Vulnerabilities > CVE-2023-44216 - Information Exposure Through Discrepancy vulnerability in multiple products
Attack vector
NETWORK Attack complexity
HIGH Privileges required
NONE Confidentiality impact
HIGH Integrity impact
NONE Availability impact
NONE Summary
PVRIC (PowerVR Image Compression) on Imagination 2018 and later GPU devices offers software-transparent compression that enables cross-origin pixel-stealing attacks against feTurbulence and feBlend in the SVG Filter specification, aka a GPU.zip issue. For example, attackers can sometimes accurately determine text contained on a web page from one origin if they control a resource from a different origin.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 1 | |
| OS | 3 | |
| OS | 1 | |
| OS | 1 | |
| Hardware | 2 | |
| Hardware | 5 | |
| Hardware | 2 | |
| Hardware | 1 | |
| Hardware | 1 |
Common Weakness Enumeration (CWE)
References
- https://blog.imaginationtech.com/introducing-pvric4-taking-image-compression-to-the-next-level/
- https://www.hertzbleed.com/gpu.zip/GPU-zip.pdf
- https://arstechnica.com/security/2023/09/gpus-from-all-major-suppliers-are-vulnerable-to-new-pixel-stealing-attack/
- https://blog.imaginationtech.com/reducing-bandwidth-pvric/
- https://www.hertzbleed.com/gpu.zip/
- https://news.ycombinator.com/item?id=37663159
- https://github.com/UT-Security/gpu-zip
- https://www.w3.org/TR/filter-effects-1/
- https://www.bleepingcomputer.com/news/security/modern-gpus-vulnerable-to-new-gpuzip-side-channel-attack/