CVE-2025-23263
BaseFortify
Publication date: 2025-07-17
Last updated on: 2025-07-17
Assigner: NVIDIA Corporation
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mellanox | ofed | * |
| nvidia | doca-host | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-279 | While it is executing, the product sets the permissions of an object in a way that violates the intended permissions that have been specified by the user. |
AI Powered Q&A
Can you explain this vulnerability to me?
The CVE-2025-23263 vulnerability affects NVIDIA DOCA-Host and Mellanox OFED products within the VGT+ feature. It allows an attacker with access to a virtual machine (VM) to potentially escalate privileges and cause denial of service (DoS) on the VLAN. This vulnerability occurs when VGT+ is enabled and the eSwitch is operating in Legacy mode, which is the default. The issue is due to improper authorization (CWE-279) and impacts confidentiality, integrity, and availability. [1]
How can this vulnerability impact me?
If exploited, this vulnerability can allow an attacker on a VM to escalate their privileges beyond what is normally permitted and cause denial of service on the VLAN. This means the attacker could gain unauthorized access to resources and disrupt network communications, potentially affecting system availability and security. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect if the vulnerability is present, check if the VGT+ feature is enabled on your system. You can verify this by checking the existence and content of the file `/sys/class/net/eth5/device/sriov/0/trunk`. If this file is missing or empty, VGT+ is not enabled. Additionally, to check if the device is operating in Legacy mode (which is the vulnerable mode), use the command: `sudo find /sys/class/net -name mode -exec cat {} \;`. [1]
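The two checks above combined into one pass over every interface and VF, as an added example that is not part of the original page or of NVIDIA's advisory. The function names, the output format and the `compat/devlink` location of the `mode` file in the sample tree are assumptions, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example, not NVIDIA's tooling. Reports interfaces where a VF trunk
# file has content (VGT+ configured) and an eSwitch "mode" file reads legacy.

vgt_plus_exposure() {
    root=${1:-/sys/class/net}
    for ifdir in "$root"/*/; do
        [ -d "$ifdir" ] || continue
        ifname=$(basename "$ifdir")
        vfs=""
        for trunk in "$ifdir"device/sriov/*/trunk; do
            [ -r "$trunk" ] || continue
            # Read the content: sysfs attributes report a fixed size, so a
            # size test such as [ -s ] cannot detect an empty trunk list.
            if [ -n "$(tr -d '[:space:]' < "$trunk")" ]; then
                vfs="${vfs:+$vfs,}$(basename "$(dirname "$trunk")")"
            fi
        done
        [ -n "$vfs" ] || continue
        # Name-based lookup like the find command in the text, scoped to this
        # interface. The trailing slash on $ifdir makes find descend even
        # though /sys/class/net entries are symlinks.
        mode=$(find "$ifdir" -maxdepth 3 -type f -name mode \
                   -exec cat {} \; 2>/dev/null | head -n 1 | tr -d '[:space:]')
        case "$mode" in
            legacy) echo "$ifname vfs=$vfs mode=legacy EXPOSED" ;;
            "")     echo "$ifname vfs=$vfs mode=unknown REVIEW" ;;
            *)      echo "$ifname vfs=$vfs mode=$mode ok" ;;
        esac
    done
}

# Constructed sample tree (not real sysfs; mode path is an assumed layout):
# eth5 legacy + VF0 trunked, eth6 switchdev + VF0 trunked, eth7 empty trunk.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/eth5/device/sriov/0" "$d/eth5/device/sriov/1" "$d/eth5/compat/devlink" \
             "$d/eth6/device/sriov/0" "$d/eth6/compat/devlink" "$d/eth7/device/sriov/0"
    echo "2-10" > "$d/eth5/device/sriov/0/trunk"; : > "$d/eth5/device/sriov/1/trunk"
    echo legacy > "$d/eth5/compat/devlink/mode"
    echo "20" > "$d/eth6/device/sriov/0/trunk"
    echo switchdev > "$d/eth6/compat/devlink/mode"
    : > "$d/eth7/device/sriov/0/trunk"
    echo "$d"
}

vgt_plus_exposure "$(make_demo_tree)"
```

Call `vgt_plus_exposure` with no argument to scan the live `/sys/class/net`. An `EXPOSED` line means both preconditions named above hold on that interface; it does not tell you whether the installed driver version already contains the fix.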
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include reviewing your network configurations to ensure that the VGT+ feature is disabled unless it is explicitly required. If VGT+ is enabled and the device is operating in Legacy mode, consider disabling VGT+ or upgrading to the fixed versions of NVIDIA DOCA-Host or Mellanox OFED. Users should download and install the latest updates from the DOCA Framework page or contact their account manager for earlier evaluation versions. [1]