NVIDIA Patches High Risk Vulnerabilities in GPU Display Drivers

NVIDIA has released a security update for the NVIDIA GPU display driver, to address several High severity vulnerabilities impacting GeForce, Quadro, NVS, and Tesla products. 


A total of 8 security vulnerabilities were addressed in this round of patches, five of which have a CVSS score of 8.8. Exploitation of these bugs could lead to code execution, denial of service or escalation of privileges on the affected systems, the GPU maker says.

Tracked as CVE‑2019‑5665, the first of the flaws was found in the 3D vision component of the GPU display driver. The bug affects the stereo service software, which does not check for hard links when opening a file.
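The missing check described above, shown as an added illustration of the bug class on POSIX; it is not NVIDIA's code and not the vendor's fix. The function name `open_checked` and the temporary paths are constructed for the example; on Windows the corresponding link count is `nNumberOfLinks` from `GetFileInformationByHandle`.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` on behalf of a privileged service, refusing any file that has
 * a second name. Returns a file descriptor, or -1 with errno set. */
int open_checked(const char *path)
{
    /* O_NOFOLLOW rejects a symbolic link in the final path component. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;

    /* fstat() inspects the object that was actually opened, so the result
     * cannot be swapped out between the check and the use. */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;   /* not a regular file, or it is hard-linked */
        return -1;
    }
    return fd;
}

/* Constructed demo: one private file and one file with an extra hard link. */
int demo(void)
{
    char dir[] = "/tmp/hlchkXXXXXX", plain[64], target[64], alias[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(plain, sizeof plain, "%s/plain", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(alias, sizeof alias, "%s/alias", dir);
    close(open(plain, O_CREAT | O_WRONLY, 0600));
    close(open(target, O_CREAT | O_WRONLY, 0600));
    if (link(target, alias) != 0) return -1;

    int ok = open_checked(plain);    /* accepted: link count is 1 */
    int bad = open_checked(alias);   /* rejected: link count is 2 */
    if (ok >= 0) close(ok);
    if (bad >= 0) close(bad);
    unlink(plain); unlink(target); unlink(alias); rmdir(dir);
    return (ok >= 0 && bad < 0) ? 0 : 1;
}

int main(void) { return demo(); }
```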

The second issue, CVE‑2019‑5666, affects the kernel mode layer (nvlddmkm.sys) create context command DDI DxgkDdiCreateContext. The driver incorrectly validates an untrusted input or index, failing to ensure that the index references a valid position within the array.

CVE‑2019‑5667 is a bug in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiSetRootPageTable, while CVE‑2019‑5668 impacts the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiSubmitCommandVirtual. In both cases, the application dereferences a pointer that, instead of being valid, is NULL. 

The fifth High severity flaw is CVE‑2019‑5669, residing in the kernel mode layer handler for DxgkDdiEscape. When leveraging a sequential operation to read from or write to a buffer, the software uses an incorrect length value, thus accessing memory outside of the bounds of the buffer.

Another important vulnerability NVIDIA addressed in this round of patches is CVE‑2019‑5670, which also impacts the kernel mode layer handler for DxgkDdiEscape and causes the software to access memory outside of its buffer. This could lead to denial of service, escalation of privileges, code execution or information disclosure.

Another flaw is CVE‑2019‑5671, a denial of service flaw in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where the software does not release a resource after its effective lifetime has ended.


The last bug is CVE‑2018‑6260, where application data processed on the GPU is accessible through a side channel exposed by the GPU performance counters. Exploitation of this vulnerability requires local user access, but the flaw also impacts Linux, FreeBSD, and Solaris. 


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
