CVE-2025-23245 Overview
CVE-2025-23245 affects NVIDIA vGPU software for Windows and Linux. The vulnerability resides in the Virtual GPU Manager (vGPU plugin), where a guest virtual machine can access global resources outside its intended boundary. Successful exploitation can lead to denial of service against the host or other guests sharing the GPU.
The flaw maps to CWE-732: Incorrect Permission Assignment for Critical Resource. Exploitation requires local access with low-privileged credentials inside the guest, and no user interaction is needed.
Critical Impact
A low-privileged guest user can trigger denial of service on shared virtual GPU infrastructure, disrupting workloads across tenants on the same host.
Affected Products
- NVIDIA vGPU software for Windows
- NVIDIA vGPU software for Linux
- NVIDIA Virtual GPU Manager (vGPU plugin)
Discovery Timeline
- 2025-05-01 - CVE-2025-23245 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-23245
Vulnerability Analysis
The vulnerability exists in the Virtual GPU Manager (vGPU plugin), which mediates access between guest virtual machines and the physical GPU. NVIDIA vGPU software partitions a physical GPU into multiple virtual GPUs assigned to separate guests. The plugin must enforce strict isolation so each guest only touches resources allocated to it.
In this case, the plugin grants a guest the ability to reach global resources shared across the host. These global resources fall outside the scope of any single guest allocation. Crossing that boundary allows a guest to interfere with host-level GPU state and impact availability for other tenants.
Root Cause
The root cause is incorrect permission assignment on a critical resource, classified as CWE-732. The vGPU plugin does not properly restrict guest access to resources that should remain global to the hypervisor. This permission gap lets unprivileged guest code reach state objects the isolation model assumes are unreachable.
Attack Vector
The attack vector is local. An attacker needs code execution inside a guest VM with low privileges. No user interaction on the host or other guests is required.
From the guest, an attacker issues GPU operations that the vGPU plugin should reject or scope to the guest partition. Because the plugin exposes global resources, the operation reaches shared state and can destabilize the GPU service. The impact is limited to availability, with no confidentiality or integrity loss reported by the vendor.
The vulnerability is described in prose only. See the NVIDIA Customer Support Answer for vendor-specific technical details.
Detection Methods for CVE-2025-23245
Indicators of Compromise
- Unexpected GPU hangs, resets, or driver restarts on hypervisor hosts running NVIDIA vGPU Manager.
- vGPU plugin error entries in hypervisor logs correlating with guest activity from a single tenant VM.
- Denial of service symptoms affecting multiple guest VMs sharing the same physical GPU.
Detection Strategies
- Monitor nvidia-smi and hypervisor GPU telemetry for abnormal utilization spikes, fault counts, or engine resets originating from specific guest VMs.
- Correlate guest VM workload patterns with host-side GPU faults to identify a single guest as the source of repeated failures.
- Audit installed NVIDIA vGPU software versions against the fixed versions listed in the NVIDIA advisory.
Monitoring Recommendations
- Centralize hypervisor and GPU driver logs in a SIEM and alert on repeated vGPU plugin faults from the same guest UUID.
- Track GPU availability metrics per tenant and flag deviations that coincide with neighboring guest activity.
- Inventory NVIDIA vGPU Manager versions across the fleet and alert on hosts running pre-patch builds.
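The per-guest fault correlation described in the detection and monitoring lists above can be prototyped before it is ported to a SIEM rule. The following is an added example, not vendor or NVIDIA code: the log line layout, the event names `vgpu_plugin_fault` and `gpu_unavailable`, the host names, and the guest identifiers are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in an assumed normalized form:
# "<timestamp> <host> <guest_uuid> <event>". This is not the real vGPU Manager
# log format; guest IDs are placeholders standing in for UUIDs.
SAMPLE_EVENTS = """\
2025-05-02T10:00:05 gpu-host-01 guest-a vgpu_plugin_fault
2025-05-02T10:02:10 gpu-host-01 guest-a vgpu_plugin_fault
2025-05-02T10:03:00 gpu-host-01 guest-b vgpu_plugin_fault
2025-05-02T10:04:30 gpu-host-01 guest-a vgpu_plugin_fault
2025-05-02T10:04:40 gpu-host-01 guest-b gpu_unavailable
2025-05-02T10:04:45 gpu-host-01 guest-c gpu_unavailable
2025-05-02T10:30:00 gpu-host-02 guest-d vgpu_plugin_fault
2025-05-02T10:50:00 gpu-host-02 guest-d vgpu_plugin_fault
2025-05-02T11:10:00 gpu-host-02 guest-d vgpu_plugin_fault
"""

def parse(text):
    """Return (timestamp, host, guest, event) tuples in time order."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    return sorted((datetime.fromisoformat(ts), host, guest, ev)
                  for ts, host, guest, ev in rows)

def repeated_fault_alerts(text, threshold=3, window=timedelta(minutes=10)):
    """Alert once per (host, guest) with >= threshold faults in a sliding window."""
    events = parse(text)
    recent = defaultdict(deque)  # (host, guest) -> fault times still in window
    alerts = {}
    for ts, host, guest, ev in events:
        if ev != "vgpu_plugin_fault":
            continue
        q = recent[(host, guest)]
        q.append(ts)
        while ts - q[0] > window:  # expire faults older than the window
            q.popleft()
        if len(q) >= threshold and (host, guest) not in alerts:
            alerts[(host, guest)] = {"host": host, "guest": guest,
                                     "faults": len(q), "at": ts}
    # Attach other guests on the same host that lost GPU service near the alert.
    for (host, guest), alert in alerts.items():
        alert["neighbors_impacted"] = sorted({
            g for ts, h, g, ev in events
            if h == host and g != guest and ev == "gpu_unavailable"
            and abs(ts - alert["at"]) <= window})
    return list(alerts.values())

if __name__ == "__main__":
    for alert in repeated_fault_alerts(SAMPLE_EVENTS):
        print(alert)
```

The threshold and window are tuning parameters; a single fault from a guest (as with `guest-b` in the sample) or faults spread over a long period (as with `guest-d`) do not alert at the defaults.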
How to Mitigate CVE-2025-23245
Immediate Actions Required
- Apply the NVIDIA vGPU software security update referenced in the vendor advisory to all affected hypervisor hosts.
- Inventory all hosts running NVIDIA Virtual GPU Manager and confirm patch status for both Windows and Linux builds.
- Restrict local access inside guest VMs to trusted users until patching is complete, since exploitation requires local guest privileges.
Patch Information
NVIDIA has released a security update addressing CVE-2025-23245. Refer to NVIDIA Customer Support Answer 5630 for the list of fixed versions across vGPU software branches and for hypervisor-specific upgrade procedures.
Workarounds
- No vendor-supplied workaround is documented. Patching is the only complete remediation.
- Limit which tenants share a physical GPU through vGPU profiles to reduce blast radius of a denial of service.
- Enforce least-privilege access controls inside guest VMs to reduce the population of users able to trigger the flaw locally.
The vendor advisory does not publish configuration snippets for this issue. See the NVIDIA Customer Support Answer for upgrade instructions.

