NVIDIA GeForce Experience for Windows has been found to contain a security vulnerability, CVE‑2019‑5674, that could allow local attackers to elevate privileges, trigger code execution, and carry out denial-of-service attacks.
Even though the vulnerability requires local user access, it could still be exploited remotely with the help of previously planted malicious tools on a system running the vulnerable NVIDIA GeForce Experience.
More about CVE‑2019‑5674
According to the official description, the update that addresses the vulnerability fixes an issue that may lead to code execution, denial of service, or escalation of privileges. The flaw has a high secerity rating and an 8.8 base score.
“The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk of your local installation. NVIDIA recommends consulting a security or IT professional to evaluate the risk to your specific configuration”, the advisory says.
The bug was reported by Rhino Security Labs researcher David Yesland.
It should be noted that all GeForce Experience versions before version 3.18 are affected. More specifically, Windows systems running one of these versions along with enabled ShadowPlay, NvContainer, or GameStream are in danger of attacks.
If you have one of the vulnerable versions of NVIDIA GeForce Experience, you should download the latest version as soon as possible. To do so, go to GeForce Experience download page, where you can directly download the patched version.
In February, eight security issues were discovered (and patched) in the NVIDIA GPU Display Driver software, with one of the vulnerabilities affecting both Linux and Windows systems. The vulnerabilities could also lead to code execution, escalation of privileges, denial of service attacks, and information disclosure.
In similarity to the current vulnerability, despite the vulnerabilities requiring local access, hackers could still exploit them with the help of malicious software installed on a system running the vulnerable driver. The vulnerabilities in question are CVE 2019 5665, CVE 2019 5666, CVE 2019 5667, CVE 2019 5668, CVE 2019 5669, CVE 2019 5670, CVE 2019 5671, CVE 2018 6260.