Cyber Resilience

CVE-2025-33220

Severity: High
Published: 28 January 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: available (see advisories below)
CVSS v3.1 Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (1.1th percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-33220 is a high-severity Use After Free (CWE-416) vulnerability. The affected product is recorded here as Custhelp, inferred from the reference URLs; the deeper analysis below identifies the affected software as NVIDIA vGPU software (Virtual GPU Manager). Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 1.1th percentile by EPSS exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-33220 is a use-after-free vulnerability (CWE-416) in the Virtual GPU Manager component of NVIDIA vGPU software. A malicious guest can trigger heap memory access after the memory has been freed, potentially leading to arbitrary code execution, privilege escalation, data tampering, denial of service, or information disclosure. The vulnerability received a CVSS v3.1 base score of 7.8 (High), reflecting local attack vector, low attack complexity, low privileges required, no user interaction, and high impacts on confidentiality, integrity, and availability.

The attack requires a malicious guest with local access and low privileges (AV:L/PR:L) in a virtualized environment that uses NVIDIA vGPU. Exploitation involves the guest inducing the use-after-free condition in the Virtual GPU Manager on the host, potentially yielding code execution on the host or escalation from guest to host privileges, without any user interaction.

Mitigation details are available in the official advisories, including the NVIDIA security bulletin at https://nvidia.custhelp.com/app/answers/detail/a_id/5747, the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2025-33220, and the CVE record at https://www.cve.org/CVERecord?id=CVE-2025-33220. Security practitioners should consult these for patch information and apply updates to affected vGPU software versions.

Vulnerability details

NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager, where a malicious guest could cause heap memory access after the memory is freed. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, or information disclosure.

CWE(s)

CWE-416: Use After Free

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

- T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
- T1611 Escape to Host (tactic: Privilege Escalation): Adversaries may break out of a container or virtualized environment to gain access to the underlying host.

Why these techniques?

A use-after-free in the Virtual GPU Manager, which runs on the host, directly enables a VM escape from guest to host (T1611); the resulting code execution on the host constitutes privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One (shared CWE-416)

- CVE-2026-47331
- CVE-2026-23111
- CVE-2026-9970
- CVE-2026-27909
- CVE-2026-9932
- CVE-2026-31530
- CVE-2025-21856
- CVE-2025-21727
- CVE-2024-55549
- CVE-2026-34859

Affected Assets

Custhelp (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

- prevent, SI-2 (Flaw Remediation): Directly mitigates CVE-2025-33220 by requiring timely identification, reporting, and patching of the use-after-free flaw in NVIDIA vGPU software.
- prevent, SI-16 (Memory Protection): Implements memory safeguards such as a non-executable heap and ASLR to block unauthorized code execution from the guest-triggered heap use-after-free in the Virtual GPU Manager.
- detect: Enables vulnerability scanning to detect the presence of CVE-2025-33220 in vGPU software, facilitating prioritization for remediation in virtualized environments.