NVIDIA has announced the roll-out of updates for its graphics drivers to address multiple vulnerabilities, including four CVEs rated “high severity.”
The most severe of these issues are CVE‑2022‑28181 and CVE‑2022‑28182 (CVSS score of 8.5), which could lead to “code execution, denial of service, escalation of privileges, information disclosure, and data tampering,” NVIDIA says.
Both security holes could be exploited by an “unauthorized attacker on the network” to cause “an out-of-bounds write through a specially crafted shader.”
While CVE‑2022‑28181 impacts both the Windows and Linux versions of NVIDIA’s GPU display drivers, CVE‑2022‑28182 exists in the Windows DirectX11 user mode driver, the company says.
The vulnerabilities were reported by Cisco Talos’ security researchers, who say that CVE‑2022‑28182 in fact describes three memory corruption issues identified in NVIDIA D3D10 Driver version 496.76, 30.0.14.9676.
“An attacker could exploit these vulnerabilities by sending the target a specially crafted executable or shader file. These issues could also allow an adversary to perform a guest-to-host escape if they target a guest machine running virtualization environments,” the researchers note.
Tracked as CVE‑2022‑28183 (CVSS score of 7.7) and CVE‑2022‑28184 (CVSS score of 7.1), the other two high-severity vulnerabilities resolved with NVIDIA’s May 2022 set of patches impact both Windows and Linux drivers.
Both issues may lead to denial of service and information disclosure, while CVE‑2022‑28184 could also be exploited for data tampering.
The six remaining vulnerabilities that NVIDIA resolved in its graphics drivers this month are rated “medium severity.” Two other medium-severity bugs were resolved in the vGPU software, both leading to denial of service.
Users are advised to head over to NVIDIA’s driver downloads page to install the latest driver updates for their systems.
Related: NVIDIA Ships Patches for High-Severity Security Flaws
Related: NVIDIA, HPE Products Affected by Log4j Vulnerabilities
Related: NVIDIA Ships Patches for High-Severity Security Flaws