Nvidia Patches Many Vulnerabilities in Windows, Linux Display Drivers

The most severe of the security defects is CVE‑2022‑34669 (CVSS score of 8.8), an issue in the user mode layer of Nvidia’s Windows driver that could be exploited by an unprivileged attacker to access or tamper with system files or other files that the driver uses.

Successful exploitation of the bug, Nvidia says, could allow the attacker to execute arbitrary code, cause a denial-of-service (DoS) condition, escalate privileges, access restricted information, or modify data.

Another severe flaw in the Windows driver is CVE‑2022‑34671 (CVSS score of 8.5), an out-of-bounds write that could have similar effects.

A vulnerability in Nvidia Control Panel for Windows could allow an unauthorized attacker to escalate privileges, leak sensitive data, or execute commands. The bug is tracked as CVE‑2022‑34672 (CVSS score of 7.8).

The chip maker also announced patches for four high-severity vulnerabilities in the kernel mode layer of its display driver for Linux, which could lead to DoS conditions, information disclosure, or data tampering.

Nvidia’s November 2022 driver updates also address three high-severity issues in the company’s virtual GPU (vGPU) software.

Tracked as CVE‑2022‑42260 (CVSS score of 7.8), the most severe of these impacts a D-Bus configuration file in the vGPU display driver for Linux and could be exploited without authorization to execute code, create a DoS condition, escalate privileges, or leak or tamper with data.

Two other issues, CVE‑2022‑42261 and CVE‑2022‑42262, impact the Virtual GPU Manager (vGPU plugin) and could lead to data modification, information disclosure, or a DoS condition.

Nvidia also resolved 19 medium-severity vulnerabilities that could be exploited to cause DoS conditions, leak information, or tamper with data.

Users are advised to download and install the available patches as soon as possible. Additional details on the resolved vulnerabilities can be found in Nvidia’s security bulletin.

Leave a Reply

Your email address will not be published.