Nvidia patched 29 security flaws in its GPU display driver, out of which 10 are high severity. These flaws could allow an unprivileged user to modify files, and escalate privileges, execute code, tamper with or steal data, or even take over your device.
The flaws affect different Nvidia software products: GeForce, Studio, Nvidia RTX, Quadro, NVS, and Tesla running on Windows systems. Plus GeForce, Nvidia RTX, Quadro, NVS, and Tesla on Linux-based devices.
The most severity flaw, tracked as CVE-2022-34669 with CVSS of 8.8, affects the Windows version of the GPU display driver. This vulnerability could allow an unprivileged regular user access or modify system files or other files that are critical to the application. Successful exploitation could lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering.
CVE-2022-34671 with a CVSS of 8.5 hat also affects the Windows product exists in the GPU display driver user mode layer. This could allow an unprivileged user to cause an out-of-bounds write, also leading to code execution, denial of service, escalation of privileges, information disclosure, or data tampering.
CVE-2022-34672 with CVSS score of 7.8, a vulnerability in the control panel for Windows that could allow an unauthorized user to gain privileges, read sensitive information and execute commands.
CVE-2022-34670 with CVSS score of 7.8, a vulnerability in the kernel mode layer handler of the GPU display driver for Linux. An unprivileged regular user can cause truncation errors when casting a primitive to a primitive of smaller size, causing data to be lost in the conversion, which may lead to denial of service or information disclosure.
CVE-2022-42260 with CVSS score of 7.8, also in the Linux version of the GPU display driver. This one is due to improper preservation of permissions in the D-Bus configuration file. An unauthorized user in the guest VM could exploit this bug on protected D-Bus endpoints, leading to code execution, denial of service, escalation of privileges, information disclosure, or data tempering.
CVE-2022-42261 with CVSS score of 7.8 , a flaw in the virtual GPU management software, doesn’t properly validate an input index, leading to a buffer overrun, causing data tampering, information disclosure or denial of service.
Nvidia didn’t release much information on the vulnerabilities since customers need to get updated to the latest version and prevent attackers from exploiting the flaws.