Nvidia Warns Windows Gamers of High-Severity Graphics Driver Flaws

Nvidia, which tends to make gaming-helpful graphics processing units (GPUs), on Thursday preset a slew of higher-severity flaws affecting its graphics driver. The vulnerabilities let lousy actors to cripple methods with denial of support attacks, escalate privileges, tamper with knowledge or sniff out delicate details.

Afflicted is Nvidia’s graphics driver (formally known as the GPU Display screen Driver) for Windows. The graphics driver is used in devices specific to fanatic players it is the software element that permits the device’s working technique and courses to use its superior-amount, gaming-optimized graphics components.

Nvidia’s Thursday security update addresses flaws tied to 16 CVEs all round. The most severe of these (CVE‑2021‑1051) is an issue in the graphic drivers’ kernel method layer. This flaw ranks 8.4 out of 10 on the CVSS scale, producing it large severity.

Kernel manner is usually reserved for the most affordable-stage, most dependable features of the functioning method in this scenario, the layer (nvlddmkm.sys) handler for the DxgkDdiEscape interface includes a glitch where by an procedure is carried out that could be abused to launch a denial-of-provider (DoS) attack or escalate privileges.

Yet another substantial-severity flaw (CVE‑2021‑1052) in this exact kernel method layer (nvlddmkm.sys) handler for DxgkDdiEscape could permit person-manner shoppers to entry legacy privileged software programming interfaces (APIs). In accordance to Nvidia, this “may guide to denial of support, escalation of privileges, and info disclosure.”

Nvidia also stomped out four medium-severity flaws in its graphics driver. Three of these (CVE‑2021‑1053, CVE‑2021‑1054, CVE‑2021‑1055) also stem from the kernel method layer (nvlddmkm.sys) handler for DxgkDdiEscape, even though the fourth (CVE‑2021‑1056) exists in a kernel manner layer (nvidia.ko) that does not wholly honor functioning procedure file technique permissions to present GPU gadget-stage isolation. That could let for DoS or information disclosure.

Further than its graphics motorists, Nvidia warned of flaws tied to nine large-severity CVEs in its digital GPU (vGPU) software. Nvidia’s vGPU generates graphics-forcused virtual desktops and workstations in tandem with the company’s info middle Tesla accelerator GPUs.

vGPU Software package Flaws

Quite a few of the flaws dealt with in Nvidia’s Thursday security advisory stem from Nvidia’s vGPU manager, its software that enables many digital equipment to have simultaneous, direct accessibility to a single physical GPU, even though also using Nvidia graphics drivers deployed on non-virtualized running methods.

One particular superior-severity flaw in exists in a plugin in just the vGPU manager (CVE‑2021‑1057). This issue could allow for visitors to allocate some sources for which they are not licensed – which according to Nvidia could lead to data integrity and confidentiality reduction, DoS and data disclosure. The vGPU manager also is made up of a flaw in the vGPU plugin (CVE‑2021‑1059), in which an enter index is not validated, which could guide to integer overflow. A race issue (CVE‑2021‑1061) in the vGPU plugin of the vGPU supervisor could essentially trick it into employing a earlier validated resource that has since altered, which may possibly direct to DoS or details disclosure.

And, in yet another Nvidia vGPU plugin issue (CVE‑2021‑1065), input details is not validated, which could guide to tampering of details or DoS.

Several Nvidia GeForce Windows and Linux driver branches are impacted Nvidia has launched a total list of afflicted versions and up-to-date driver variations on its security advisory. The graphics chip manufacturer has also introduced fixes for precise versions of the vGPU program impacted by these flaws on its web-site.

The security advisory is Nvidia’s initially in 2021. Last yr, the firm issued its good share of patches including fixes for two superior-severity flaws in the Windows model of its GeForce Practical experience computer software, and a patch for a critical bug in its high-functionality line of DGX servers, equally in Oct and a higher-severity flaw in its GeForce NOW software software program for Windows in November.

Supply-Chain Security: A 10-Issue Audit Webinar: Is your company’s software program supply-chain ready for an attack? On Wed., Jan. 20 at 2p.m. ET, begin identifying weaknesses in your offer-chain with actionable suggestions from gurus – part of a confined-engagement and Are living Threatpost webinar. CISOs, AppDev and SysAdmin are invited to check with a panel of A-checklist cybersecurity specialists how they can keep away from currently being caught uncovered in a put up-SolarWinds-hack environment. Attendance is constrained: Register Now and reserve a spot for this exceptional Threatpost Offer-Chain Security webinar — Jan. 20, 2 p.m. ET.