NVIDIA GeForce Experience users who haven’t updated their software recently may want to do that straight away. According to a new security bulletin posted on NVIDIA’s official support site, GeForce Experience has received a new software security update that addresses three potential vulnerabilities, including one with a base score of 8.2 that could lead to data tampering. NVIDIA has thanked Minse Kim of DNSLab (Defensible Networked Systems Lab., Korea University) for discovering two of these vulnerabilities in its GeForce Experience software, which serves as a portal for keeping GeForce drivers up to date, optimizing game settings, and more.
From an NVIDIA Support post:
NVIDIA has released a software security update for NVIDIA GeForce Experience software. This update addresses issues that may lead to code execution, information disclosure, data tampering, and denial of service.
To protect your system, download and install this software update through the GeForce Experience Downloads page, or open the client to automatically apply the security update.
| CVE ID | Description | Base Score | Vector |
| --- | --- | --- | --- |
| CVE-2022-42291 | NVIDIA GeForce Experience contains a vulnerability in the installer, where a user installing the NVIDIA GeForce Experience software may inadvertently delete data from a linked location, which may lead to data tampering. An attacker does not have explicit control over the exploitation of this vulnerability, which requires the user to explicitly launch the installer from the compromised directory. | 8.2 | AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H |
| CVE-2022-31611 | NVIDIA GeForce Experience contains an uncontrolled search path vulnerability in all its client installers, where an attacker with user level privileges may cause the installer to load an arbitrary DLL when the installer is launched. A successful exploit of this vulnerability could lead to escalation of privileges and code execution. | 6.8 | AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:H |
| CVE-2022-42292 | NVIDIA GeForce Experience contains a vulnerability in the NVContainer component, where a user without administrator privileges can create a symbolic link to a file that requires elevated privileges to write to or modify, which may lead to denial of service, escalation of privilege or limited data tampering. | 5.0 | AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:H |
NVIDIA Software Products Affected
| CVE IDs Addressed | Software Product | Operating System | Affected Versions | Updated Version |
| --- | --- | --- | --- | --- |
| | GeForce Experience | Windows | All versions prior to 18.104.22.168 | 22.214.171.124 |