Impact
The vulnerability is an out‑of‑bounds write in the command interface of NVIDIA ConnectX and BlueField devices that can be triggered by a local user with virtual function (VF) access. By supplying carefully crafted input, the attacker can cause the target to overwrite memory beyond its intended bounds, enabling arbitrary code execution on the device. This flaw falls under the buffer overflow family (CWE‑787) and permits the attacker to gain full control of the affected subsystem.
Affected Systems
Affected products include NVIDIA BlueField GA, LTS22, LTS23, LTS24 and NVIDIA ConnectX GA, LTS22, LTS23, LTS24, ConnectX‑4, and ConnectX‑4 LX. The flaw requires local user privileges that can manage a virtual function – a capability typically assigned to trusted administrators or management software.
Risk and Exploitability
Based on the description, it is inferred that the likely attack vector is local; an attacker who can configure or send commands to a VF on the device can exploit the write‑out‑of‑bounds vulnerability, potentially leading to full device compromise. The CVSS score of 9.0 marks the issue as critical, though the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. While no public exploit has been disclosed, the severity and the local nature of the required foothold make this a high‑risk threat for environments that enable VF usage.
OpenCVE Enrichment