CVE-2025-33244 — CRITICAL (CVSS 9.0) AI Security Vulnerability

CISO Take

If your ML teams run distributed training or fine-tuning with NVIDIA APEX on PyTorch < 2.6, you have a CVSS 9.0 deserialization RCE sitting on your GPU cluster — patch PyTorch to 2.6+ immediately. Adjacent-network attack vector means anyone on the same VPC, shared GPU cluster, or corporate LAN can exploit this with low privileges and zero user interaction. The blast radius is your entire training infrastructure: model weights, training data, and GPU credentials.

Severity & Risk

CVSS 3.1

9.0 / 10

EPSS

N/A

KEV Status

Not in KEV

Sophistication

Moderate

Recommended Action

Immediate (0-24h): (1) Audit all NVIDIA APEX deployments — inventory environments with PyTorch < 2.6 via 'pip show torch' across all ML nodes and containers. (2) Block unnecessary lateral traffic to/from GPU training nodes at the network layer. Short-term (24-72h): (3) Upgrade PyTorch to 2.6+ in all training environments — this is the primary mitigation per NVIDIA advisory. (4) Update NVIDIA APEX to latest release from GitHub (nvidia/apex). (5) Restrict deserialization of external checkpoint files — validate sources and use cryptographic signing for model checkpoints (torch.save with signatures). Detection: (6) Alert on unusual processes spawned from Python/APEX worker processes, unexpected outbound connections from training nodes, anomalous filesystem writes in model checkpoint directories. Longer-term: (7) Implement network segmentation isolating GPU training clusters from broader corporate network; (8) Enforce image scanning in CI/CD that validates PyTorch version before deploying training jobs.

Classification

Code Execution Supply Chain Data Extraction Framework Training Data AML.T0010.001 - AI Software AML.T0018.002 - Embed Malware AML.T0020 - Poison Training Data AML.T0025 - Exfiltration via Cyber Means AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, Robustness and Cybersecurity

ISO 42001

A.6.2.5 - AI System Security A.8.2 - AI System Components and Suppliers

NIST AI RMF

GOVERN 4.2 - Organizational teams are committed to governance MANAGE 2.2 - Mechanisms to manage AI risks

OWASP LLM Top 10

LLM03 - Supply Chain Vulnerabilities

Technical Details

NVD Description

NVIDIA APEX for Linux contains a vulnerability where an unauthorized attacker could cause a deserialization of untrusted data. This vulnerability affects environments that use PyTorch versions earlier than 2.6. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, data tampering, and information disclosure.

Exploitation Scenario

An attacker with low-privilege access on the same network segment (e.g., a compromised ML workstation, a co-tenant in a cloud GPU cluster, or a malicious insider) crafts a serialized payload using Python's pickle deserialization primitives — a well-understood technique with public PoC templates. They deliver it to an APEX-enabled training process either by poisoning a shared model checkpoint repository (NFS mount, S3 bucket with permissive policies) or by injecting it directly over the network during distributed training communication (NCCL/GLOO). When the APEX process deserializes the payload on PyTorch < 2.6, arbitrary code executes in the training environment. The attacker establishes persistence, exfiltrates model weights and training data to external storage, and optionally poisons the model to introduce a backdoor — all while the training job appears to continue normally.

Weaknesses (CWE)

CWE-502 Primary

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

References

Timeline

Published

March 24, 2026

Last Modified

March 24, 2026

First Seen

March 24, 2026