Nvidia’s mid-January GPU driver update addresses several vulnerabilities and exploits

by Pelican Press

Nvidia has released updates to its GPU display driver and vGPU software that together address seven security vulnerabilities. Two of these are high-severity vulnerabilities enabling information disclosure, data tampering, denial of service, and, in the case of the high-severity vGPU software issue, even code execution. On Windows, all GPU driver versions prior to 553.62 and 539.19 (on branches R550 and R535 respectively) are vulnerable.

Over on the GPU Display Driver Security Bulletin page, Nvidia said five specific vulnerabilities are being addressed. The lowest severity issue, CVE-2024-0149, relates to unauthorized file access on the Linux driver, which could lead to information disclosure.

Two medium-severity memory-related issues, CVE-2024-0147 and CVE-2024-53869, involve referencing memory after it has been freed (on Windows or Linux) and a Linux-specific leak of uninitialized memory, respectively. Left unpatched, CVE-2024-0147 could cause denial of service and data tampering, while CVE-2024-53869 could cause information disclosure.

Finally, on the main GPU driver front, two buffer-related vulnerabilities are being addressed in the GPU Driver security updates for Windows and Linux — the medium severity CVE-2024-0131 and the high severity CVE-2024-0150.

CVE-2024-0131 allows for a denial of service attack by reading a buffer with an incorrect length. Meanwhile, CVE-2024-0150 is even more severe: it involves an issue in which data is erroneously written past or after a buffer, which could lead to information disclosure, data tampering, and denial of service.

Over on the vGPU software side, there are only two vulnerabilities: the high-severity CVE-2024-0146 and the medium-severity CVE-2024-53881. The latter, despite its more intimidating number, only refers to a denial of service vulnerability in which a guest can cause an interrupt storm on the host. More worrying is the high-severity CVE-2024-0146, which allows a whole range of denial of service, information disclosure, and data tampering up to code execution, since the exploit can be used to corrupt the GPU’s memory.

Fortunately, all of these issues are addressed in the latest driver updates. On Windows, these will be any updates at or newer than 553.62 or 539.19, depending on which Nvidia driver branch you happen to be on. If you already have GeForce Experience installed, you should be automatically prompted to install the driver update before long. If you’d rather trigger the update yourself or install the driver manually, head over to Nvidia’s official driver downloads page.
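One way to triage a Windows fleet against the fixed versions named above (an added example, not code from Nvidia or from this article). The host names and version strings are constructed, and the mapping of major version numbers to the R550 and R535 branches is an assumption to check against Nvidia's bulletin.

```python
import re

# Fixed Windows driver versions stated in the article, keyed by branch.
FIXED = {"R550": (553, 62), "R535": (539, 19)}

# ASSUMPTION (not from the article): which major version numbers belong to
# each Windows branch. Verify against Nvidia's bulletin before relying on it.
BRANCH_MAJORS = {"R550": range(550, 554), "R535": range(535, 540)}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\s*$")


def parse_version(text):
    """Return (major, minor) for a string such as '553.62', else None."""
    m = _VERSION_RE.match(text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def triage(text):
    """Classify one Windows driver version string.

    Returns 'patched', 'vulnerable', 'unknown-branch' or 'unparseable'.
    """
    version = parse_version(text)
    if version is None:
        return "unparseable"
    for branch, majors in BRANCH_MAJORS.items():
        if version[0] in majors:
            return "patched" if version >= FIXED[branch] else "vulnerable"
    # The article says every version before the fixes is vulnerable.
    if version < min(FIXED.values()):
        return "vulnerable"
    # Other branches are not covered by the article: do not guess.
    return "unknown-branch"


def needs_attention(inventory):
    """Map host -> status for every host that is not confirmed patched."""
    results = {host: triage(ver) for host, ver in inventory.items()}
    return {h: s for h, s in results.items() if s != "patched"}


if __name__ == "__main__":
    # Constructed inventory, e.g. collected per host with:
    #   nvidia-smi --query-gpu=driver_version --format=csv,noheader
    sample = {"ws-01": "553.62", "ws-02": "552.22", "ws-03": "539.19",
              "ws-04": "538.95", "ws-05": "546.33", "ws-06": "N/A"}
    for host, status in needs_attention(sample).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown-branch` run a driver line the article does not cover and need a manual check against the vendor bulletin.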


