cbcvebase.
CVE-2025-23319
published 2025-08-06

CVE-2025-23319: NVIDIA Triton Inference Server for Windows and Linux contains a vulnerability in the Python backend, where an attacker could cause an out-of-bounds write by…

PriorityP258critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
1.53%
71.6th percentile
NVIDIA Triton Inference Server for Windows and Linux contains a vulnerability in the Python backend, where an attacker could cause an out-of-bounds write by sending a request. A successful exploit of this vulnerability might lead to remote code execution, denial of service, data tampering, or information disclosure.

Affected

2 ranges
VendorProductVersion rangeFixed in
nvidiatriton_inference_server< 25.0725.07
nvidiatriton_inference_server

Detection & IOCsextracted from sources · hover to see the quote

path/dev/shm/triton_python_backend_shm_region_4f50c226-b3d0-46e8-ac59-d4690b28b859
  • Monitor for unauthorized registration of shared memory keys matching the pattern 'triton_python_backend_shm_region_*' via the Triton API — this indicates an attacker attempting to register the server's internal IPC shared memory region.
  • Alert on unauthenticated inference requests that reference internal shared memory regions (keys prefixed with 'triton_python_backend_shm_region_') — the API does not validate whether the provided shared memory key is user-owned or internal.
  • Detect exploitation attempts by monitoring for manipulation of IPC message queues in the Python backend's shared memory, particularly involving structures named 'MemoryShm' or 'SendMessageBase'.
  • Flag verbose error messages from the Triton Python backend that leak internal shared memory region names — these are the initial information disclosure step in the exploit chain.
  • ·The exploit chain requires the attacker to first obtain the internal shared memory region name via an information leak (verbose error message); without this leaked name, the subsequent write primitive is not directly accessible.
  • ·The Python backend is a dependency for several other backends, meaning models not explicitly configured to use Python may still be affected through indirect use of the vulnerable component.
  • ·Full technical exploitation details (beyond the read/write primitive via shared memory registration) have been withheld by Wiz Research and are not publicly available.
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.