NVIDIA CUDA Toolkit Vulnerability Enables Command Injection and Arbitrary Code Execution

NVIDIA has released a critical security update addressing four high-severity vulnerabilities in its CUDA Toolkit that could allow attackers to execute arbitrary code, escalate privileges, and compromise system integrity.

The flaws affect NVIDIA Nsight Systems and Nsight Visual Studio Edition, development tools widely used by researchers, engineers, and data center administrators.

Vulnerability Overview

The security bulletin, published January 20, 2026, details four distinct command injection and DLL loading vulnerabilities across NVIDIA’s profiling and debugging platforms.

All vulnerabilities carry CVSS base scores between 6.7 and 7.3, classified as high-severity threats with widespread potential impact across Windows and Linux deployments.

The most critical flaw exists in NVIDIA Nsight Systems, where attackers can inject OS commands through malicious input strings supplied to the gfx_hotspot recipe’s process_nsys_rep_cli.py script.

A successful exploit grants attackers code execution capabilities with escalated privileges, enabling data theft, system manipulation, and denial-of-service attacks.

Command Injection via Installation Path (CVE-2025-33230): The Nsight Systems Linux .run installer contains a command injection vulnerability in its path handling mechanism.

Attackers can craft malicious installation paths to execute arbitrary commands during the installation process, potentially compromising the entire system before the software installation completes.

Uncontrolled DLL Search Path (CVE-2025-33231): Nsight Systems on Windows loads dynamic libraries through an uncontrolled search path.

Attackers can place malicious DLL files in predictable locations, causing the application to load and execute attacker-controlled code with application privileges.

Nsight Monitor Privilege Escalation (CVE-2025-33229): The Nsight Visual Studio Edition Monitor component allows local attackers with limited privileges to execute arbitrary code at the application’s privilege level, leading to privilege escalation and full system compromise in enterprise environments.
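The two command injection flaws above (the input string passed to a script and the installer path) belong to the same class, CWE-78: untrusted text becomes part of a shell command line. The following is an added illustration of that class, not NVIDIA's code and not taken from the bulletin. It assumes a POSIX shell, a constructed input string, a harmless stand-in program that only prints its arguments, and a hypothetical allowlist (`SAFE_NAME`, `is_safe_name`).

```python
import re
import shlex
import subprocess
import sys

# Constructed input: a report name carrying a shell metacharacter.
HOSTILE_NAME = "run1.nsys-rep; echo INJECTED"

# Harmless stand-in for the invoked tool (assumption, not an NVIDIA binary):
# it prints every argument it received, one per line.
STAND_IN_CODE = "import sys; print(*sys.argv[1:], sep=chr(10))"

# Hypothetical allowlist: plain file name, no path separators, no shell
# metacharacters, and no leading '-' that could be read as an option.
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*\.nsys-rep")


def run_via_shell(name):
    """CWE-78 pattern: untrusted text spliced into a shell command line."""
    tool = f"{shlex.quote(sys.executable)} -c {shlex.quote(STAND_IN_CODE)}"
    cmd = f"{tool} --report {name}"  # name is NOT quoted: the defect
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return done.stdout.splitlines()


def run_via_argv(name):
    """No shell involved: the value stays exactly one argv element."""
    cmd = [sys.executable, "-c", STAND_IN_CODE, "--report", name]
    done = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return done.stdout.splitlines()


def is_safe_name(name):
    """Defence in depth: reject anything outside the allowlist up front."""
    return SAFE_NAME.fullmatch(name) is not None


if __name__ == "__main__":
    # Shell form: ';' ends the first command and 'echo' runs as a second one.
    print("shell:", run_via_shell(HOSTILE_NAME))
    # argv form: the whole string arrives as a single, inert argument.
    print("argv: ", run_via_argv(HOSTILE_NAME))
    print("allowlisted:", is_safe_name(HOSTILE_NAME))
```

When reviewing in-house wrappers around profilers or installers, any `shell=True`, `os.system`, or unquoted shell variable that carries a user-supplied path or name is the pattern to look for.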

NVIDIA CUDA Toolkit versions up to and including 13.1 are affected across both Windows and Linux platforms. Users should immediately update to CUDA Toolkit 13.1 through the official NVIDIA CUDA Toolkit Downloads page.

Earlier software releases remain vulnerable; administrators must verify all systems are running the latest patched version.

| CVE ID | Product | Vulnerability Type | CVSS Score | Severity | CWE |
| --- | --- | --- | --- | --- | --- |
| CVE-2025-33228 | NVIDIA Nsight Systems | OS Command Injection | 7.3 | High | CWE-78 |
| CVE-2025-33229 | NVIDIA Nsight Visual Studio | Arbitrary Code Execution | 7.3 | High | CWE-427 |
| CVE-2025-33230 | NVIDIA Nsight Systems (Linux) | Command Injection | 7.3 | High | CWE-78 |
| CVE-2025-33231 | NVIDIA Nsight Systems (Windows) | DLL Search Path | 6.7 | Medium | CWE-427 |

These vulnerabilities pose a significant risk to research institutions, AI development teams, and data center operators relying on NVIDIA profiling tools.

Attackers with local access can escalate privileges and establish persistent access to systems containing sensitive training data, proprietary models, or classified research.

NVIDIA credits security researcher pwni for responsibly disclosing these vulnerabilities. Organizations should prioritize patching across development and production environments, especially systems handling sensitive workloads.

For comprehensive vulnerability tracking and security bulletins, visit the NVIDIA Product Security page at nvidia.com/security to subscribe to notifications and access additional product security information.


The post NVIDIA CUDA Toolkit Vulnerability Enables Command Injection and Arbitrary Code Execution appeared first on Cyber Security News.

