Nvidia patches 29 GPU driver bugs that could lead to code execution, device takeover
Nvidia fixed more than two dozen security flaws in its GPU display driver, the most severe of which could allow an unprivileged user to modify files, and then escalate privileges, execute code, tamper with or steal data, or even take over your device.
In total, the chipmaker patched 29 vulnerabilities affecting Windows and Linux products, including 10 high-severity bugs.
The most severe of the bunch, tracked as CVE-2022-34669, affects the Windows version of the GPU display driver and received a CVSS score of 8.8.
Another high-severity flaw that also affects the Windows product and received an 8.5 CVSS rating exists in the GPU display driver user mode layer.
CVE-2022-34670 is found in the kernel mode layer handler of the GPU display driver for Linux.
The 29 bugs detailed in the security bulletin affect several different Nvidia software products: GeForce, Studio, Nvidia RTX, Quadro, NVS, and Tesla running on Windows systems.
News URL
https://go.theregister.com/feed/www.theregister.com/2022/12/01/nvidia_gpu_driver_bugs/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-12-30 | CVE-2022-34670 | Incorrect Conversion between Numeric Types vulnerability in multiple products. NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an unprivileged regular user can cause truncation errors when casting a primitive to a primitive of smaller size causes data to be lost in the conversion, which may lead to denial of service or information disclosure. | 7.8 |
2022-12-30 | CVE-2022-34669 | Externally Controlled Reference to a Resource in Another Sphere vulnerability in Nvidia Cloud Gaming and Virtual GPU. NVIDIA GPU Display Driver for Windows contains a vulnerability in the user mode layer, where an unprivileged regular user can access or modify system files or other files that are critical to the application, which may lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering. | 7.8 |