{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-33228", "assignerOrgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "state": "PUBLISHED", "assignerShortName": "nvidia", "dateReserved": "2025-04-15T18:51:07.602Z", "datePublished": "2026-01-20T17:44:19.777Z", "dateUpdated": "2026-02-26T14:44:43.663Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Windows", "Linux"], "product": "CUDA Toolkit", "vendor": "NVIDIA", "versions": [{"status": "affected", "version": "All versions prior to CUDA Toolkit 13.1"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": true, "type": "text/html", "value": "NVIDIA Nsight Systems contains a vulnerability in the gfx_hotspot recipe, where an attacker could cause an OS command injection by supplying a malicious string to the process_nsys_rep_cli.py script if the script is invoked manually. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, and information disclosure."}], "value": "NVIDIA Nsight Systems contains a vulnerability in the gfx_hotspot recipe, where an attacker could cause an OS command injection by supplying a malicious string to the process_nsys_rep_cli.py script if the script is invoked manually. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, and information disclosure."}], "impacts": [{"descriptions": [{"lang": "en", "value": "Code execution, escalation of privileges, data tampering, denial of service, information disclosure"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "shortName": "nvidia", "dateUpdated": "2026-01-20T17:44:19.777Z"}, "references": [{"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-33228"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2025-33228"}, {"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5755"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "NVIDIA PSIRT"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-33228", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-21T04:55:26.287586Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:44:43.663Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-33228", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-21T04:55:26.287586Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T18:32:19.840Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "impacts": [{"descriptions": [{"lang": "en", "value": "Code execution, escalation of privileges, data tampering, denial of service, information disclosure"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "NVIDIA", "product": "CUDA Toolkit", "versions": [{"status": "affected", "version": "All versions prior to CUDA Toolkit 13.1"}], "platforms": ["Windows", "Linux"], "defaultStatus": "unaffected"}], "references": [{"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-33228"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2025-33228"}, {"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5755"}], "x_generator": {"engine": "NVIDIA PSIRT"}, "descriptions": [{"lang": "en", "value": "NVIDIA Nsight Systems contains a vulnerability in the gfx_hotspot recipe, where an attacker could cause an OS command injection by supplying a malicious string to the process_nsys_rep_cli.py script if the script is invoked manually. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, and information disclosure.", "supportingMedia": [{"type": "text/html", "value": "NVIDIA Nsight Systems contains a vulnerability in the gfx_hotspot recipe, where an attacker could cause an OS command injection by supplying a malicious string to the process_nsys_rep_cli.py script if the script is invoked manually. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, and information disclosure.", "base64": true}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "shortName": "nvidia", "dateUpdated": "2026-01-20T17:44:19.777Z"}}}, "cveMetadata": {"cveId": "CVE-2025-33228", "state": "PUBLISHED", "dateUpdated": "2026-02-26T14:44:43.663Z", "dateReserved": "2025-04-15T18:51:07.602Z", "assignerOrgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "datePublished": "2026-01-20T17:44:19.777Z", "assignerShortName": "nvidia"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nvidia:cuda_toolkit:*:*:*:*:*:*:*:*", "matchCriteriaId": "6D53794E-E526-471B-94F5-F9BCC26C1BC1", "versionEndExcluding": "13.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "NVIDIA Nsight Systems contains a vulnerability in the gfx_hotspot recipe, where an attacker could cause an OS command injection by supplying a malicious string to the process_nsys_rep_cli.py script if the script is invoked manually. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, and information disclosure."}], "id": "CVE-2025-33228", "lastModified": "2026-02-02T16:07:24.730", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.9, "source": "psirt@nvidia.com", "type": "Secondary"}]}, "published": "2026-01-20T18:16:02.300", "references": [{"source": "psirt@nvidia.com", "tags": ["US Government Resource", "VDB Entry"], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-33228"}, {"source": "psirt@nvidia.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5755"}, {"source": "psirt@nvidia.com", "tags": ["Third Party Advisory"], "url": "https://www.cve.org/CVERecord?id=CVE-2025-33228"}], "sourceIdentifier": "psirt@nvidia.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "psirt@nvidia.com", "type": "Primary"}]}

{"bugzilla": {"description": "nsight-systems: Nsight Systems: Arbitrary code execution via OS command injection", "id": "2431292", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431292"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.2", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-78", "details": ["NVIDIA Nsight Systems contains a vulnerability in the gfx_hotspot recipe, where an attacker could cause an OS command injection by supplying a malicious string to the process_nsys_rep_cli.py script if the script is invoked manually. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, and information disclosure.", "A flaw was found in NVIDIA Nsight Systems. This vulnerability allows a local attacker to achieve arbitrary code execution by manually invoking the process_nsys_rep_cli.py script with a malicious string. This OS command injection can lead to privilege escalation, data tampering, denial of service, and information disclosure."], "name": "CVE-2025-33228", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "cuda-nsight-systems-13-0", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "cuda-nsight-systems-13-1", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "nsight-systems-2025.3.2", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "nsight-systems-2025.5.2", "product_name": "Red Hat Enterprise Linux 10"}], "public_date": "2026-01-20T17:44:19Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-33228\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-33228\nhttps://nvidia.custhelp.com/app/answers/detail/a_id/5755"], "statement": "This vulnerability is rated Important as it allows for OS command injection in NVIDIA Nsight Systems. The flaw occurs when the `process_nsys_rep_cli.py` script is manually invoked with a malicious string, potentially leading to code execution and privilege escalation. Red Hat Enterprise Linux systems with affected `nsight-systems` components are impacted if the script is used in this manner.", "threat_severity": "Important"}

{"created": "2026-01-21T11:18:58.810299+00:00", "updated": "2026-01-21T11:18:58.810337+00:00", "vendors": ["nvidia", "nvidia$PRODUCT$cuda_toolkit"]}