Gamer Alert: Serious Nvidia Flaw Plagues Graphics Driver

gaming nvidia gpu graphics driver

Several flaws found in Nvidia’s graphics drivers could enable denial of service, code execution and other malicious attacks.

Nvidia issued patches for high-severity vulnerabilities in its graphics driver, which can be exploited by a local attacker to launch denial-of-service (DoS) or code-execution attacks.

Nvidia’s graphics processing unit (GPU) display driver is used in devices targeted for enthusiast gamers; it’s the software component that enables the device’s operating system and programs to use its high-level graphics hardware. Specifically impacted are display drivers used in GeForce, Quadro and Tesla-branded GPUs for Windows.

The most severe flaw exists in the control panel component of the graphics driver, which is a utility program helping users monitor and adjust the settings of their graphics adapter. According to Nvidia in its security advisory, published Friday, an attacker with local system access can corrupt a system file in the control panel, which would lead to DoS or escalation of privileges.

The vulnerability (CVE‑2020‑5957) ranks 8.4 out of 10.0 on the CVSS scale, making it high-severity.

Another vulnerability, this one medium-severity, exists in the control panel of the graphics driver (CVE‑2020‑5958). An attacker with local system access could exploit this flaw by planting a malicious dynamic link library (DLL) file in the control panel, which may lead to code execution, DoS or information disclosure.

For both flaws in the graphics driver, the affected versions and subsequent patched versions are listed below. Patched versions are now available, with the exception of a patch for vulnerable R440 versions of Tesla for Windows; fixes for that will be available on the week of March 9.

Nvidia security vulnerability

Nvidia also disclosed several vulnerabilities in the Virtual GPU (vGPU) Manager, its tool that enables multiple virtual machines to have simultaneous, direct access to a single physical GPU, while also using Nvidia graphics drivers deployed on non-virtualized operating systems.

The most severe of these flaws exists in the vGPU plugin, “in which an input index value is incorrectly validated, which may lead to denial of service,” according to Nvidia. The vulnerability (CVE‑2020‑5959) is 7.8 out of 10.0 on the CVSS scale, making it high-severity.

Another medium-severity flaw  (CVE-2020-5960) in vGPU stems from the tool’s kernel mode (nvidia.ko) which is vulnerable to a null pointer dereference error. This type of error occurs when a program attempts to read or write to memory with a null pointer, causing a segmentation fault. The flaw can lead to denial of service, according to Nvidia.

Nvidia also addressed a medium-severity vulnerability in its vGPU graphics driver for guest operating systems. An “incorrect resource clean up on a failure path” in this driver can impact the guest virtual machine, leading to denial of service. A variety of versions are affected for these vGPU software flaws (they can be found here); Nvidia said that updated versions are upcoming in March.

It’s only the latest Nvidia security patch impacting its gaming-enthusiast customer base. Nvidia last year issued fixes for high-severity flaws in two popular gaming products, including its graphics driver for Windows and GeForce Experience. The flaws could be exploited to launch an array of malicious attacks – from DoS to escalation of privileges. Also in 2019, Nvidia patched another high-severity vulnerability in its GeForce Experience software, which could lead to code-execution or DoS of products, if exploited.

Suggested articles

Discussion

  • Yaseen on

    When has Nvidia not released a driver that has severe issues? This is a monthly occurrence, you'd think they'd sort out the security on a deliverable like this sooner!
  • Braheem Hazeem on

    I love how everyone jumps on amd driver issues, but no one is going to mention this.
  • Benjamin Williams on

    not a Gamer alert. The Quadro is a professional graphics card, it doesn't drop frames and is horrible at rendering them. It's a professional card used for CAD and other engineering software. Tesla is used for stream processes and general GPU, and it's extremely precise for calculations. So it also wouldn't be used for gaming, it's mostly used for making giant calculations accurately.
  • Chet on

    These all require local access?
  • Muhammad Yasir on

    Is this issue really harmful for Graphics card or harm hardware or make any Resolution related or artifacts in GPUs ? What is fix or solution of this problem?
  • Br on

    Just came here for the retarded comments...
  • Anonymous on

    This comment is misleading. The vulnerability affects the release driver for GeForce, Quadro, and Tesla cards. It is absolutely an alert for gamers.
  • InnocentCow on

    I have a GTX 1660 Super OC and I have been having strange irregular freezes and when I don't have the drivers my audio is shit too but it doesn't crash but I cant play games bc everything is shit without the drivers
  • Patrick Morris on

    While this alert seems to be targetted at gamers, the vulnerable vGPU software isn't. Like Benjamin Williams mentioned, it's used for things like virtualization of engineering applications. This isn't likely to effect gamers.
  • Derpus Derpitude on

    "in vGPU stems from the tool’s kernel mode (nvidia.ko) which is vulnerable to a null pointer" "kernel mode" should read "kernel module"
  • Rational human on

    It's the media hype train!!!! If you share space with someone that might have the means, then lock your desktop, if your stepping away from your computer for an extended period of time.
  • Anon on

    Everytime i see “requires local access” the “news” site that publishes this garbage gets blocked. You could do things MUCH worse that mess with someones gpu drivers with local access so wtf is the point in over hyping this nonsense?
  • Shiz briz on

    That's what I was looking at, if you get local access you can do a bit worse than this

Leave A Comment

 

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.