This month, Nvidia's GPU Display Driver and related software updates address eight major exploits. All of them except one allow for code execution and open up vectors for escalation of privileges, data tampering, denial of service, and information disclosure. Impacted users of Nvidia GPU drivers and GPU software are advised to update as soon as possible.
Six CVEs are addressed in the main GPU display driver, while the two remaining ones—including the lone gap that didn't potentially allow code execution—were addressed within Nvidia's vGPU software.
Five of the relevant vulnerabilities within the GPU display drivers were for Windows specifically. They were all user mode layer exploits where users could cause out-of-bounds reads, including for the purpose of code execution, etc. One of the exploits was for both Windows and Linux versions of the GPU driver, allowing privileged attackers to escalate permissions from within the application.
The two Nvidia vGPU software vulnerabilities addressed have some similarities. Still, the higher-severity vGPU exploit that could enable code execution involved a vulnerability within the GPU kernel driver, which allowed "improper input validation by compromising the guest OS kernel." The slightly less severe exploit was within the Virtual GPU Manager, which allowed global system resources outside of the bounds of the vGPU Software to be utilized and potentially open up attack vectors.
The full Nvidia Security Bulletin will provide full links and more detailed information on the CVEs and relevant security patches. As an end user of an Nvidia GPU, you need to know that your most recent stable drivers will include security updates to cover these vulnerabilities, so you should apply those updates as soon as possible.
It's alarming that all of these vulnerabilities were found within Nvidia's GPU drivers, even on Linux— but it's relieving to see they've all already been patched. If your workloads relied on older Nvidia GPU drivers for compatibility reasons, needing to update to address these vulnerabilities could be an issue, but Nvidia GPU users dealing with high-sensitivity information should probably update anyway.
