NVIDIA has released a critical set of software updates addressing multiple vulnerabilities across its BlueField DPUs, DOCA software framework, Mellanox DPDK, ConnectX network adapters, Cumulus Linux, and NVOS products. Several of these flaws carry high to critical severity ratings, with impacts ranging from privilege escalation to denial of service and information disclosure.
The most severe vulnerability, CVE-2025-23256, affects the NVIDIA BlueField management interface. According to NVIDIA, “an attacker with local access could cause incorrect authorization to modify the configuration. A successful exploit of this vulnerability might lead to denial of service, escalation of privileges, information disclosure, and data tampering.”
Patches are now available for BlueField-2 and BlueField-3, with updated versions 45.1020, 35.4554 (LTS22), 39.5050 (LTS23), and 43.3608 (LTS24).
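A quick inventory check against the fixed BlueField versions listed above, written as an added example (not NVIDIA's tooling). It assumes a version compares as two dotted integers, branch.build, in the form the article lists them; for a longer firmware string it takes the last two components, treating any leading component as a device-family prefix, which is an assumption.

```python
# Added example: classify a BlueField firmware version against the fixed
# versions the advisory summary lists for CVE-2025-23256.
# Branch number -> (minimum fixed build, branch name), taken from the article.
FIXED_VERSIONS = {
    45: (1020, "GA"),
    35: (4554, "LTS22"),
    39: (5050, "LTS23"),
    43: (3608, "LTS24"),
}


def parse_version(version: str) -> tuple[int, int]:
    """Return (branch, build) from 'branch.build' or 'prefix.branch.build'.

    Assumption: any component before the last two is a device-family prefix.
    """
    parts = version.strip().split(".")
    if len(parts) < 2:
        raise ValueError(f"unrecognised version string: {version!r}")
    try:
        return int(parts[-2]), int(parts[-1])
    except ValueError as exc:
        raise ValueError(f"non-numeric version component in {version!r}") from exc


def check_bluefield_version(version: str) -> dict:
    """Classify one installed version as patched, vulnerable, or unknown-branch.

    A branch the article does not list (for example a newer release train) is
    reported as unknown rather than assumed safe, so it gets a manual look.
    """
    branch, build = parse_version(version)
    if branch not in FIXED_VERSIONS:
        return {"version": version, "branch": None,
                "status": "unknown-branch", "fixed_in": None}
    fixed_build, name = FIXED_VERSIONS[branch]
    status = "patched" if build >= fixed_build else "vulnerable"
    return {"version": version, "branch": name,
            "status": status, "fixed_in": f"{branch}.{fixed_build}"}


if __name__ == "__main__":
    # Constructed sample inventory, not real device output.
    for v in ["35.4500", "39.5050", "32.45.1020", "43.3600", "40.1000"]:
        r = check_bluefield_version(v)
        print(f"{v:>12}  {r['status']:<14} branch={r['branch']} fixed_in={r['fixed_in']}")
```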
Two privilege escalation vulnerabilities (CVE-2025-23257 and CVE-2025-23258) affect NVIDIA DOCA’s Debian packages (collectx-clxapidev and collectx-dpeserver). Both carry a CVSS score of 7.3 and could allow an actor with low privileges to escalate their access.
NVIDIA confirmed: “A successful exploit of this vulnerability might lead to escalation of privileges.”
Patches are available in DOCA 2.9.3, 2.5.4, and 3.0.0, depending on the affected package version.
Another flaw (CVE-2025-23259) impacts the Mellanox DPDK Poll Mode Driver (PMD). NVIDIA warns that “an attacker on a VM in the system might be able to cause information disclosure and denial of service on the network interface.”
The issue has been patched in DPDK version 22.11_2504.1.0 GA and in multiple LTS streams (22.11.10 LTS, 24.11.3 LTS, among others).
A vulnerability (CVE-2025-23262) in NVIDIA ConnectX adapters mirrors the BlueField flaw, allowing local attackers to bypass authorization and tamper with configuration data. The advisory notes that this could lead to privilege escalation, denial of service, or data manipulation.
Updates are available for ConnectX-5, 6, 7, and 8 adapters, with patched builds released across GA and LTS branches.
Finally, a less severe but still notable issue (CVE-2025-23261) affects NVIDIA Cumulus Linux and NVOS products. NVIDIA disclosed: “Hashed user passwords are not properly suppressed in log files, potentially disclosing information to unauthorized users.”
Fixes are available in Cumulus Linux 5.13, NVOS 25.02.42xx (NVSwitch), and 25.02.4xxx (IBSwitch).