Skip to main content

NVIDIA Display Driver CVE-2025-33221

| EUVDEUVD-2025-209936 MEDIUM
Improper Input Validation (CWE-20)
2026-05-26 nvidia GHSA-mc8c-mh26-q8q7
6.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.0 MEDIUM
AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
SUSE
4.4 MEDIUM
AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

2
CVSS changed
Jun 11, 2026 - 03:07 NVD
4.4 (MEDIUM) 6.0 (MEDIUM)
Analysis Generated
Jun 08, 2026 - 12:36 vuln.today

DescriptionNVD

NVIDIA Display Driver for Windows and Linux contains a vulnerability in the kernel driver, where a user could cause an incorrect permission assignment for a critical resource. A successful exploit of this vulnerability might lead to data tampering and denial of service.

AnalysisAI

Incorrect permission assignment in the NVIDIA Display Driver kernel module on Windows and Linux allows a highly privileged local user to corrupt critical resource permissions, leading to denial of service and potentially data tampering. Affected product lines span GeForce (limited to Maxwell, Volta, and Pascal architectures on some branches), RTX/Quadro/NVS, Tesla, and Guest (vGPU) drivers across multiple version branches. No public exploit exists and no active exploitation has been identified; SSVC assessment rates exploitation as none and impact as partial, consistent with the moderate CVSS score of 4.4.

Technical ContextAI

The vulnerability resides in the NVIDIA kernel-mode display driver (nvlddmkm.sys on Windows; nvidia.ko on Linux), which manages low-level GPU resource allocation and memory permission enforcement. CWE-20 (Improper Input Validation) is the reported root cause class, meaning the driver fails to sufficiently validate inputs before using them to configure permissions on a critical kernel resource - consistent with improper IOCTL or device-node request handling that can result in CWE-732 (Incorrect Permission Assignment). CPE data confirms affected products as cpe:2.3:a:nvidia:geforce:*, cpe:2.3:a:nvidia:rtx,_quadro,_nvs:*, cpe:2.3:a:nvidia:tesla:*, and cpe:2.3:a:nvidia:guest_driver:*, covering both bare-metal and virtualized (vGPU) deployment contexts across Windows and Linux host and guest environments. The GeForce impact is additionally restricted by architecture: only Maxwell, Volta, and Pascal GPU generations are confirmed affected on specific driver branches.

RemediationAI

The primary fix is to upgrade to the patched driver versions published by NVIDIA. For Windows: GeForce, RTX/Quadro/NVS, and Tesla users should upgrade to 596.36 or later; RTX/Quadro/NVS and Tesla users on the 535.x branch should upgrade to 535.309.01. For Linux: upgrade to 595.71.05, 582.53, 580.159.03, or 539.72 depending on your installed branch. vGPU guest driver users should apply the corresponding fixes: 535.288.01 or 539.64 for vGPU 16.x, 582.16 or 580.126.09 for vGPU 19.x, and 595.97 or 595.58.03 for vGPU 20.x. Full patched version details are available at https://nvidia.custhelp.com/app/answers/detail/a_id/5821. If immediate driver upgrade is not possible, a compensating control is to restrict local administrative access to systems running exposed driver versions - since PR:H is required, tightening privilege assignment (e.g., removing unnecessary local admin accounts, enforcing least-privilege policies) reduces the effective attack surface. Note that this control does not eliminate the vulnerability and is not a substitute for patching.

More in Nvidia

View all
CVE-2016-1741 CRITICAL POC
9.8 Mar 24

The NVIDIA driver in the Graphics Drivers subsystem in Apple OS X before 10.11.4 allows attackers to execute arbitrary c

CVE-2013-0109 HIGH POC
7.2 Apr 08

The NVIDIA driver before 307.78, and Release 310 before 311.00, in the NVIDIA Display Driver service on Windows does not

CVE-2019-5684 CRITICAL POC
10.0 Aug 06

NVIDIA Windows GPU Display Driver (all versions) contains a vulnerability in DirectX drivers, in which a specially craft

CVE-2026-24207 CRITICAL POC
9.8 May 20

Authentication bypass in NVIDIA Triton Inference Server allows unauthenticated remote attackers to reach protected funct

CVE-2019-5685 CRITICAL POC
9.8 Aug 06

NVIDIA Windows GPU Display Driver (all versions) contains a vulnerability in DirectX drivers, in which a specially craft

CVE-2025-23359 HIGH POC
8.3 Feb 12

NVIDIA Container Toolkit for Linux contains a Time-of-Check Time-of-Use (TOCTOU) vulnerability when used with default co

CVE-2016-8812 HIGH POC
8.8 Nov 08

For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA GeForce Experience R340 before GFE 2.11.4.125 and R375 before G

CVE-2016-1861 HIGH POC
7.8 Jun 19

The NVIDIA Graphics Drivers subsystem in Apple OS X before 10.11.5 allows attackers to execute arbitrary code in a privi

CVE-2024-0132 HIGH POC
8.3 Sep 26

NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with de

CVE-2016-1846 HIGH POC
7.8 May 20

The nvCommandQueue::GetHandleIndex method in the NVIDIA Graphics Drivers subsystem in Apple OS X before 10.11.5 allows a

CVE-2015-7865 HIGH POC
7.7 Nov 24

nvSCPAPISvr.exe in the Stereoscopic 3D Driver Service in the NVIDIA GPU graphics driver R340 before 341.92, R352 before

CVE-2016-8811 HIGH POC
7.8 Nov 08

For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU Display Driver R340 before 342.00 and R375 before 3

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed

Share

CVE-2025-33221 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy