Security News > 2021 > April > Gamers update! Nvidia patches GPU driver kernel escalation bugs
The patches cover 13 different CVE numbers, running from CVE-2021-1074 to CVE-2021-1078 for the GPU driver fixes, and from CVE-2021-1080 to CVE-2021-1087 for the vGPU products.
The GPU software bug that ended up with the highest "Base score" using the well-known CVSS bug-rating system was CVE-2021-1074, described as a "Vulnerability in the [GPU driver] installer where an attacker with local system access may replace an application resource with malicious files."
If the installation script language gives control over copying and replacing files or can specify external programs to run at install or update time, a crook may be able to trick the installer into performing malicious activities without needing a new and suspicious-looking.
Nvidia has a list of affected products plus the updated driver version numbers you want, as well as instructions on how to figure out which versions of its driver software are installed already.
By the way, if you were wondering where the missing bug number CVE-2021-1079 went from the sequences listed above, the answer is that it was allocated to a flaw in the Nvidia GeForce Experience software, not in any bugs in GPU drivers or vGPU packages.
If you use GeForce Experience, the bug that was patched could lead to code execution or to elevation of privilege, so you need to patch that software too, as explained in a separate Nvidia security bulletin.
News URL
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-04-29 | CVE-2021-1080 | NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (vGPU plugin), in which certain input data is not validated, which may lead to information disclosure, tampering of data, or denial of service. | 4.6 |
| 2021-04-29 | CVE-2021-1087 | Information Exposure vulnerability in Nvidia Virtual GPU Manager NVIDIA vGPU driver contains a vulnerability in the Virtual GPU Manager (vGPU plugin), which could allow an attacker to retrieve information that could lead to a Address Space Layout Randomization (ASLR) bypass. | 2.1 |
| 2021-04-21 | CVE-2021-1074 | Unspecified vulnerability in Nvidia GPU Display Driver 390/392.61 NVIDIA GPU Display Driver for Windows installer contains a vulnerability where an attacker with local unprivileged system access may be able to replace an application resource with malicious files. local nvidia | 6.9 |
| 2021-04-21 | CVE-2021-1078 | NULL Pointer Dereference vulnerability in Nvidia GPU Display Driver NVIDIA Windows GPU Display Driver for Windows, all versions, contains a vulnerability in the kernel driver (nvlddmkm.sys) where a NULL pointer dereference may lead to system crash. | 4.9 |
| 2021-04-20 | CVE-2021-1079 | Unspecified vulnerability in Nvidia Geforce Experience NVIDIA GeForce Experience, all versions prior to 3.22, contains a vulnerability in GameStream plugins where log files are created using NT/System level permissions, which may lead to code execution, denial of service, or local privilege escalation. | 3.6 |