NVIDIA has patched a critical vulnerability in its App for Windows that could allow local attackers to execute arbitrary code and escalate privileges on affected systems.
Tracked as CVE-2025-23358, the flaw exists in the installer component. It poses a significant security risk to Windows users running the application.
The vulnerability stems from a search path element issue within the NVIDIA App installer, classified under CWE-427.
An attacker with local access and low privileges can exploit this flaw by manipulating the search path to inject malicious code.
Vulnerability Details and Technical Impact
The vulnerability requires user interaction to trigger, but successful exploitation grants complete code execution and allows privilege escalation across the entire system.
CVE-2025-23358 with a CVSS v3.1 base score of 8.2, the vulnerability carries a High severity rating.
The attack vector is purely local, meaning an attacker must have physical or logical access to the target machine.
However, the low attack complexity, combined with the ability to escalate privileges, makes this flaw particularly dangerous in multi-user environments and corporate settings.
NVIDIA App for Windows versions before 11.0.5.260 are vulnerable to this attack. Users running any version before this patch release remain exposed to potential exploitation.
The company recommends that all affected users immediately download and install version 11.0.5.260 or later from the official NVIDIA App website to mitigate the risk.
| CVE ID | Affected Product | Severity | CVSS Score |
|---|---|---|---|
| CVE-2025-23358 | NVIDIA App for Windows (all versions prior to 11.0.5.260) | High | 8.2 |
This vulnerability underscores the importance of keeping third-party software up to date, even for supplementary applications like NVIDIA’s utility software.
Attackers frequently target installer components because they often run with elevated privileges during installation.
To protect your system, download the latest NVIDIA App version from the official NVIDIA App site. The patch directly addresses the search path handling issue and eliminates the code execution vector.
Organizations managing multiple NVIDIA-equipped workstations should prioritize deploying this update across their infrastructure.
Security teams should verify their software inventory to identify systems running older NVIDIA App versions and coordinate rapid patching efforts.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
