Advisory

NVIDIA releases security update for DGX Spark AI computing platform, patches at least one critical flaw

Take action: If you have NVIDIA DGX Spark GB10 devices, ensure they are isolated from the internet and accessible only from trusted networks. Then immediately download and install the OTA0 update from the NVIDIA DGX site.


Learn More

NVIDIA has released a security update for its DGX Spark GB10 AI computing platform to patch multiple vulnerabilities. 

Vulnerabilities summary:

  • CVE-2025-33187 (CVSS score 9.3) - a flaw in SROOT where an attacker with privileged access could gain access to SoC protected areas, potentially leading to code execution, information disclosure, data tampering, denial of service, or privilege escalation.
  • CVE-2025-33188 (CVSS score 8.0) - a flaw in hardware resources allowing tampering with hardware controls, potentially resulting in information disclosure, data tampering, or denial of service.
  • CVE-2025-33189 (CVSS score 7.8) - out-of-bounds write vulnerability in SROOT firmware that could lead to code execution, data tampering, denial of service, information disclosure, or privilege escalation.
  • CVE-2025-33190 (CVSS score 6.7) - out-of-bounds write vulnerability in SROOT firmware enabling potential code execution, data tampering, denial of service, or privilege escalation.
  • CVE-2025-33191 (CVSS score 5.7) - a flaw in OSROOT firmware involving invalid memory reads that could result in denial of service.
  • CVE-2025-33192 (CVSS score 5.7) - arbitrary memory read vulnerability in SROOT firmware potentially leading to code execution, denial of service, or information disclosure.
  • CVE-2025-33193 (CVSS score 5.7) - integrity validation flaw in SROOT firmware that could enable code execution, denial of service, or information disclosure.
  • CVE-2025-33194 (CVSS score 5.7) - improper input processing vulnerability in SROOT firmware that may result in information disclosure or denial of service.
  • CVE-2025-33195 (CVSS score 4.4) - unexpected memory buffer operations in SROOT firmware, potentially causing data tampering, denial of service, or privilege escalation.
  • CVE-2025-33196 (CVSS score 4.4) - resource reuse vulnerability in SROOT firmware that could lead to information disclosure.
  • CVE-2025-33197 (CVSS score 4.3) - NULL pointer dereference vulnerability in SROOT firmware potentially resulting in code execution or denial of service.
  • CVE-2025-33198 (CVSS score 3.3) - resource reuse vulnerability in SROOT firmware that may cause information disclosure.
  • CVE-2025-33199 (CVSS score 3.2) - incorrect control flow behavior vulnerability in SROOT firmware potentially leading to data tampering.
  • CVE-2025-33200 (CVSS score 2.3) - resource reuse vulnerability in SROOT firmware that could result in information disclosure.

All versions of NVIDIA DGX Spark running NVIDIA DGX OS prior to OTA0 are affected. NVIDIA has released the updated version OTA0 to address all fourteen security flaws. The company recommends that users download and install the latest version of NVIDIA DGX OS from the NVIDIA DGX site.
