NVIDIA Triton Inference Server

High-severity vulnerabilities disclosed in NVIDIA Triton Inference Server; AI model security faces a serious threat
Xi Niu Cai Jing· 2025-08-12 02:52
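It is reported that the vulnerability chain consists of three vulnerabilities: CVE-2025-23320, CVE-2025-23319 and CVE-2025-23334. When an attacker sends an oversized request that exceeds the shared memory limit, CVE-2025-23320 triggers an exception, and the returned error message exposes the unique identifier (key) of the backend's internal IPC (inter-process communication) shared memory region. Using that identifier, the attacker can perform an out-of-bounds write via CVE-2025-23319 and an out-of-bounds read via CVE-2025-23334.

NVIDIA Triton is a general-purpose inference platform designed to help developers simplify the deployment and running of AI models across various frameworks. However, its general-purpose design and complex inter-process communication mechanism have become a security risk.

NVIDIA has now released a patch. However, all systems on versions before 25.07 are "running naked", and users need to update Triton Inference Server to the latest version.

Recently, the security research organization Wiz Research disclosed a chain of high-severity vulnerabilities in NVIDIA's Triton Inference Server, a finding that has drawn widespread attention across the industry.

The vulnerability chain can be exploited in combination to achieve remote code execution (RCE): attackers can read or tamper with data in shared memory, manipulate model output, and even control the behavior of the entire inference backend. This means cloud AI models face model theft, data leakage ...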
High-severity vulnerabilities disclosed in NVIDIA inference server; cloud AI models left fully exposed to attack
量子位 (QbitAI) · 2025-08-06 05:56
Core Viewpoint
- The article discusses a critical vulnerability chain in NVIDIA's Triton Inference Server, which could lead to severe consequences such as model theft, data breaches, response manipulation, and system control loss [2][3][5].

Vulnerability Details
- The vulnerability chain consists of three interconnected vulnerabilities:
  1. CVE-2025-23320 allows attackers to exploit error messages to disclose the unique identifier of the shared memory area [8].
  2. CVE-2025-23319 enables out-of-bounds write operations using the disclosed identifier [10].
  3. CVE-2025-23334 facilitates out-of-bounds read operations, allowing attackers to manipulate server behavior [12][14].

Potential Consequences
- The vulnerabilities could lead to:
  - Model theft, where attackers can steal proprietary AI models [5].
  - Data breaches, allowing real-time access to sensitive data [5].
  - Response manipulation, resulting in erroneous or biased outputs from AI models [5].
  - System control loss, where attackers can pivot to other systems within the organization [6].

Security Implications
- The vulnerabilities highlight a significant security risk in Triton's architecture, where a single vulnerability can compromise multiple critical components of an AI platform [7][26].
- The Python backend, while designed for flexibility, becomes a potential security weak point due to its broad usage across different frameworks [18][22].

Remediation Efforts
- NVIDIA has released a patch for the vulnerabilities, urging users to update to the latest version of Triton Inference Server (25.07) [4][28].
- The vulnerabilities have not yet been exploited in real-world attacks, remaining confined to laboratory environments [27].
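
As an added example (not from the article, NVIDIA or Wiz Research), the following Python audits a container image inventory against the 25.07 fix threshold the article gives. It assumes deployments keep the `tritonserver` repository name and the `YY.MM[-suffix]` release tag scheme; the function names and the sample inventory are constructed for illustration.

```python
import re

# First fixed release according to the article: Triton Inference Server 25.07.
FIXED_RELEASE = (25, 7)

# Assumed tag scheme: YY.MM plus an optional flavour suffix (e.g. "-py3").
_RELEASE_TAG = re.compile(r"^(\d{2})\.(\d{2})(?:-[A-Za-z0-9_.-]+)?$")


def classify(image_ref):
    """Classify one image reference as vulnerable / patched / unknown / not-triton."""
    name = image_ref.strip().partition("@")[0]      # drop any @sha256 digest
    repo, sep, tag = name.rsplit("/", 1)[-1].partition(":")
    if repo != "tritonserver":
        return "not-triton"     # renamed or derived images need a separate check
    match = _RELEASE_TAG.match(tag) if sep else None
    if match is None:
        return "unknown"        # "latest", digest-only or custom tag: verify by hand
    release = (int(match.group(1)), int(match.group(2)))
    if not 1 <= release[1] <= 12:
        return "unknown"        # not a plausible YY.MM release
    return "vulnerable" if release < FIXED_RELEASE else "patched"


def audit(image_refs):
    """Group image references by classification, preserving input order."""
    report = {"vulnerable": [], "patched": [], "unknown": [], "not-triton": []}
    for ref in image_refs:
        report[classify(ref)].append(ref)
    return report


# Constructed sample inventory (not taken from the article).
SAMPLE_INVENTORY = [
    "nvcr.io/nvidia/tritonserver:25.06-py3",
    "nvcr.io/nvidia/tritonserver:25.07-py3",
    "registry.example.internal:5000/ml/tritonserver:24.12-vllm-python-py3",
    "nvcr.io/nvidia/tritonserver:latest",
    "nvcr.io/nvidia/tritonserver@sha256:0000",
    "docker.io/library/nginx:1.27",
]

if __name__ == "__main__":
    for status, refs in audit(SAMPLE_INVENTORY).items():
        for ref in refs:
            print(f"{status:11} {ref}")
```

Anything reported as `unknown` cannot be judged from the tag alone and should be checked against the release the running server reports.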