EUVD-2025-208972

CVE-2025-33244 CRITICAL
2026-03-24 nvidia
9.0
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 24, 2026 - 20:31 (vuln.today)
EUVD ID Assigned: Mar 24, 2026 - 20:31 (euvd), EUVD-2025-208972
CVE Published: Mar 24, 2026 - 20:25 (nvd)

Description

NVIDIA APEX for Linux contains a vulnerability where an unauthorized attacker could cause a deserialization of untrusted data. This vulnerability affects environments that use PyTorch versions earlier than 2.6. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, data tampering, and information disclosure.

Analysis

NVIDIA APEX for Linux contains a deserialization of untrusted data vulnerability that affects environments using PyTorch versions earlier than 2.6. An attacker with low privileges and adjacent-network access (AV:A, PR:L) who can get APEX to deserialize data they control may achieve code execution, denial of service, privilege escalation, data tampering, and information disclosure; the scope change (S:C) indicates that the impact reaches beyond the APEX component itself. The score is CVSS 9.0 Critical. No KEV listing or public POC has been reported at this time.

Technical Context

NVIDIA APEX (A PyTorch Extension) is a tool for mixed precision and distributed training in PyTorch environments, commonly used to accelerate deep learning workloads. The vulnerability is classed as CWE-502 (Deserialization of Untrusted Data): the application hands serialized data to a deserializer without first establishing that the data is safe to process. It affects the cpe:2.3:a:nvidia:apex product across all versions when used with PyTorch versions prior to 2.6. In Python's pickle format, which PyTorch uses for checkpoints and other saved objects, a stream can name any importable callable and have it invoked with attacker-chosen arguments while it is being loaded, so deserializing untrusted bytes amounts to running attacker-supplied code inside the loading process. The dependence on the PyTorch version is consistent with the change in PyTorch 2.6, which made weights_only=True the default for torch.load and thereby restricts which objects a checkpoint may reference; the advisory does not name the affected code path, so treat that as the likely mechanism rather than a confirmed one.
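The mechanism as it applies to Python's pickle format, as an added example that is not NVIDIA's code and not the actual APEX code path (the advisory does not name one): a constructed object whose __reduce__ names builtins.exec runs at load time under a plain pickle load, which is what torch.load with weights_only=False amounts to, while an Unpickler whose find_class enforces an allowlist rejects the same stream before the call is ever made. The allowlist contents, the marker environment variable and the helper names are assumptions made for this demonstration.

```python
import io
import os
import pickle
from collections import OrderedDict

# Environment variable the constructed payload sets when it runs (assumption
# for the demo). A real payload would call os.system or similar instead.
MARKER = "APEX_DEMO_PAYLOAD_RAN"


class Payload:
    """Constructed malicious object: __reduce__ tells the unpickler which
    callable to invoke at load time (here builtins.exec with a harmless
    statement) instead of restoring a tensor or dict."""

    def __reduce__(self):
        return (exec, (f"import os; os.environ['{MARKER}'] = '1'",))


def build_malicious_checkpoint() -> bytes:
    return pickle.dumps(Payload(), protocol=4)


# A state_dict-like OrderedDict; no tensors, so the example runs without torch.
BENIGN_STATE = OrderedDict([("layer.weight", [0.1, 0.2]), ("layer.bias", [0.0])])


def build_benign_checkpoint() -> bytes:
    return pickle.dumps(BENIGN_STATE, protocol=4)


def load_unsafe(data: bytes):
    """What a pre-2.6 torch.load (weights_only=False) amounts to: a full
    pickle load, so the stream may import and call any Python object."""
    return pickle.loads(data)


# Globals a plain state_dict needs. Assumed minimal allowlist for this
# example; torch's weights_only loader uses a longer, tensor-aware one.
SAFE_GLOBALS = {
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every GLOBAL/STACK_GLOBAL reference outside the allowlist.
    find_class runs before the REDUCE opcode, so a rejected payload never
    executes."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refused to import {module}.{name} from untrusted checkpoint")


def load_safe(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def run_demo() -> dict:
    """Load the constructed payload both ways and report what happened."""
    malicious = build_malicious_checkpoint()
    benign = build_benign_checkpoint()

    os.environ.pop(MARKER, None)
    load_unsafe(malicious)                      # payload runs here
    unsafe_executed = os.environ.get(MARKER) == "1"

    os.environ.pop(MARKER, None)
    try:
        load_safe(malicious)                    # rejected in find_class
        error = None
    except pickle.UnpicklingError as exc:
        error = str(exc)
    safe_executed = os.environ.get(MARKER) == "1"

    return {
        "unsafe_loader_ran_payload": unsafe_executed,
        "restricted_loader_error": error,
        "restricted_loader_ran_payload": safe_executed,
        "restricted_loader_reads_benign": load_safe(benign) == BENIGN_STATE,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The allowlist is deliberately tiny: a loader that only ever needs OrderedDict and tensor-rebuild helpers should refuse everything else, and the rejection happens at the import step, so no attacker-chosen callable is ever looked up, let alone called.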

Affected Products

NVIDIA APEX for Linux is affected across all versions when deployed in environments using PyTorch versions earlier than 2.6; the CPE identifier cpe:2.3:a:nvidia:apex:*:*:*:*:*:*:*:* carries no version bound, so the PyTorch version, not the APEX version, is the practical condition to check. The vulnerability specifically impacts Linux-based deployments of APEX in conjunction with PyTorch versions earlier than 2.6. Organizations should consult the official NVIDIA security bulletin at https://nvidia.custhelp.com/app/answers/detail/a_id/5782 for detailed version information and affected configuration details.

Remediation

The primary remediation is to upgrade PyTorch to version 2.6 or later, which mitigates the deserialization vulnerability in NVIDIA APEX environments, as detailed in the NVIDIA security advisory at https://nvidia.custhelp.com/app/answers/detail/a_id/5782. Independently of the upgrade, code that loads checkpoints can pass weights_only=True to torch.load explicitly (a general hardening for pickle-based loading, not a step the advisory lists), so that the restriction does not depend on the library default. Organizations unable to upgrade immediately should treat checkpoints and other serialized artifacts as code: accept them only from trusted, authenticated sources, verify their hash or signature before loading, restrict adjacent-network access to APEX hosts through network segmentation, and limit which low-privilege accounts can place files where training jobs will load them. Monitoring should look for the side effects of a successful payload, such as Python training workers spawning unexpected child processes or opening unexpected outbound connections, rather than for deserialization itself, which is routine in these workloads.
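A pre-load check in the spirit of the remediation advice, as an added example that is not from the NVIDIA advisory: a static scanner that walks a checkpoint's pickle opcodes with pickletools, lists every module.name the stream would import, and rejects the file if any falls outside an allowlist, without executing the stream. The allowlist contents, the zip-layout helper and the sample streams are constructed assumptions for the example; the zip branch relies on the fact that a torch.save archive keeps its object graph in a .pkl member.

```python
import io
import pickle
import pickletools
import zipfile
from collections import OrderedDict

# Globals a plain PyTorch state_dict checkpoint legitimately references.
# Assumption for this example: extend it for your own model classes, and keep
# it short; anything that can run code (os, subprocess, builtins) stays out.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
    ("torch", "FloatStorage"),
    ("torch", "LongStorage"),
}

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def scan_pickle_bytes(data: bytes) -> set:
    """Return every (module, name) global a pickle stream would import.

    Purely static: walks the opcodes with pickletools.genops and never
    executes the stream. GLOBAL/INST carry "module name" inline; STACK_GLOBAL
    (protocol 4) pops its module and name from the two preceding string
    pushes, which may arrive via memo GETs, so a small shadow of the string
    stack and of the memo is kept to resolve them.
    """
    found = set()
    strings = []      # shadow of string values pushed on the pickle stack
    memo = {}         # memo slot -> string value (non-strings recorded as None)
    memo_count = 0    # MEMOIZE assigns slots sequentially
    last = None       # most recent push, if it was a string
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            module, attr = arg.split(" ", 1)
            found.add((module, attr))
            last = None
        elif op.name in STRING_OPS:
            strings.append(arg)
            last = arg
        elif op.name == "MEMOIZE":
            memo[memo_count] = last
            memo_count += 1
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = last
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            last = memo.get(arg)
            strings.append(last)
        elif op.name == "STACK_GLOBAL":
            attr = strings.pop() if strings else None
            module = strings.pop() if strings else None
            # Unresolvable references are reported as such and fail the allowlist.
            found.add((module or "<unresolved>", attr or "<unresolved>"))
            last = None
        else:
            last = None
    return found


def scan_checkpoint(data: bytes) -> dict:
    """Scan a raw pickle, or a zip container whose *.pkl members hold the
    object graph (the torch.save layout), and judge it against the allowlist."""
    streams = {}
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if member.endswith(".pkl"):
                    streams[member] = zf.read(member)
    else:
        streams["<raw>"] = data
    found = set()
    for stream in streams.values():
        found |= scan_pickle_bytes(stream)
    disallowed = found - ALLOWED_GLOBALS
    return {"members": sorted(streams), "globals": found,
            "disallowed": disallowed, "safe": not disallowed}


def build_zip_checkpoint(pickle_bytes: bytes) -> bytes:
    """Constructed zip container laid out like a torch.save archive (assumption)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", pickle_bytes)
    return buf.getvalue()


# Constructed samples. Neither malicious stream is ever loaded here.
BENIGN_PICKLE = pickle.dumps(
    OrderedDict([("layer.weight", [0.1, 0.2]), ("layer.bias", [0.0])]), protocol=4)

# Classic protocol-0 payload: GLOBAL os.system, one-string tuple, REDUCE.
MALICIOUS_PROTO0 = b"cos\nsystem\n(S'id'\ntR."


class _EvalPayload:
    def __reduce__(self):
        return (eval, ("1 + 1",))


# Protocol-4 payload: the same trick encoded with STACK_GLOBAL builtins.eval.
MALICIOUS_PROTO4 = pickle.dumps(_EvalPayload(), protocol=4)


if __name__ == "__main__":
    for label, blob in [("benign", BENIGN_PICKLE),
                        ("proto0 payload", MALICIOUS_PROTO0),
                        ("proto4 payload in zip", build_zip_checkpoint(MALICIOUS_PROTO4))]:
        print(label, scan_checkpoint(blob))
```

Run the scan on artifacts at ingestion time (when a checkpoint lands in shared storage or a registry), not only at load time; an allowlist miss then becomes a blocked upload and an alert, and the restricted loader remains the last line of defence for anything that slips through.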

Priority Score

45 (on a scale of Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +45
POC: 0


EUVD-2025-208972 vulnerability details – vuln.today
