CVE-2025-23351

CRITICAL
9.0
CVSS 3.1
Description
NVIDIA ConnectX and BlueField contain a vulnerability in the command interface where a local user with virtual function (VF) access may cause a write out of bounds by crafted input. A successful exploit of this vulnerability may lead to arbitrary code execution on the device.

Metadata

CVE ID: CVE-2025-23351
State: PUBLISHED
Assigner: nvidia
Reserved: 2025-01-14 01:07 UTC
Published: 2026-07-01 14:39 UTC
Last updated: 2026-07-01 16:03 UTC
Primary CWE: CWE-787 Out-of-bounds Write
Vendor / Product: NVIDIA / BlueField GA
Sources: cve.org  ·  NVD

Severity & Metrics

9.0 CRITICAL CVSS 3.1
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
SSVC — CISA Coordinator
Exploitation: none
Automatable: no
Tech. Impact: total
Affected products (10)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| NVIDIA | BlueField GA | BlueField-2(46),BlueField-3(46) | All versions prior to 46.3008 |
| NVIDIA | BlueField LTS22 | BlueField-2(35) | All versions prior to 35.8002 |
| NVIDIA | BlueField LTS23 | BlueField-2(39),BlueField-3(39) | All versions prior to 39.8002 |
| NVIDIA | BlueField LTS24 | BlueField-2(43),BlueField-3(43) | All versions prior to 43.8002 |
| NVIDIA | ConnectX GA | ConnectX-6 DE,ConnectX-6 DX,ConnectX-6 LX,ConnectX-7,ConnectX-8 | All versions prior to 46.3008 |
| NVIDIA | ConnectX LTS22 | ConnectX-5*,ConnectX-6*,ConnectX-6 DE,ConnectX-6 DX,ConnectX-6 LX,ConnectX-7 | All versions prior to 35.8002 |
| NVIDIA | ConnectX LTS23 | ConnectX-6*,ConnectX-6 DE,ConnectX-6 DX,ConnectX-6 LX,ConnectX-7 | All versions prior to 39.8002 |
| NVIDIA | ConnectX LTS24 | ConnectX-6*,ConnectX-6 DE,ConnectX-6 DX,ConnectX-6 LX,ConnectX-7 | All versions prior to 43.8002 |
| NVIDIA | ConnectX-4 | N/A(28) | All versions prior to 28.4702 |
| NVIDIA | ConnectX-4 LX | N/A(32) | All versions prior to 32.1908 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| CWE-787 | cna | CWE-787 Out-of-bounds Write |
CVSS scores (1)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 9.0 | CRITICAL | 3.1 | cna | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |