile, while Imagination Technologies released a fix back in December of last year with DDK v23.3, Google warned this month that some of its GPUs are still vulnerable to this flaw. Fortunately, Intel, Nvidia and ARM GPUs aren’t impacted by LeftoverLocals at all.

For GPUs that are still vulnerable though, Trail of Bits suggests that the companies who make them implement an automatic local memory clearing mechanism between kernel calls as this isolates any sensitive data written by a single process. However, this might impact performance. Still though, given the severity of the LeftoverLocals flaw, this trade-off might be worth it.

We’ll likely learn more about LeftoverLocals as GPU manufacturers work to nip this flaw in the bud once and for all.

More from Tom's Guide

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.