None of the bugs could be exploited remotely, so that should be a big sigh of relief for Nvidia GPU owners. However, the flaws could still allow for code execution, information disclosure, escalation of privilege and denial of service attacks when exploited locally. Without these patches, an attacker can use these to infect the user’s system via tactics such as convincing them to click on infected files sent via email or downloaded from hacked websites or ad networks.
The CVSS V3 scores of the bugs range from 5.1 to 7.8. Four of those 12 bugs are labeled high severity, while the other eight are labeled medium severity. The high severity bugs are vulnerabilities in the driver’s kernel-mode layer that can can lead to escalation privilege or denial of service attacks.
Referring to the bugs’ CVSS V3 scores, Nvidia largely downplayed the security vulnerabilities saying that the "risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk of your local installation.”
The company then recommended users to consult a security professional to evaluate the risk of their own computers and to update their GeForce, Quadro, NVS and Tesla Windows GPU display drivers to the latest versions found on the company’s Driver Downloads page. However, some of the affected driver versions will be patched on November 18, according to Nvidia.
Nvidia also encouraged GFE users to update to the latest version either by downloading the new version manually or by using the utility’s automated update system.
Stay on the Cutting Edge
Join the experts who read Tom's Hardware for the inside track on enthusiast PC tech news — and have for over 25 years. We'll send breaking news and in-depth reviews of CPUs, GPUs, AI, maker hardware and more straight to your inbox.
Your fingerprints can be recreated from the sounds made when you swipe on a touchscreen — Chinese and US researchers show new side channel can reproduce fingerprints to enable attacks
Russian military botnet discovered on 1000+ compromised routers — FBI deactivated Moobot by taking control of impacted routers