SecurityWeek

Code Execution Flaws Haunt NVIDIA ChatRTX for Windows

Artificial intelligence computing giant NVIDIA patches flaws in ChatRTX for Windows and warns of code execution and data tampering risks.

Artificial intelligence computing giant NVIDIA on Wednesday pushed out urgent patches for a pair of software flaws in its ChatRTX for Windows app alongside a warning that users are at risk of code execution and data tampering attacks.

According to an advisory from NVIDIA, the flaws carry a ‘high-risk’ rating and could be exploited to launch harmful code via cross-site-scripting attacks.

The security defects, flagged as CVE-2024-0082 and CVE-2024-0083, affect ChatRTX for Windows 0.2 and prior versions.

The raw details:

  • CVE-2024-0082 — NVIDIA ChatRTX for Windows contains a vulnerability in the UI, where an attacker can cause improper privilege management by sending open file requests to the application. A successful exploit of this vulnerability might lead to local escalation of privileges, information disclosure, and data tampering. CVSS severity score 8.2/10.
  • CVE-2024-0083 — NVIDIA ChatRTX for Windows contains a vulnerability in the UI, where an attacker can cause a cross-site scripting error by network by running malicious scripts in users’ browsers. A successful exploit of this vulnerability might lead to code execution, denial of service, and information disclosure. CVSS severity score 6.5/10.

The NVIDIA ChatRTX app is used by developers and AI enthusiasts to connect PC LLMs to their own data using a popular technique known as retrieval-augmented generation (RAG).

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
