None of the bugs could be exploited remotely, so that should be a big sigh of relief for Nvidia GPU owners. However, the flaws could still allow for code execution, information disclosure, escalation of privilege and denial of service attacks when exploited locally. Without these patches, an attacker could use the flaws to infect a user’s system via tactics such as convincing the user to click on infected files sent via email or downloaded from hacked websites or ad networks.
The CVSS V3 scores of the bugs range from 5.1 to 7.8. Four of those 12 bugs are labeled high severity, while the other eight are labeled medium severity. The high severity bugs are vulnerabilities in the driver’s kernel-mode layer that can lead to escalation of privilege or denial of service attacks.
Referring to the bugs’ CVSS V3 scores, Nvidia largely downplayed the security vulnerabilities, saying that the “risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk of your local installation.”
The company then recommended that users consult a security professional to evaluate the risk to their own computers and update their GeForce, Quadro, NVS and Tesla Windows GPU display drivers to the latest versions found on the company’s Driver Downloads page. However, some of the affected driver versions will be patched on November 18, according to Nvidia.
Nvidia also encouraged GFE users to update to the latest version either by downloading the new version manually or by using the utility’s automated update system.