CVE-2025-33220
Published: 28 January 2026
Summary
CVE-2025-33220 is a high-severity Use After Free (CWE-416) vulnerability in Custhelp (inferred from references). Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 1.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-33220 is a use-after-free vulnerability (CWE-416) in the Virtual GPU Manager component of NVIDIA vGPU software. A malicious guest can trigger heap memory access after the memory has been freed, potentially leading to arbitrary code execution, privilege escalation, data tampering, denial of service, or information disclosure. The vulnerability received a CVSS v3.1 base score of 7.8 (High), reflecting local attack vector, low attack complexity, low privileges required, no user interaction, and high impacts on confidentiality, integrity, and availability.
The attack requires a malicious guest with local access and low privileges (AV:L/PR:L) on a virtualized environment using NVIDIA vGPU. Exploitation involves the guest inducing the use-after-free condition in the Virtual GPU Manager on the host, allowing potential remote code execution or escalation from guest to host privileges without user interaction.
Mitigation details are available in the official advisories, including the NVIDIA security bulletin at https://nvidia.custhelp.com/app/answers/detail/a_id/5747, the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2025-33220, and the CVE record at https://www.cve.org/CVERecord?id=CVE-2025-33220. Security practitioners should consult these for patch information and apply updates to affected vGPU software versions.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206467
Vulnerability details
NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager, where a malicious guest could cause heap memory access after the memory is freed. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data…
more
tampering, denial of service, or information disclosure.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Use-after-free in vGPU manager directly enables VM escape (T1611) from guest to host and resulting privilege escalation (T1068) with arbitrary code execution.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates CVE-2025-33220 by requiring timely identification, reporting, and patching of the use-after-free flaw in NVIDIA vGPU software.
Implements memory safeguards like non-executable heap and ASLR to block unauthorized code execution from the guest-triggered heap use-after-free in Virtual GPU Manager.
Enables scanning to detect the presence of CVE-2025-33220 in vGPU software, facilitating prioritization for remediation in virtualized environments.