Impact
The vulnerability is an out-of-bounds write in the command interface of NVIDIA ConnectX and BlueField devices. A local user with virtual function (VF) access can supply crafted input that causes the device to write beyond the bounds of a buffer. If successfully exploited, the attacker can achieve arbitrary code execution on the device, compromising the confidentiality, integrity, or availability of the host system.
Affected Systems
The affected products are NVIDIA's BlueField family (the general-availability (GA) version and the LTS22, LTS23 and LTS24 releases) and the ConnectX family (GA and LTS22 through LTS24). Specific firmware or driver versions within those product lines are impacted, but detailed version data is not listed here.
Risk and Exploitability
The CVSS score of 9 indicates a high-severity flaw. No EPSS score is reported, so it is unclear how likely the vulnerability is to be exploited in the wild, and it is not currently listed in the CISA KEV catalog. The likely attack vector is local and requires the attacker to hold VF privileges on the device. Once that condition is met, the out-of-bounds write can be leveraged to execute arbitrary instructions and take control of the device, potentially affecting the OS running on the NIC or the host system.
OpenCVE Enrichment