Slide 16 of 29
Slide 16 · OWASP Scenario — Shared Infrastructure
Your neighbor on a cloud GPU can read your model's answers.
📄 OWASP LLM Top 10:2025 · LLM03 Sample Scenario #8 (“LeftOvers”)
Scenario · LeftOvers
“An attacker exploits leaked GPU local memory to recover sensitive data from other workloads running on shared infrastructure.”
OWASP cites this scenario by name. It's real: Trail of Bits disclosed LeftoverLocals — GPUs don't always clear their local memory between processes, so a malicious program can read whatever a previous workload left behind.
Why it matters: on a multi-tenant cloud GPU, that “leftover” can be another tenant's LLM output — enough to reconstruct the responses a victim's model produced. The infrastructure you rent is part of your supply chain.
The Hard Anchor

CVE-2023-4969 · CVSS 6.5. Confirmed to affect GPUs from Apple, Qualcomm, AMD, and Imagination. NVIDIA and Arm reported they were not impacted. AMD shipped an opt-in mode that clears memory between processes — but it isn't on by default; an admin must enable it.
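As an added illustration (not code from OWASP, Trail of Bits, or any GPU vendor), a workload-level defence in depth for the leak described above: an OpenCL kernel that zeroes its own local (work-group) memory before it exits, so a later kernel scheduled on the same compute unit finds zeros rather than leftover intermediate values. The kernel name, buffer names and ROW_LEN are illustrative assumptions, and ROW_LEN is assumed to equal the work-group size.

```opencl
// Added example: scrubbing __local memory before a kernel exits.
// Names (row_sum, scratch, ROW_LEN) are illustrative, not from the page.
// Assumes the kernel is launched with a work-group size of ROW_LEN.
#define ROW_LEN 256

__kernel void row_sum(__global const float *in, __global float *out)
{
    // Work-group private scratch. On a GPU affected by LeftoverLocals, whatever
    // is left here when the kernel ends may be visible to the next kernel that
    // runs on this compute unit, even one from another tenant.
    __local float scratch[ROW_LEN];

    const size_t lid = get_local_id(0);
    const size_t grp = get_group_id(0);

    // Stage one row of input (e.g. per-token logits) into local memory.
    scratch[lid] = in[grp * ROW_LEN + lid];
    barrier(CLK_LOCAL_MEM_FENCE);

    // Tree reduction: partial sums live in local memory between steps.
    for (size_t stride = ROW_LEN / 2; stride > 0; stride >>= 1) {
        if (lid < stride)
            scratch[lid] += scratch[lid + stride];
        barrier(CLK_LOCAL_MEM_FENCE);
    }
    if (lid == 0)
        out[grp] = scratch[0];
    barrier(CLK_LOCAL_MEM_FENCE);   // all work-items are done reading scratch

    // Scrub: each work-item zeroes its own slot so nothing outlives the kernel.
    // The volatile cast stops the compiler from dropping stores it considers
    // dead because the values are never read again within this kernel.
    ((volatile __local float *)scratch)[lid] = 0.0f;
    barrier(CLK_LOCAL_MEM_FENCE);
}
```

This only covers memory the kernel itself allocated and touched, and it costs an extra pass per launch; it does not replace a driver- or platform-level fix such as the opt-in clearing mode the slide mentions for AMD.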
