CVE-2025-33191 – This vulnerability in NVIDIA DGX Spark GB10's O... (How to Fix)

Q: What is the severity of CVE-2025-33191?

CVE-2025-33191 has a CVSS score of 5.7 (MEDIUM). This vulnerability in NVIDIA DGX Spark GB10's OSROOT firmware allows attackers to trigger invalid memory reads, potentially causing denial of service. It affects organizations using NVIDIA's DGX Spark GB10 systems. The vulnerability requires local access to exploit.

📋 TL;DR

This vulnerability in NVIDIA DGX Spark GB10's OSROOT firmware allows attackers to trigger invalid memory reads, potentially causing denial of service. It affects organizations using NVIDIA's DGX Spark GB10 systems. The vulnerability requires local access to exploit.

💻 Affected Systems

Products:

NVIDIA DGX Spark GB10

Versions: All versions prior to firmware update

Operating Systems: DGX OS (specific version not specified in CVE)

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects DGX Spark GB10 systems with vulnerable OSROOT firmware. Other DGX models are not affected.

📦 What is this software?

Dgx Os by Nvidia

View all CVEs affecting Dgx Os →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system crash or instability requiring hardware reset, disrupting critical AI/ML workloads running on DGX systems.

🟠

Likely Case

Temporary service interruption or performance degradation until system recovery procedures are completed.

🟢

If Mitigated

Minimal impact with proper access controls preventing unauthorized local access to vulnerable systems.

🌐 Internet-Facing: LOW - Requires local access to exploit, not remotely exploitable over network.

🏢 Internal Only: MEDIUM - Insider threats or compromised internal accounts could exploit this to disrupt critical AI infrastructure.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires local access to system. No public exploit code available at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware update available via NVIDIA security advisory

Vendor Advisory: https://nvidia.custhelp.com/app/answers/detail/a_id/5720

Restart Required: Yes

Instructions:

1. Review NVIDIA security advisory ESA-2025-001. 2. Download latest firmware from NVIDIA support portal. 3. Apply firmware update following NVIDIA documentation. 4. Reboot system to activate new firmware.

🔧 Temporary Workarounds

Restrict local access

all

Limit physical and logical access to DGX systems to authorized personnel only

Implement strict authentication

all

Enforce multi-factor authentication and least privilege access for all DGX system accounts

🧯 If You Can't Patch

Isolate DGX systems on separate network segments with strict access controls
Implement continuous monitoring for system crashes or abnormal behavior patterns

🔍 How to Verify

Check if Vulnerable:

Check firmware version against NVIDIA security advisory ESA-2025-001

Check Version:

nvidia-smi --query-gpu=driver_version --format=csv (for GPU driver) or check firmware via DGX management interface

Verify Fix Applied:

Verify firmware version has been updated to patched version specified in NVIDIA advisory

📡 Detection & Monitoring

Log Indicators:

Unexpected system reboots
Kernel panic logs
Firmware error messages in system logs

Network Indicators:

Sudden drop in AI/ML workload traffic from affected systems

SIEM Query:

source="dgx_system_logs" AND ("panic" OR "reboot" OR "firmware_error")

📊 Metadata

CVE ID: CVE-2025-33191

CVSS v3 Score: 5.7 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L

CWE: CWE-20

EPSS Score: 0.03% exploit probability (6.7th percentile)

Published: November 25, 2025

Last Updated: December 2, 2025

🔗 References

https://nvd.nist.gov/vuln/detail/CVE-2025-33191 Third Party Advisory
https://nvidia.custhelp.com/app/answers/detail/a_id/5720 Vendor Advisory
https://www.cve.org/CVERecord?id=CVE-2025-33191 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-33191, you might also want to check these: