CVE-2025-23274 is a medium-severity vulnerability identified in the NVIDIA CUDA Toolkit, specifically within the nvJPEG component responsible for JPEG image encoding. The vulnerability is classified as a CWE-125: Out-of-bounds Read. It occurs when a maliciously crafted input image with specific dimensions triggers integer overflows during array index calculations. This overflow leads to reading memory outside the intended buffer boundaries. The consequence of this vulnerability is primarily a denial of service (DoS) condition, as the out-of-bounds read can cause application crashes or instability. The vulnerability affects all versions of the CUDA Toolkit prior to version 13.0. The CVSS v3.1 base score is 4.5, indicating a medium severity level. The attack vector is local (AV:L), requiring low privileges (PR:L) and high attack complexity (AC:H), with no user interaction (UI:N) needed. The scope remains unchanged (S:U), and the impact on confidentiality, integrity, and availability is low to medium (C:L/I:L/A:L). No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability arises from improper input validation and integer overflow during image dimension processing, which is a common risk in image parsing libraries. Given the widespread use of NVIDIA CUDA Toolkit in high-performance computing, AI, and image processing applications, this vulnerability could disrupt services relying on GPU-accelerated JPEG encoding if exploited locally by an attacker with access to the system.

For European organizations, the impact of CVE-2025-23274 could be significant in sectors relying heavily on GPU-accelerated computing, such as research institutions, automotive industries, financial services, and media companies. The vulnerability could lead to denial of service conditions in critical systems performing image processing tasks, potentially causing downtime or degraded performance. Although the attack requires local access and low privileges, insider threats or compromised internal systems could exploit this vulnerability to disrupt operations. The confidentiality and integrity impact is low, but availability impact could affect service continuity. Organizations using older versions of the CUDA Toolkit in production environments may face operational risks until they upgrade. Additionally, the lack of known exploits in the wild currently reduces immediate risk, but proactive mitigation is essential to prevent future exploitation.

European organizations should prioritize upgrading to NVIDIA CUDA Toolkit version 13.0 or later, where this vulnerability is addressed. Until an official patch is available, organizations should implement strict access controls to limit local access to systems running vulnerable CUDA Toolkit versions. Monitoring and logging of local user activities related to image processing applications can help detect suspicious behavior. Employing application whitelisting and sandboxing techniques for image processing workloads can reduce the risk of exploitation. Additionally, validating and sanitizing all input images before processing can help mitigate malformed input risks. Organizations should also keep abreast of NVIDIA security advisories for any forthcoming patches or mitigations and test updates in controlled environments before deployment.