The Nvidia graphics processing unit (GPU) display driver contains a series of vulnerabilities, the most severe of which is CVE-2021-1074.
The vulnerability currently is undergoing analysis. What is known so far is that NVIDIA Windows GPU Display Driver for Windows, R390 driver branch, contains a severe security flaw in its installer where an attacker with local system access may replace an application resource with malicious files. “Such an attack may lead to code execution, escalation of privileges, denial of service, or information disclosure,” the National Vulnerability Database warns.
The rest of the flaws within GPU driver include CVE-2021-1075, CVE-2021-1076, CVE-2021-1077, and CVE-2021-1078.
This vulnerability is also classified as severe, with a rating of 7.3 out of1 10 according to the CVSS scale.
Another high-severity bug, CVE-2021-1075, rates 7.3 on the CVSS scale. The flaw resides in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape where the program dereferences a pointer that contains a location for memory that is no longer valid. This condition may cause various attack scenarios, including code execution, denial of service, or escalation of privileges.
CVE-2021-1076 and CVE-2021-1077
Both vulnerabilities are medium in terms of severity, with a security rating of 6.6 out of 10.
The first vulnerability resides in all versions of the former NVIDIA GPU Display Driver for Windows and Linux. The flaw is located in the kernel mode layer (nvlddmkm.sys or nvidia.ko) where improper access control could trigger denial of service, information disclosure, or data corruption attacks. The second vulnerability resides in the latter NVIDIA GPU Display Driver for Windows and Linux, R450 and R460 driver branch. The security flaw stems from the way the software utilizes a reference count to manage a resource that is incorrectly updated. This condition may cause denial of service.
This vulnerability is rated 5.5 out of 10. The display driver for Windows systems is vulnerable in the kernel driver (nvlddmkm.sys) where a NULL pointer dereference could cause system crash.
Please note that “the NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk to your local installation.” To evaluate the risk to a specific configuration, the company recommends consulting a security or IT professional.
In addition, the Nvidia team fixed eight separate vulnerabilities in Nvidia’s vGPU software. More details are available in the official advisory.
Earlier this year, Nvidia patched 16 vulnerabilities in the Nvidia GPU display driver and vGPU software, some of which severe.