Cyber Posture

CVE-2025-33230

High

Published: 20 January 2026

Published
20 January 2026
Modified
02 February 2026
KEV Added
Patch
CVSS Score 7.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0002 6.6th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-33230 is a high-severity OS Command Injection (CWE-78) vulnerability in Nvidia Cuda Toolkit. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked at the 6.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Unix Shell (T1059.004) and 1 other technique.
Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SC-27 Platform-independent Applications
addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

SI-10 Information Input Validation
addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.

MITRE ATT&CK Enterprise TechniquesAI

T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

OS command injection (CWE-78) in Linux installer directly enables Unix shell command execution (T1059.004) and local privilege escalation (T1068) via malicious path input.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

NVIDIA Nsight Systems for Linux contains a vulnerability in the .run installer, where an attacker could cause an OS command injection by supplying a malicious string to the installation path. A successful exploit of this vulnerability might lead to escalation…

more

of privileges, code execution, data tampering, denial of service, and information disclosure.

Deeper analysisAI

CVE-2025-33230 affects the .run installer in NVIDIA Nsight Systems for Linux. The vulnerability enables OS command injection when an attacker supplies a malicious string to the installation path. Published on 2026-01-20 with a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H), it is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command).

A local attacker with low privileges can exploit this vulnerability by tricking a user into specifying a malicious installation path during setup, which requires user interaction but has low complexity. Successful exploitation could result in escalation of privileges, arbitrary code execution, data tampering, denial of service, or information disclosure.

Mitigation details are available in official advisories, including the NVIDIA security bulletin at https://nvidia.custhelp.com/app/answers/detail/a_id/5755, the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2025-33230, and the CVE record at https://www.cve.org/CVERecord?id=CVE-2025-33230.

Details

CWE(s)
CWE-78

Affected Products

nvidia
cuda toolkit
≤ 13.1.0

CVEs Like This One

CVE-2025-33206Same product: Linux Linux Kernel
CVE-2025-33228Same product: Nvidia Cuda Toolkit
CVE-2025-23316Same product: Linux Linux Kernel
CVE-2026-5485Same product: Linux Linux Kernel
CVE-2025-23242Same product: Linux Linux Kernel
CVE-2026-31743Same product: Linux Linux Kernel
CVE-2026-23099Same product: Linux Linux Kernel
CVE-2024-58055Same product: Linux Linux Kernel
CVE-2025-21735Same product: Linux Linux Kernel
CVE-2026-23221Same product: Linux Linux Kernel

References