Cyber Posture

CVE-2025-33206

High

Published: 14 January 2026

Published
14 January 2026
Modified
02 February 2026
KEV Added
Patch
CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0003 7.1th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-33206 is a high-severity OS Command Injection (CWE-78) vulnerability in Nvidia Nsight Graphics. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked at the 7.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Unix Shell (T1059.004) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

SI-2 requires timely identification, reporting, and correction of flaws, directly mitigating this specific command injection vulnerability through patching NVIDIA Nsight Graphics.

SI-10 Information Input Validation good match
prevent

SI-10 mandates validation of information inputs, comprehensively preventing command injection exploits like CWE-78 in this CVE.

AC-6 Least Privilege partial match
prevent

AC-6 enforces least privilege, limiting the scope of privilege escalation and damage from successful command injection by the local unprivileged attacker.

MITRE ATT&CK Enterprise TechniquesAI

T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
attack.mitre.org →
Why these techniques?

Command injection (CWE-78) directly enables arbitrary Unix shell command execution on Linux; requires user interaction with malicious file/input to trigger.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

NVIDIA NSIGHT Graphics for Linux contains a vulnerability where an attacker could cause command injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and denial of service.

Deeper analysisAI

CVE-2025-33206 is a command injection vulnerability (CWE-78) affecting NVIDIA Nsight Graphics for Linux. Published on 2026-01-14T19:16:41.690, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The flaw allows an attacker to inject commands through the affected component.

A local attacker requires no privileges (PR:N) but needs low-complexity attack methods and user interaction (UI:R), such as tricking a user into opening a malicious file or input. Successful exploitation could lead to arbitrary code execution, privilege escalation, data tampering, and denial of service on the targeted system.

Mitigation details are available in official advisories, including NVIDIA's security bulletin at https://nvidia.custhelp.com/app/answers/detail/a_id/5738, the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2025-33206, and the CVE record at https://www.cve.org/CVERecord?id=CVE-2025-33206. Security practitioners should consult these for patch information and workarounds.

Details

CWE(s)
CWE-78

Affected Products

nvidia
nsight graphics
≤ 2025.5

CVEs Like This One

CVE-2025-33230Same product: Linux Linux Kernel
CVE-2025-23316Same product: Linux Linux Kernel
CVE-2026-5485Same product: Linux Linux Kernel
CVE-2025-33228Same vendor: Nvidia
CVE-2025-23243Same product: Linux Linux Kernel
CVE-2025-9588Same product: Linux Linux Kernel
CVE-2025-23242Same product: Linux Linux Kernel
CVE-2026-31447Same product: Linux Linux Kernel
CVE-2026-40527Shared CWE-78
CVE-2024-0136Same product: Linux Linux Kernel

References