May 18, 2022 

NVIDIA fixes 10 vulnerabilities, 2 Leading to ACE in Windows GPU display drivers

NVIDIA has released a security update that addresses 4 high-severity and 6 medium-severity vulnerabilities in its GPU drivers.  

The vulnerabilities can lead denial of service, information exposure, privilege elevation, arbitrary code execution (ACE), etc. 

The ACE Vulnerabilities

• CVE-2022-28181, High Severity (CVSS v3 score: 8.5) – a vulnerability in the kernel mode layer, where an unprivileged regular user on the network can cause an out-of-bounds write through a specially crafted shader, which may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. The scope of the impact may extend to other components. 

• CVE-2022-28182 , High Severity (CVSS v3 score: 8.5) –  a vulnerability in the DirectX11 user mode driver (nvwgf2um/x.dll), where an unauthorized attacker on the network can cause an out-of-bounds write through a specially crafted shader, which may lead to code execution to cause denial of service, escalation of privileges, information disclosure, and data tampering. The scope of the impact may extend to other components. 

Affected Products

• Tesla, RTX/Quadro, NVS, Studio, and GeForce software products, covering driver branches R450, R470, and R510. 

Mitigation

CYREBRO recommends downloading and installing the software update through the NVIDIA Driver Downloads page or for the vGPU software update, through the NVIDIA Licensing Portal. 

References: NVIDIA Advisory