NVIDIA has released a security update for its GPU display driver for Windows, containing a fix for a high-severity flaw that threat actors can exploit to perform, among other things, code execution and privilege escalation.
The latest security update addresses 25 vulnerabilities in the Windows and Linux GPU drivers, seven of which are categorized as high-severity.
The two most critical vulnerabilities are:
- CVE-2022-34669 (CVSS v3.1: 8.8) – Locally exploited user mode flaw in the Windows GPU driver allowing an unprivileged regular user to access or modify files critical to the application, potentially leading to code execution, privilege escalation, information disclosure, data tampering, and denial of service.
- CVE-2022-34671 (CVSS v3.1: 8.5) – Remotely exploited user mode flaw in the Windows GPU driver allowing an unprivileged regular user to cause an out-of-bounds write, potentially leading to code execution, privilege escalation, information disclosure, data tampering, and denial of service.
CVE-2022-34671 has a lower severity rating despite being exploitable over the network because of its high complexity, which makes exploitation less likely.
However, the CVE-2022-34669 flaw is more helpful to hackers and malware developers who already have access to a Windows device and are looking for ways to escalate their privileges or execute code.
GPU and hardware drivers run with elevated privileges on the OS, so exploiting a vulnerability in a driver provides the same high level of privileges to malicious code or commands.
Considering the popularity of NVIDIA products, there’s a high chance of finding vulnerable GPU drivers on targeted computers, allowing attackers to exploit these flaws to gain greater privileges and spread further on a network.
NVIDIA has yet to release in-depth technical details about these flaws, which gives users time to patch first.
The NVIDIA driver versions that fix these vulnerabilities are the following:
Linux users should consult this GPU driver version table instead:
Check out NVIDIA’s security bulletin for details on all 25 fixes and every software and hardware product covered in this month’s update.
Users are advised to apply the released security updates by downloading the latest available version of the driver for their GPU model from NVIDIA’s download central, where they can select the specific product and OS they are using.
The updates can also be fetched and applied automatically through NVIDIA’s GeForce Experience suite.