PT-2026-54608 · Nvidia · Connect+1
Published
2026-07-01
·
Updated
2026-07-01
·
CVE-2025-23350
CVSS v3.1
9.0
Critical
| Vector | AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
NVIDIA ConnectX (affected versions not specified)
NVIDIA BlueField (affected versions not specified)
Description
A flaw exists in the command interface of the device reachable from a Virtual Function (VF) context. A local user with VF privileges, such as a tenant VM or container assigned a VF via Single Root I/O Virtualization (SR-IOV), can trigger an out-of-bounds write by providing crafted command input. This occurs due to improper bounds checking, which may allow the attacker to corrupt device memory and achieve arbitrary code execution on the NIC/DPU. This could lead to device compromise, cross-tenant impact, and disruption of network or storage offload operations.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Memory Corruption
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Bluefield
Connect