NVIDIA warns of severe security bugs in Nvidia GPU Driver

Several severe vulnerabilities have been detected in Nvidia graphics processing unit (GPU), the major one being the CVE-2021-1074.

The vulnerability CVE-2021-1074 is under analysis. At current, what we have the information is that the Nvidia Windows GPU display driver  for Windows, R390 drive crash contains severe security flaw in its installer. The attackers replace the application resource using malicious files.

National Vulnerability Database warns that “such an attack may lead to code execution, escalation of privileges, denial of service, or information disclosure.”

Other vulnerabilities within GPU driver include CVE-2021-1075, CVE-2021-1076, CVE-2021-1077, and CVE-2021-1078.

The vulnerability CVE-2021-1075 is also classified as severe. It has rating of 7.3 out of 10. The flaws reside in kernel mode layer handler f or DxgkDdiEscape.

There the program dereferences a pointer containing a location for memory which is no longer valid. Due to this, attackers may conduct serious of actions that include code execution, denial of service, or escalation of privileges.

Vulnerabilities CVE-2021-1076 and CVE-2021-1077 are considered as of medium in term of severity. The first one resides in all former versions of NVIDOA GPU Display Driver for Windows and Linux. It is located in kernel mode layer (nvlddmkm.sys or nvidia.ko). The improper access to it may trigger denial of service, information disclosure, or data corruption attacks.

The second vulnerability resides in NVIDIA GPU Display Driver for Windows and Linux, R450 and R460 driver branch. The flaws are in the way how the software utilizes a reference count to manage the resource is not correctly updated. It cause denial of service.

The vulnerability CVE-2021-1078 is vulnerability in kernel driver (nvlddmkm.sys) where a NULL pointer dereference could cause system crash.

 In addition, NVIDIA fixed total eight vulnerabilities in the NVIDIA’s vGPU software. You can get the more information about it on its official advisory.