Patches released by NVIDIA last week for the GeForce Experience software address two arbitrary code execution bugs assessed with a severity rating of high.
The GeForce Experience software is a companion application that is being installed alongside NVIDIA’s GeForce drivers. Functioning as a GPU management tool, it allows users to record and share videos and screenshots, update drivers, and ensure game settings are always optimized.
Tracked as CVE‑2020‑5977 and with a CVSS score of 8.2, the first of the newly addressed issues was identified in the NVIDIA Web Helper NodeJS Web Server and exists because an uncontrolled search path is used to load a node module.
An attacker able to exploit the flaw could execute code in the context of the vulnerable software, could cause denial of service, escalate privileges, or access restricted information, NVIDIA notes in an advisory.
The second vulnerability has the identifier CVE‑2020‑5990 and a CVSS score of 7.3. According to NVIDIA, the flaw was identified in the ShadowPlay component and may lead to code execution, local privilege escalation, denial of service, or information disclosure.
A third vulnerability patched with the new release is CVE‑2020‑5978 (CVSS score of 3.2), identified in the GeForce Experience services. The bug exists because “a folder is created by nvcontainer.exe under normal user login with LOCAL_SYSTEM privileges,” NVIDIA explains.
The flaw could be exploited to achieve denial of service or to escalate privileges.
All three vulnerabilities, NVIDIA explains, impact GeForce Experience versions prior to 3.20.5.70. To keep their systems protected, users are advised to update to version 3.20.5.70 or newer of the software.
Related: NVIDIA Patches Code Execution Flaws in GPU Drivers
Related: NVIDIA Patches DoS Flaws in GPU Driver and vGPU Software
Related: NVIDIA Patches Command Execution Vulnerability in GeForce Experience