NVIDIA Patches Multiple GPU Display Driver and vGPU Software Vulnerabilities


NVIDIA has released a new software security update for its GPU display driver to address thirteen potential vulnerabilities that may lead to code execution, denial of service, escalation of privileges, and information disclosure. They include a vulnerability in the driver installer that could allow an attacker with local system access to replace an application resource with malicious files, and another in the kernel driver that could lead to a system crash. NVIDIA customers can get the software update through the green team’s official driver downloads page.

NVIDIA GPU DISPLAY DRIVER

| CVE ID | Description | Base Score | Vector |
| --- | --- | --- | --- |
| CVE-2021-1074 | NVIDIA Windows GPU Display Driver for Windows contains a vulnerability in its installer where an attacker with local system access may replace an application resource with malicious files. Such an attack may lead to code execution, escalation of privileges, denial of service, and information disclosure. | 7.5 | AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H |
| CVE-2021-1075 | NVIDIA Windows GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape where the program dereferences a pointer that contains a location for memory that is no longer valid, which may lead to code execution, denial of service, or escalation of privileges. | 7.3 | AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H |
| CVE-2021-1076 | NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer (nvlddmkm.sys or nvidia.ko) where improper access control may lead to denial of service, information disclosure, or data corruption. | 6.6 | AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H |
| CVE-2021-1077 | NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability where the software uses a reference count to manage a resource that is incorrectly updated, which may lead to denial of service. | 6.6 | AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H |
| CVE-2021-1078 | NVIDIA Windows GPU Display Driver for Windows contains a vulnerability in the kernel driver (nvlddmkm.sys) where a NULL pointer dereference may lead to system crash. | 5.5 | AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |

NVIDIA VGPU SOFTWARE

| CVE ID | Description | Base Score | Vector |
| --- | --- | --- | --- |
| CVE-2021-1080 | NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (vGPU plugin), in which certain input data is not validated, which may lead to information disclosure, tampering of data, or denial of service. | 7.8 | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2021-1081 | NVIDIA vGPU software contains a vulnerability in the guest kernel mode driver and Virtual GPU manager (vGPU plugin), in which an input length is not validated, which may lead to information disclosure, tampering of data, or denial of service. | 7.8 | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2021-1082 | NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (vGPU plugin), in which an input length is not validated, which may lead to information disclosure, tampering of data, or denial of service. | 7.8 | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2021-1083 | NVIDIA vGPU software contains a vulnerability in the guest kernel mode driver and Virtual GPU Manager (vGPU plugin), in which an input length is not validated, which may lead to information disclosure, tampering of data, or denial of service. | 7.8 | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2021-1084 | NVIDIA vGPU driver contains a vulnerability in the guest kernel mode driver and Virtual GPU Manager (vGPU plugin), in which an input length is not validated, which may lead to tampering of data or denial of service. | 7.8 | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2021-1085 | NVIDIA vGPU driver contains a vulnerability in the Virtual GPU Manager (vGPU plugin), where there is the potential to write to a shared memory location and manipulate the data after the data has been validated, which may lead to denial of service and escalation of privileges. | 7.3 | AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H |
| CVE-2021-1086 | NVIDIA vGPU driver contains a vulnerability in the Virtual GPU Manager (vGPU plugin) where it allows guests to control unauthorized resources, which may lead to integrity and confidentiality loss or information disclosure. | 7.1 | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| CVE-2021-1087 | NVIDIA vGPU driver contains a vulnerability in the Virtual GPU Manager (vGPU plugin), which could allow an attacker to retrieve information that could lead to an Address Space Layout Randomization (ASLR) bypass. | 5.5 | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |

The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk to your local installation. NVIDIA recommends consulting a security or IT professional to evaluate the risk to your specific configuration.

Source: NVIDIA Support, Threatpost

Tsing Mui
News poster at The FPS Review.
