Update now! Nvidia released fixes for 10 flaws in Windows GPU drivers

Update now! Nvidia released fixes for 10 flaws in Windows GPU drivers

Multiple NVIDIA graphic card models have been found to have flaws in their GPU drivers, with six medium-and four high-severity ratings.

Last Monday, the company released a software security update for NVIDIA GPU Display Driverto address the vulnerabilities. If exploited, they could lead to denial of service, code execution, privilege escalation, and data tampering.

NVIDIA GeForce software, Studio, RTX/Quadro, NVS, and Tesla running Windows and Linux are all affected by this update, covering driver branches R450, R470, and R510. Here are the lists for Windowsand Unix/Linuxfor reference for driver branch histories.

The latest release also covers updates for already unsupported GTX 600 and GTX Kepler-series cards. This is NVIDIA honoring its promiseof continuing to provide support for these cards until September 2024—three years after the October 2021 end-of-support date.

Let’s look at each of the vulnerabilities up-close.

High-severity NVIDIA vulnerabilities

  • CVE-2022-28181.A malformed executable or shader file (a program that runs on the GPU) exploiting the
    DCL_INDEXABLE
    functionality could lead to memory corruption, code execution, data tampering, denial of service, privilege escalation, and information disclosure. Virtual machines and (theoretically) web browsers can trigger this vulnerability. This is exploitable over the network.
  • CVE-2022-28182. A malformed executable or shader file exploiting the
    DCL_INDEXRANGE
    ,
    DCL_RESOURCE_STRUCTURED
    , and
    DCL_UNORDERED_ACCESS_VIEW_STRUCTURED
    functionalities could lead to memory corruption, data tampering, denial of service, information disclosure, and privilege escalation. Virtual machines and (theoretically) web browsers can trigger this vulnerability. This is exploitable over the network.
  • CVE-2022-28183. An unprivileged user could cause an out-of-bounds read (a flaw that allows parts of the memory, which are allocated to more critical functions, to be manipulated), leading to a denial of service and information disclosure. This is exploited with local access.
  • CVE-2022-28184. An unprivileged user could access registers available only to administrator accounts, leading to data tampering, denial of service, and information disclosure. This is exploited with local access.

Medium-severity NVIDIA vulnerabilities

  • CVE-2022-28185. An out-of-bounds write in the ECC (error correction code) layercould lead to data tampering and denial of service.
  • CVE-2022-28186. A validation flaw in the kernel mode layer (
    nvlddmkm.sys
    ) could lead to data tampering and denial of service.
  • CVE-2022-28187. A memory management software flaw in the kernel mode layer (
    nvlddmkm.sys
    ) could lead to denial of service.
  • CVE-2022-28188. A validation flaw in kernel mode layer (
    nvlddmkm.sys
    ) handler for DxgkDdiEscape where input is not correctly validated for being able to process data safely, which could lead to denial of service.
  • CVE-2022-28189. A NULL pointer dereference in the kernel mode layer (
    nvlddmkm.sys
    ) handler for
    DxgkDdiEscape
    could lead to a system crash.
  • CVE-2022-28190. A validation flaw in kernel mode layer (
    nvlddmkm.sys
    ) handler for
    DxgkDdiEscape
    where improper input validation could lead to denial of service.

Patch as soon as possible

NVIDIA users are advised to download and applythe patches ASAP. The updates can also be applied via NVIDIA’s GeForce Experience suite.

ABOUT THE AUTHOR

Jovi Umawing

Knows a bit about everything and a lot about several somethings. Writes about those somethings, usually in long-form.