DGX Spark GB10 OSROOT Firmware CVE-2025-33191: DoS via Invalid Memory Read
CVE-2025-33191 Published on November 25, 2025

NVIDIA DGX Spark GB10 contains a vulnerability in OSROOT firmware, where an attacker could cause an invalid memory read. A successful exploit of this vulnerability might lead to denial of service.

NVD

Vulnerability Analysis

CVE-2025-33191 can be exploited with local system access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity, and a small impact on availability.

Attack Vector:
LOCAL
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
CHANGED
Confidentiality Impact:
LOW
Integrity Impact:
NONE
Availability Impact:
LOW

Weakness Type

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.


Affected Versions

NVIDIA DGX Spark Version All versions prior to OTA0 is affected by CVE-2025-33191

Exploit Probability

EPSS
0.03%
Percentile
6.76%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.