Source: nvidia-cuda-toolkit Version: 12.4.131~12.4.1-4 Severity: grave Tags: security upstream Justification: user security hole X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerabilities were published for nvidia-cuda-toolkit. CVE-2025-23248[0]: | NVIDIA CUDA Toolkit for all platforms contains a vulnerability in | the nvdisasm binary where a user may cause an out-of-bounds read by | passing a malformed ELF file to nvdisasm. A successful exploit of | this vulnerability may lead to a partial denial of service. CVE-2025-23255[1]: | NVIDIA CUDA Toolkit for all platforms contains a vulnerability in | the cuobjdump binary where a user may cause an out-of-bounds read by | passing a malformed ELF file to cuobjdump. A successful exploit of | this vulnerability may lead to a partial denial of service. CVE-2025-23271[2]: | NVIDIA CUDA Toolkit for all platforms contains a vulnerability in | the nvdisasm binary where a user may cause an out-of-bounds read by | passing a malformed ELF file to nvdisasm. A successful exploit of | this vulnerability may lead to a partial denial of service. CVE-2025-23273[3]: | NVIDIA CUDA Toolkit for all platforms contains a vulnerability in | nvJPEG where a local authenticated user may cause a divide by zero | error by submitting a specially crafted JPEG file. A successful | exploit of this vulnerability may lead to denial of service. CVE-2025-23274[4]: | NVIDIA nvJPEG contains a vulnerability in jpeg encoding where a user | may cause an out-of-bounds read by providing a maliciously crafted | input image with dimensions that cause integer overflows in array | index calculations. A successful exploit of this vulnerability may | lead to denial of service. CVE-2025-23275[5]: | NVIDIA CUDA Toolkit for all platforms contains a vulnerability in | nvJPEG where a local authenticated user may cause a GPU out-of- | bounds write by providing certain image dimensions. A successful | exploit of this vulnerability may lead to denial of service and | information disclosure. CVE-2025-23308[6]: | NVIDIA CUDA Toolkit for all platforms contains a vulnerability in | nvdisasm where an attacker may cause a heap-based buffer overflow by | getting the user to run nvdisasm on a malicious ELF file. A | successful exploit of this vulnerability may lead to arbitrary code | execution at the privilege level of the user running nvdisasm. CVE-2025-23338[7]: | NVIDIA CUDA Toolkit for all platforms contains a vulnerability in | nvdisasm where a user may cause an out-of-bounds write by running | nvdisasm on a malicious ELF file. A successful exploit of this | vulnerability may lead to denial of service. CVE-2025-23339[8]: | NVIDIA CUDA Toolkit for all platforms contains a vulnerability in | cuobjdump where an attacker may cause a stack-based buffer overflow | by getting the user to run cuobjdump on a malicious ELF file. A | successful exploit of this vulnerability may lead to arbitrary code | execution at the privilege level of the user running cuobjdump. CVE-2025-23340[9]: | NVIDIA CUDA Toolkit for all platforms contains a vulnerability in | the nvdisasm binary where a user may cause an out-of-bounds read by | passing a malformed ELF file to nvdisasm. A successful exploit of | this vulnerability may lead to a partial denial of service. CVE-2025-23346[10]: | NVIDIA CUDA Toolkit contains a vulnerability in cuobjdump, where an | unprivileged user can cause a NULL pointer dereference. A | successful exploit of this vulnerability may lead to a limited | denial of service. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2025-23248 https://www.cve.org/CVERecord?id=CVE-2025-23248 [1] https://security-tracker.debian.org/tracker/CVE-2025-23255 https://www.cve.org/CVERecord?id=CVE-2025-23255 [2] https://security-tracker.debian.org/tracker/CVE-2025-23271 https://www.cve.org/CVERecord?id=CVE-2025-23271 [3] https://security-tracker.debian.org/tracker/CVE-2025-23273 https://www.cve.org/CVERecord?id=CVE-2025-23273 [4] https://security-tracker.debian.org/tracker/CVE-2025-23274 https://www.cve.org/CVERecord?id=CVE-2025-23274 [5] https://security-tracker.debian.org/tracker/CVE-2025-23275 https://www.cve.org/CVERecord?id=CVE-2025-23275 [6] https://security-tracker.debian.org/tracker/CVE-2025-23308 https://www.cve.org/CVERecord?id=CVE-2025-23308 [7] https://security-tracker.debian.org/tracker/CVE-2025-23338 https://www.cve.org/CVERecord?id=CVE-2025-23338 [8] https://security-tracker.debian.org/tracker/CVE-2025-23339 https://www.cve.org/CVERecord?id=CVE-2025-23339 [9] https://security-tracker.debian.org/tracker/CVE-2025-23340 https://www.cve.org/CVERecord?id=CVE-2025-23340 [10] https://security-tracker.debian.org/tracker/CVE-2025-23346 https://www.cve.org/CVERecord?id=CVE-2025-23346 [11] https://nvidia.custhelp.com/app/answers/detail/a_id/5661 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
