Yes, Rowhammer is a hardware issue. However I reported this as the white paper is new and seems to suggest new attacks. It also explains that "There is no software mitigation that can completely erase this problem" but at the same time there is more info in the section Mitigations. As a side note: One thing which distros could do is to disable JavaScript and WebAssembly in browsers by default and display a warning/explanation on first run why those have been disabled and convenient buttons for the user to enable them (if one wants to). IOW: when nothing (or little) can be done mitigation through raising awareness and educationg the user is always a good first step.