Patches released by NVIDIA last week for the GeForce Experience software address two arbitrary code execution bugs assessed with a severity rating of high.
The GeForce Experience software is a companion application that is being installed alongside NVIDIA’s GeForce drivers. Functioning as a GPU management tool, it allows users to record and share videos and screenshots, update drivers, and ensure game settings are always optimized.
Tracked as CVE‑2020‑5977 and with a CVSS score of 8.2, the first of the newly addressed issues was identified in the NVIDIA Web Helper NodeJS Web Server and exists because an uncontrolled search path is used to load a node module.
An attacker able to exploit the flaw could execute code in the context of the vulnerable software, could cause denial of service, escalate privileges, or access restricted information, NVIDIA notes in an advisory.
The second vulnerability has the identifier CVE‑2020‑5990 and a CVSS score of 7.3. According to NVIDIA, the flaw was identified in the ShadowPlay component and may lead to code execution, local privilege escalation, denial of service, or information disclosure.
A third vulnerability patched with the new release is CVE‑2020‑5978 (CVSS score of 3.2), identified in the GeForce Experience services. The bug exists because “a folder is created by nvcontainer.exe under normal user login with LOCAL_SYSTEM privileges,” NVIDIA explains.
The flaw could be exploited to achieve denial of service or to escalate privileges.
All three vulnerabilities, NVIDIA explains, impact GeForce Experience versions prior to 3.20.5.70. To keep their systems protected, users are advised to update to version 3.20.5.70 or newer of the software.
Related: NVIDIA Patches Code Execution Flaws in GPU Drivers
Related: NVIDIA Patches DoS Flaws in GPU Driver and vGPU Software
Related: NVIDIA Patches Command Execution Vulnerability in GeForce Experience

More from Ionut Arghire
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Atlassian Warns of Critical Jira Service Management Vulnerability
- Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication
- Google Shells Out $600,000 for OSS-Fuzz Project Integrations
- F5 BIG-IP Vulnerability Can Lead to DoS, Code Execution
- Flaw in Cisco Industrial Appliances Allows Malicious Code to Persist Across Reboots
- HeadCrab Botnet Ensnares 1,200 Redis Servers for Cryptomining
- Malicious NPM, PyPI Packages Stealing User Information
Latest News
- Big China Spy Balloon Moving East Over US, Pentagon Says
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Cyber Insights 2023: Venture Capital
- Atlassian Warns of Critical Jira Service Management Vulnerability
- High-Severity Privilege Escalation Vulnerability Patched in VMware Workstation
- Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication
- China Says It’s Looking Into Report of Spy Balloon Over US
- GoAnywhere MFT Users Warned of Zero-Day Exploit
