CVE-2025-23275 – This vulnerability in NVIDIA CUDA Toolkit's nvJ... (How to Fix)

Q: What is the severity of CVE-2025-23275?

CVE-2025-23275 has a CVSS score of 4.2 (MEDIUM). This vulnerability in NVIDIA CUDA Toolkit's nvJPEG component allows a local authenticated user to trigger a GPU out-of-bounds write by providing specific image dimensions, potentially leading to denial of service or information disclosure. It affects all platforms where NVIDIA CUDA Toolkit is installed, requiring local access and authentication for exploitation.

📋 TL;DR

This vulnerability in NVIDIA CUDA Toolkit's nvJPEG component allows a local authenticated user to trigger a GPU out-of-bounds write by providing specific image dimensions, potentially leading to denial of service or information disclosure. It affects all platforms where NVIDIA CUDA Toolkit is installed, requiring local access and authentication for exploitation.

💻 Affected Systems

Products:

NVIDIA CUDA Toolkit

Versions: All versions prior to the patched release; check NVIDIA advisory for specific version details.

Operating Systems: All platforms supported by NVIDIA CUDA Toolkit (e.g., Windows, Linux, macOS)

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerability is in the nvJPEG component and affects systems where CUDA Toolkit is installed, regardless of default settings.

📦 What is this software?

Cuda Toolkit by Nvidia

View all CVEs affecting Cuda Toolkit →

Nvjpeg by Nvidia

View all CVEs affecting Nvjpeg →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Exploitation could cause GPU instability, system crashes, or leakage of sensitive data from GPU memory, impacting system availability and confidentiality.

🟠

Likely Case

Most probable impact is denial of service through GPU errors or application crashes, disrupting CUDA-dependent workloads.

🟢

If Mitigated

With proper access controls limiting local user privileges, the risk is reduced to minimal, as exploitation requires authenticated access.

🌐 Internet-Facing: LOW, as the vulnerability requires local authenticated access and is not directly exploitable over the network.

🏢 Internal Only: MEDIUM, as internal users with local access and authentication could exploit it, but it depends on user privileges and system configurations.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires local authenticated access and knowledge of specific image dimensions to trigger the out-of-bounds write, making it moderately complex.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Refer to NVIDIA advisory for specific patched versions (e.g., CUDA Toolkit version X.Y or later).

Vendor Advisory: https://nvidia.custhelp.com/app/answers/detail/a_id/5661

Restart Required: No

Instructions:

1. Visit the NVIDIA advisory URL. 2. Download and install the latest CUDA Toolkit version as specified. 3. Verify installation and test nvJPEG functionality.

🔧 Temporary Workarounds

Restrict Local User Access

all

Limit access to systems with CUDA Toolkit to trusted users only, reducing the attack surface for local authenticated exploits.

🧯 If You Can't Patch

Implement strict access controls to minimize the number of local authenticated users who could exploit the vulnerability.
Monitor systems for unusual GPU activity or crashes that might indicate exploitation attempts.

🔍 How to Verify

Check if Vulnerable:

Check the installed CUDA Toolkit version; if it is prior to the patched version listed in the NVIDIA advisory, the system is vulnerable.

Check Version:

On Linux/macOS: nvcc --version or cat /usr/local/cuda/version.txt; On Windows: Check NVIDIA Control Panel or run nvcc --version in Command Prompt.

Verify Fix Applied:

After updating, confirm the CUDA Toolkit version matches or exceeds the patched version specified in the advisory.

📡 Detection & Monitoring

Log Indicators:

Look for GPU error logs, application crashes related to nvJPEG, or unusual out-of-bounds write events in system logs.

Network Indicators:

No direct network indicators, as this is a local vulnerability.

SIEM Query:

Example: search for 'nvJPEG' AND ('crash' OR 'error' OR 'out-of-bounds') in application or system logs.

📊 Metadata

CVE ID: CVE-2025-23275

CVSS v3 Score: 4.2 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L

CWE: CWE-787

EPSS Score: 0.03% exploit probability (7.1th percentile)

Published: September 24, 2025

Last Updated: October 6, 2025

🔗 References

https://nvd.nist.gov/vuln/detail/CVE-2025-23275 Third Party Advisory
https://nvidia.custhelp.com/app/answers/detail/a_id/5661 Vendor Advisory
https://www.cve.org/CVERecord?id=CVE-2025-23275 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-23275, you might also want to check these: