Cyber Posture

CVE-2025-33240

High

Published: 18 February 2026

Modified: 26 February 2026
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (7.8th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-33240 is a high-severity Code Injection (CWE-94) vulnerability in Nvidia Megatron-Bridge. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 7.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

Directly prevents code injection by requiring validation and sanitization of malicious inputs to the data shuffling tutorial in NVIDIA Megatron Bridge.

prevent

Addresses the vulnerability through timely identification, testing, and installation of patches for the code injection flaw as provided in NVIDIA advisories.

prevent

Mitigates privilege escalation and high-impact effects like information disclosure and data tampering by enforcing least privilege on the low-privilege attacker context.

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local code injection (CWE-94) directly enables arbitrary code execution and privilege escalation from a low-privileged context (T1068).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

NVIDIA Megatron Bridge contains a vulnerability in a data shuffling tutorial, where malicious input could cause a code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering.

Deeper analysis

CVE-2025-33240 is a code injection vulnerability (CWE-94) in a data shuffling tutorial within NVIDIA Megatron Bridge. Malicious input to this component can enable code execution, escalation of privileges, information disclosure, and data tampering. The vulnerability received a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-02-18.

Exploitation requires local access to the affected system and low privileges; attack complexity is low and no user interaction is needed. Successful exploitation leads to high-impact outcomes, including arbitrary code execution, privilege escalation from a low-privilege context, sensitive data exposure, and data tampering.

Mitigation guidance is available in official advisories, including NVIDIA's security bulletin at https://nvidia.custhelp.com/app/answers/detail/a_id/5781, the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2025-33240, and the CVE record at https://www.cve.org/CVERecord?id=CVE-2025-33240.

Details

CWE(s)

Affected Products

nvidia megatron-bridge ≤ 0.2.2

CVEs Like This One

CVE-2025-33239 (same product: Nvidia Megatron-Bridge)
CVE-2025-33236 (same vendor: Nvidia)
CVE-2025-33251 (same vendor: Nvidia)
CVE-2025-33179 (same vendor: Nvidia)
CVE-2025-33250 (same vendor: Nvidia)
CVE-2026-24157 (same vendor: Nvidia)
CVE-2026-24159 (same vendor: Nvidia)
CVE-2025-25943 (shared CWE-94)
CVE-2026-24154 (same vendor: Nvidia)
CVE-2025-63421 (shared CWE-94)
