Pith Number

pith:SIHDZTSG

pith:2026:SIHDZTSGRB6A72WCNGAD5WDOXG

not attested not anchored not stored refs pending

Bit-Flip Vulnerability of Shared KV-Cache Blocks in LLM Serving Systems

Satoshi Matsuura, Yuji Yamamoto

Shared KV-cache blocks in LLM serving systems can be corrupted by bit flips, causing silent but persistent changes in responses for all requests using the same prefix.

arxiv:2604.17249 v2 · 2026-04-19 · cs.CR · cs.AR · cs.LG

Open paper page JSON Open Graph Bundle Merged state Verified badge What is a Pith Number?

Add to your LaTeX paper

\usepackage{pith}
\pithnumber{SIHDZTSGRB6A72WCNGAD5WDOXG}

Prints a linked badge after your title and injects PDF metadata. Compiles on arXiv. Learn more · Embed verified badge

Record completeness

1 Bitcoin timestamp

2 Internet Archive

3 Author claim open · sign in to claim

4 Citations open

5 Replications open

✓ Portable graph bundle live · download bundle · merged state

The bundle contains the canonical record plus signed events. A mirror can host it anywhere and recompute the same current state with the deterministic merge algorithm.

Claims

C1strongest claim

Shared KV-cache blocks in LLM serving systems present an analogous but previously unexamined target. Using software fault injection under ideal bit targeting, we characterize worst-case severity and identify three properties: (1) Silent divergence - 13 of 16 BF16 bit positions produce coherent but altered outputs, indistinguishable from legitimate responses without a clean baseline. (2) Selective propagation - only requests sharing the targeted prefix are affected. (3) Persistent accumulation - no temporal decay occurs, so cumulative damage grows linearly with subsequent requests.

C2weakest assumption

Software fault injection under ideal bit targeting accurately represents the effects and feasibility of real Rowhammer attacks on GPU DRAM in production LLM serving systems with shared prefix caches.

C3one line summary

Shared KV-cache blocks in LLM serving systems are vulnerable to bit flips that cause silent, selective, and persistent output changes, distinct from weight attacks, and detectable by checksums.

Receipt and verification

First computed	2026-06-09T01:05:17.337921Z
Builder	pith-number-builder-2026-05-17-v1
Signature	Pith Ed25519 (`pith-v1-2026-05`) · public key
Schema	pith-number/v1.0

Canonical hash

920e3cce46887c0feac269803ed86eb99927cc5b699fb6d2e3bf13d4169f015e

Aliases

arxiv: 2604.17249 · arxiv_version: 2604.17249v2 · doi: 10.48550/arxiv.2604.17249 · pith_short_12: SIHDZTSGRB6A · pith_short_16: SIHDZTSGRB6A72WC · pith_short_8: SIHDZTSG

Agent API

Resolver JSON Graph JSON Events JSON Schema Signing key

Verify this Pith Number yourself

curl -sH 'Accept: application/ld+json' https://pith.science/pith/SIHDZTSGRB6A72WCNGAD5WDOXG \
  | jq -c '.canonical_record' \
  | python3 -c "import sys,json,hashlib; b=json.dumps(json.loads(sys.stdin.read()), sort_keys=True, separators=(',',':'), ensure_ascii=False).encode(); print(hashlib.sha256(b).hexdigest())"
# expect: 920e3cce46887c0feac269803ed86eb99927cc5b699fb6d2e3bf13d4169f015e

Canonical record JSON

{
  "metadata": {
    "abstract_canon_sha256": "e3fe9f41d34acb32243f1d07b7e8f72f3b01b961facd3bec3c11c2f96140c8fd",
    "cross_cats_sorted": [
      "cs.AR",
      "cs.LG"
    ],
    "license": "http://arxiv.org/licenses/nonexclusive-distrib/1.0/",
    "primary_cat": "cs.CR",
    "submitted_at": "2026-04-19T04:31:12Z",
    "title_canon_sha256": "dabdce088bb81c16d1ab5f379084a62025e1f8e20b663a6faf7d0b0c8f1da46e"
  },
  "schema_version": "1.0",
  "source": {
    "id": "2604.17249",
    "kind": "arxiv",
    "version": 2
  }
}