
Critical NVIDIA GPU Driver Flaws Allow Linux System Takeover

Two critical NVIDIA Linux GPU driver bugs allow local attackers to gain root access. Patch now—CVE-2025-23280 & CVE-2025-23300 exploit detailed.

NVIDIA GPU Driver Flaws

Security researchers have uncovered two critical vulnerabilities in NVIDIA's Linux GPU drivers that could allow unprivileged local attackers to gain complete control over affected systems, posing a significant threat to millions of Linux users.

The bugs, tracked as CVE-2025-23280 and CVE-2025-23300, were discovered in NVIDIA's Open GPU Kernel Modules by Quarkslab security researcher Bastide. The vulnerabilities affect both the main nvidia.ko and the nvidia-uvm.ko kernel modules, which unprivileged users can reach through their device files.

The first vulnerability triggers a kernel null-pointer dereference when mapping deviceless memory allocations. The real danger, however, lies in the second bug: a use-after-free that occurs when kernel stack memory is freed prematurely during error handling, leaving dangling pointers to that freed stack in a global tree structure.

CVE-2025-23280, CVE-2025-23300

Bastide successfully demonstrated a proof-of-concept exploit that achieves full kernel read and write capabilities, ultimately escalating privileges to root access. The exploit leverages vmalloc memory allocation behavior (virtual memory allocation used for kernel stacks) and creatively abuses the Video4Linux2 framework to manipulate memory layout and reclaim freed kernel stack space.

The attack chain is particularly concerning because it works around modern Linux security features including KASLR (Kernel Address Space Layout Randomization) and random_kstack_offset, which typically make such exploits significantly harder to execute.

NVIDIA has released patches in its October 2025 GPU Display Driver update. However, the fix appears incomplete: while the company introduced a new "UAF-safe API" called threadStateAlloc, it is currently used only in the vulnerable dupMemory function, potentially leaving other code paths exposed.

Users should immediately update to NVIDIA driver version 570.86.15 or later. System administrators running Ubuntu Noble or similar distributions with the nvidia-driver-570-server-open package should prioritize this update, especially on multi-user systems where local privilege escalation poses the greatest risk.
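The following script is an added example for administrators, not code from the article or from NVIDIA or Quarkslab. It compares a loaded driver version against the 570.86.15 threshold the article gives, treating any higher version as patched per the "or later" wording. It assumes the first line of /proc/driver/nvidia/version carries the driver version as its first dotted numeric field, which is an assumption about that file's format; the sample line in the script is constructed.

```shell
#!/bin/sh
# Added example: check whether a loaded NVIDIA driver is at or above the
# version the article names as fixed (570.86.15). Not from the article.
FIXED_VERSION="570.86.15"

# version_ge A B: exit 0 if dotted version A >= B, comparing components
# numerically and treating missing trailing components as 0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i in x) ? x[i] + 0 : 0
            yi = (i in y) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# nvrm_version LINE: extract the driver version from the first line of
# /proc/driver/nvidia/version (format assumed: first field that looks like
# a dotted number, so "x86_64" in the module name is skipped).
nvrm_version() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+\.[0-9]+(\.[0-9]+)*$/) { print $i; exit }
    }'
}

# driver_status VERSION: print "patched" or "vulnerable" relative to FIXED_VERSION.
driver_status() {
    if version_ge "$1" "$FIXED_VERSION"; then
        echo patched
    else
        echo vulnerable
    fi
}

# check_live_system: report on the running host. Also lists the device
# nodes the article says give unprivileged users access to the modules,
# so their permissions can be reviewed on multi-user machines.
check_live_system() {
    if [ ! -r /proc/driver/nvidia/version ]; then
        echo "no NVIDIA kernel module loaded (or /proc entry unreadable)"
        return 0
    fi
    v=$(nvrm_version "$(head -n 1 /proc/driver/nvidia/version)")
    echo "loaded NVIDIA driver: ${v:-unknown} -> $(driver_status "${v:-0}")"
    ls -l /dev/nvidia* /dev/nvidia-uvm 2>/dev/null
}

# Constructed sample line, in the assumed /proc/driver/nvidia/version layout.
SAMPLE='NVRM version: NVIDIA UNIX Open Kernel Module for x86_64  570.86.10  Release Build'
echo "sample line parses to: $(nvrm_version "$SAMPLE") -> $(driver_status "$(nvrm_version "$SAMPLE")")"
check_live_system
```

Run it as an ordinary user on each GPU host; on a host where the module is loaded it prints the version and verdict, followed by the device node permissions. The dpkg package version (nvidia-driver-570-server-open on Ubuntu Noble) is a separate check, since the packaged version can differ from the module actually loaded until the next reboot.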
