This month, updates to Nvidia’s GPU display drivers and related software address eight major vulnerabilities. All but one allow code execution and open vectors for privilege escalation, data tampering, denial of service, and information disclosure. Users of affected Nvidia GPU drivers and GPU software are encouraged to update as soon as possible.
Six CVEs were addressed in the main GPU display driver, while the remaining two CVEs (including the only vulnerability that might not allow code execution) were addressed within Nvidia’s vGPU software.
Five of the vulnerabilities in the GPU display drivers were Windows-specific. These were all user-mode layer vulnerabilities that could allow a user to cause an out-of-bounds read, leading to outcomes such as code execution. One of the vulnerabilities affected both the Windows and Linux versions of the GPU driver, allowing a privileged attacker to escalate their privileges from within the application.
There are some similarities between the two Nvidia vGPU software vulnerabilities that were addressed. The more severe of the two, which could allow code execution, involves a vulnerability in the GPU kernel driver that allows for “improper input validation through compromise of the guest OS kernel.” The less severe vulnerability occurred within the virtual GPU manager, where it could leverage global system resources outside the scope of the vGPU software, opening up an attack vector.
The full Nvidia Security Bulletin provides links and detailed information about the CVEs and related security patches. End users of Nvidia GPUs should know that the latest stable drivers contain security updates that cover these vulnerabilities and should apply those updates as soon as possible.
It’s alarming that all of these vulnerabilities were found within Nvidia’s GPU drivers, even on Linux, but it’s reassuring to see that they’ve all been patched already. If your workload relies on older Nvidia GPU drivers for compatibility reasons, having to update them to address these vulnerabilities may be an issue, but Nvidia GPU users will probably need to update anyway.