Nvidia has disclosed 25 vulnerabilities found across their GPU product lineup. Due to Nvidia’s popularity among multiple different consumer and enterprise product spaces, the potential fallout may be concerning. Among the 25 security flaws are two of high severity. The security bulletin released by Nvidia describes them as follows:
- CVE-2022-34669 (CVSS v3.1: 8.8) – Locally exploited user mode flaw in the Windows GPU driver allowing an unprivileged regular user to access or modify files critical to the application, potentially leading to code execution, privilege escalation, information disclosure, data tampering, and denial of service.
- CVE-2022-34671 (CVSS v3.1: 8.5) – Remotely exploited user mode flaw in the Windows GPU driver allowing an unprivileged regular user to cause an out-of-bounds write, potentially leading to code execution, privilege escalation, information disclosure, data tampering, and denial of service.
Even though CVE-2022-34671 offers the potential for remote code execution, it has received a lower CVSS score due to the complexity of the flaw and the difficulty required to exploit it. While the most useful flaws for threat actors are typically code execution and privilege escalation, the vulnerabilities listed above have a wide range of potential for abuse. At this time, it does not appear that there are any publicly available proof-of-concept exploits that take advantage of these vulnerabilities.
Nvidia has not released any detail rich information of the specifics of these security flaws in order to allow users time to update their drivers before proof-of-concept exploitation tools are developed.
Nvidia users can reference Nvidia’s security bulletin to identify their GPU or other product and the appropriate driver version to patch these vulnerabilities here: https://nvidia.custhelp.com/app/answers/detail/a_id/5415
Users can then download the appropriate driver for their device from Nvidia’s download center here: https://www.nvidia.com/download/index.aspx
Users of Nvidia’s GeForce Experience software should also have the update available to them automatically, allowing them to install with ease.